[Linksys] Error message: Peer certificate verification failure

This forum is for general conversation and user-user networking.

Moderators: TinCanTech

apn3a
OpenVpn Newbie
Posts: 5
Joined: Fri Jan 07, 2011 9:53 pm
Location: Athens-Greece, NY, Boston

[Linksys] Error message: Peer certificate verification failure

Post by apn3a » Sun Oct 09, 2022 4:23 pm

Hello,

I own a Linksys WRT 3200ACM router that supports OpenVPN server out of the box.

I've been running that said server for the past 5 years.

Today, out of the blue, I received the above error and I cannot connect to the server. Researching online and on the OpenVPN forums, it seems that the server certificate has expired (viewtopic.php?t=32568).

I checked the configuration that gets generated by the router's interface; as you will see, it has a 10-year validity and expires today:

<cert>
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=CA, L=Irvine, O=Linksys, OU=Belkin, CN=Mamba/name=BlackMamba/emailAddress=support@linksys.com
Validity
Not Before: Oct 11 06:00:52 2012 GMT
Not After : Oct 9 06:00:52 2022 GMT
Subject: C=US, ST=CA, L=Irvine, O=Linksys, OU=Belkin, CN=client/name=BlackMamba/emailAddress=support@linksys.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:

I tried changing the date in the configuration file, but that didn't work - assuming it is embedded in the actual certificate.

I contacted Linksys about this issue; however, they asked me to raise a ticket with OpenVPN. Below is the transcript of my conversation with them.

99.9% this is an issue with Linksys and not with OpenVPN, but I would really appreciate it if you can give me some guidance on what to tell them or what needs to be done from their end.

If there's something that can be done by myself, more than happy to try it. I already tried deleting all configurations etc. on the router and reissuing new ones, but I still get the same error across all devices.

