Certificate renewed but openVPN client displays invalid certificate ?

Posted: Mon Jun 22, 2020 12:23 pm
by Terranon
Hello everyone,

After expiration of the certificate I proceed to a successful renewal.
Only when I try to connect my OpenVPN client shows that the certificate has expired.

I compared my certificates and nothing differs.

All network clients have the same problem.

Do you have any idea?

Here is what the log displays:

Mon Jun 22 13:54:28 2020 TCP_CLIENT link remote: [AF_INET]217.128.67.239:1194
Mon Jun 22 13:54:29 2020 VERIFY ERROR: depth=0, error=certificate has expired: CN=*****************
Mon Jun 22 13:54:29 2020 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Mon Jun 22 13:54:29 2020 TLS_ERROR: BIO read tls_read_plaintext error
Mon Jun 22 13:54:29 2020 TLS Error: TLS object -> incoming plaintext read error
Mon Jun 22 13:54:29 2020 TLS Error: TLS handshake failed
Best regards,
--
Terranon

Re: Certificate renewed but openVPN client displays invalid certificate ?

Posted: Mon Jun 22, 2020 1:10 pm
by TinCanTech
Terranon wrote:
Mon Jun 22, 2020 12:23 pm
After expiration of the certificate I proceed to a successful renewal
It would appear to be not so successful .. how did you renew ?

Re: Certificate renewed but openVPN client displays invalid certificate ?

Posted: Mon Jun 22, 2020 2:01 pm
by Terranon
Yes, the VPN server did not display any error message when renewing the certificate.
The VPN server is on a Synology NAS.

The renewal procedure is available through the Synology GUI:
Select: Renew the certificate, then Next

Re: Certificate renewed but openVPN client displays invalid certificate ?

Posted: Mon Jun 22, 2020 3:10 pm
by TinCanTech
I believe it is the client certificate which has expired.

Re: Certificate renewed but openVPN client displays invalid certificate ?

Posted: Mon Jun 22, 2020 5:37 pm
by Pippin
IIUC the certificate changed, you have to re-export the client configuration in OpenVPN Server (in DSM).

Re: Certificate renewed but openVPN client displays invalid certificate ?

Posted: Mon Jun 22, 2020 6:02 pm
by Terranon
I would have liked, but the versions of the certificate are identical on both sides.

Re: Certificate renewed but openVPN client displays invalid certificate ?

Posted: Mon Jun 22, 2020 6:09 pm
by Terranon
Hello Pippin,
Re-export the client configuration in OpenVPN Server (in DSM) ? I look at this.

Re: Certificate renewed but openVPN client displays invalid certificate ?

Posted: Mon Jun 22, 2020 6:37 pm
by Terranon
Sorry Pippin,
I don't see how to import the client configuration into the DSM.

Re: Certificate renewed but openVPN client displays invalid certificate ?

Posted: Mon Jun 22, 2020 6:48 pm
by Pippin
You need to re-import that into your client.

Re: Certificate renewed but openVPN client displays invalid certificate ?

Posted: Mon Jun 22, 2020 7:08 pm
by Terranon
Export the client configuration from DSM and import the files into the client configuration.
Yes, I already did this Pippin before opening my ticket on the forum.
I also restarted the VPN server as well as the DSM, but that didn't change anything.

Re: Certificate renewed but openVPN client displays invalid certificate ?

Posted: Mon Jun 22, 2020 7:40 pm
by TinCanTech
Looking again:
Terranon wrote:
Mon Jun 22, 2020 12:23 pm
Mon Jun 22 13:54:28 2020 TCP_CLIENT link remote: [AF_INET]217.128.67.239:1194
So this is the client log
Terranon wrote:
Mon Jun 22, 2020 12:23 pm
Mon Jun 22 13:54:29 2020 VERIFY ERROR: depth=0, error=certificate has expired: CN=*****************
Expired cert.
Terranon wrote:
Mon Jun 22, 2020 12:23 pm
Mon Jun 22 13:54:29 2020 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Server cert.

Probably explains this comment as well:
Terranon wrote:
Mon Jun 22, 2020 12:23 pm
All network clients have the same problem
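
The reading of the log in the post above, as an added example that is not part of the original thread: a small Python parser that pairs each OpenVPN `VERIFY ERROR` line with the OpenSSL routine named after it, to tell which side presented the rejected certificate. The function names, the placeholder address and CNs, and the server-side sample are assumptions made for illustration.

```python
import re

# One VERIFY ERROR line is logged per rejected certificate in the peer's chain.
VERIFY_RE = re.compile(r"VERIFY ERROR: depth=(\d+), error=([^:]+): (.*)$")
# The OpenSSL routine name says whose Certificate message was being processed.
ROUTINE_RE = re.compile(r"SSL routines:tls_process_(server|client)_certificate:")

def describe(presented_by, depth, error, subject):
    # depth 0 is the peer's own (end-entity) certificate; depth >= 1 is a CA above it.
    kind = "end-entity" if depth == 0 else f"CA at chain depth {depth}"
    return {"presented_by": presented_by, "kind": kind,
            "error": error, "subject": subject}

def diagnose(log_text):
    """Attribute each VERIFY ERROR to the side that presented the certificate."""
    findings, pending = [], []
    for line in log_text.splitlines():
        m = VERIFY_RE.search(line)
        if m:
            pending.append((int(m.group(1)), m.group(2).strip(), m.group(3).strip()))
            continue
        m = ROUTINE_RE.search(line)
        if m:
            findings += [describe(m.group(1), *p) for p in pending]
            pending = []
    # VERIFY ERROR lines with no OpenSSL routine line after them stay unattributed.
    findings += [describe("unknown", *p) for p in pending]
    return findings

# Constructed sample modelled on the client log in this thread (address and CN are placeholders).
CLIENT_LOG = """\
Mon Jun 22 13:54:28 2020 TCP_CLIENT link remote: [AF_INET]192.0.2.10:1194
Mon Jun 22 13:54:29 2020 VERIFY ERROR: depth=0, error=certificate has expired: CN=vpn.example.test
Mon Jun 22 13:54:29 2020 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Mon Jun 22 13:54:29 2020 TLS Error: TLS handshake failed
"""
# Constructed server-side counterpart: here the rejected certificate came from a client.
SERVER_LOG = """\
Mon Jun 22 13:54:29 2020 192.0.2.20:51234 VERIFY ERROR: depth=0, error=certificate has expired: CN=client1
Mon Jun 22 13:54:29 2020 192.0.2.20:51234 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
"""

if __name__ == "__main__":
    for name, log in (("client log", CLIENT_LOG), ("server log", SERVER_LOG)):
        for f in diagnose(log):
            print(f"{name}: {f['kind']} certificate presented by the "
                  f"{f['presented_by']}: {f['error']} ({f['subject']})")
```

Every client failing in the same way matches the first case: the certificate they all reject is the one the server presents.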

Re: Certificate renewed but openVPN client displays invalid certificate ?

Posted: Mon Jun 22, 2020 8:33 pm
by Pippin
Indeed @TinCanTech :)

There is a place in DSM, I think it's the certificates TAB, where you can select which service uses which certificate.
Is the correct certificate selected there?

Re: Certificate renewed but openVPN client displays invalid certificate ?

Posted: Wed Jun 24, 2020 12:50 pm
by Terranon
@Pippin
I have only one certificate. No other parameters have been changed. My operation on the DSM only consisted in renewing the existing certificate. Where can I control the services ?

@TinCanTech and @Pippin
Can the problem come from a certificate verification process ? If so, how do you troubleshoot this verification process ?

Re: Certificate renewed but openVPN client displays invalid certificate ?

Posted: Wed Jun 24, 2020 1:14 pm
by TinCanTech
Terranon wrote:
Wed Jun 24, 2020 12:50 pm
Can the problem come from a certificate verification process ? If so, how do you troubleshoot this verification process ?
Terranon wrote:
Mon Jun 22, 2020 12:23 pm
VERIFY ERROR: depth=0, error=certificate has expired: CN=*****************
The problem is quite clear and does not require troubleshooting..

Technically, the problem has nothing to do with openvpn.

Re: Certificate renewed but openVPN client displays invalid certificate ?

Posted: Wed Jun 24, 2020 1:43 pm
by Terranon
OK, I'm closing the discussion, and thank you for your time.