Thanks

Jeziah May L (10/9/2022, 5:50:18 PM): Hello Minas. Welcome to Linksys Chat! My name is Jeziah, is this your first time with us?
Minas (10/9/2022, 5:50:40 PM): Hello, yes first time
Jeziah May L (10/9/2022, 5:51:00 PM): Can you tell me more about it?
Minas (10/9/2022, 5:51:43 PM): So, i purchased this router, and i was using open vpn server fine for the past 4-5 years without an issue. today i receive an error on the client side that the certificate has expired
Minas (10/9/2022, 5:52:25 PM): i researched a bit, and it seems that those openvpn server certificates do expire over time. there are some instructions on how to update them, but those are for openvpn servers not sitting on linksys routers
Minas (10/9/2022, 5:52:33 PM): i have no idea how these get updated on linksys
Jeziah May L (10/9/2022, 5:52:36 PM): im reading your messages
Jeziah May L (10/9/2022, 5:53:22 PM): our device is just vpn pass through and vpn is actually not supported
Jeziah May L (10/9/2022, 5:53:31 PM): it should be on a 3rd party Minas
Minas (10/9/2022, 5:53:33 PM): no that's wrong
Jeziah May L (10/9/2022, 5:53:39 PM): what do you mean
Minas (10/9/2022, 5:53:56 PM): WRT ac3200ACM has an openvpn server on the router
Minas (10/9/2022, 5:54:02 PM): it's supported out of the box
Minas (10/9/2022, 5:54:06 PM): it's not a pass-through
Jeziah May L (10/9/2022, 5:54:07 PM): it is a vpn passthrough the WRT3200
Jeziah May L (10/9/2022, 5:54:21 PM): what is the problem are you getting
Minas (10/9/2022, 5:54:35 PM): https://www.linksys.com/support-article ... Num=270535
Minas (10/9/2022, 5:54:41 PM): you can check how to set up the vpn here
Minas (10/9/2022, 5:54:54 PM): i am getting an expired certificate error when the client connects
Jeziah May L (10/9/2022, 5:55:09 PM): let me see what we can do for this concern you have hold on
Jeziah May L (10/9/2022, 5:56:00 PM): If you do not have an .ovpn file or account credentials, you need to contact the administrator of the OpenVPN server. If you are the admin of your server, contact OpenVPN.
Minas (10/9/2022, 5:57:34 PM): viewtopic.php?t=32568
Minas (10/9/2022, 5:57:43 PM): Jeziah you are not getting it
Minas (10/9/2022, 5:57:52 PM): i am the administrator
Minas (10/9/2022, 5:57:54 PM): i own the router
Minas (10/9/2022, 5:58:04 PM): i enabled the server through the router's interface
Jeziah May L (10/9/2022, 5:58:12 PM): oh i see
Jeziah May L (10/9/2022, 5:58:18 PM): im reading your messages
Minas (10/9/2022, 5:58:47 PM): this router is one of the very few linksys routers that support openvpn server out of the box
Minas (10/9/2022, 5:58:51 PM): are we clear so far?
Jeziah May L (10/9/2022, 5:59:08 PM): Yes I understand
Minas (10/9/2022, 5:59:11 PM): great
Jeziah May L (10/9/2022, 5:59:24 PM): that is the only router yes that supports openvpn
Minas (10/9/2022, 5:59:36 PM): now, it seems that the certificates on the server (inside the router) have expired
Minas (10/9/2022, 5:59:46 PM): there are no instructions from linksys on how to update them
Minas (10/9/2022, 5:59:55 PM): and there's no information available online
Jeziah May L (10/9/2022, 5:59:57 PM): I would like to know when did you get the error? was that OpenVPN server working before?
Minas (10/9/2022, 6:00:15 PM): it was working fine till yesterday. today i cannot connect after 5+ years
Minas (10/9/2022, 6:00:25 PM): viewtopic.php?t=32568
Minas (10/9/2022, 6:00:55 PM): there's this thread on openvpn. it explains what to do when the certificates expire. but obviously, it's no help for me as those instructions aren't meant for linksys routers
Minas (10/9/2022, 6:02:15 PM): when i enabled the server 4-5 years ago, apparently those certificates that got issued within the router had an expiration date. i assume that not even linksys was aware of that. now, 5 years later, those certificates expired. and i cannot connect to my router.
Jeziah May L (10/9/2022, 6:02:35 PM): Alright, we would like to know if you have gone some changes lately on your router?
Minas (10/9/2022, 6:02:39 PM): nothing
Minas (10/9/2022, 6:02:49 PM): and i am running the latest firmware
Jeziah May L (10/9/2022, 6:03:08 PM): have you been able to configure VPN right?
Minas (10/9/2022, 6:03:12 PM): yes
Jeziah May L (10/9/2022, 6:03:15 PM): your problem is just the devices?
Minas (10/9/2022, 6:03:20 PM): everything was working fine for the past 5 years
Jeziah May L (10/9/2022, 6:03:21 PM): client devices?
Minas (10/9/2022, 6:03:26 PM): today none of my devices/clients work
Jeziah May L (10/9/2022, 6:03:32 PM): copy
Jeziah May L (10/9/2022, 6:03:38 PM): one moment
Minas (10/9/2022, 6:03:39 PM): because the certificate (on the server) has expired
Jeziah May L (10/9/2022, 6:05:12 PM): alright
Minas (10/9/2022, 6:05:34 PM):
[Oct 9, 2022, 18:04:24] Transport Error: OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=7040 status=-1: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
[Oct 9, 2022, 18:04:24] EVENT: CERT_VERIFY_FAIL OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=7040 status=-1: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
[Oct 9, 2022, 18:04:24] EVENT: DISCONNECTED
[Oct 9, 2022, 18:04:25] Raw stats on disconnect:
BYTES_IN : 2365
BYTES_OUT : 339
PACKETS_IN : 4
PACKETS_OUT : 3
SSL_ERROR : 1
CERT_VERIFY_FAIL : 1
Jeziah May L (10/9/2022, 6:05:35 PM): let us see what we can recommend for that since issue is with the devices
Minas (10/9/2022, 6:05:59 PM): this is the error i get - because it cannot verify the certificate
Minas (10/9/2022, 6:07:01 PM): openvpn on the mac says: Connection Failed. There was an error attempting to connect to the selected server. Error message: Peer certificate verification failure.
Minas (10/9/2022, 6:07:17 PM): if you google this, the first thread you get is the one i shared with you
Jeziah May L (10/9/2022, 6:07:26 PM): I got you
Minas (10/9/2022, 6:07:26 PM): viewtopic.php?t=32568
Jeziah May L (10/9/2022, 6:07:29 PM): hold on
Minas (10/9/2022, 6:07:32 PM): thanks
Minas (10/9/2022, 6:08:35 PM): 2nd page describes the actual problem and the solution
Jeziah May L (10/9/2022, 6:09:33 PM): alright one moment
Jeziah May L (10/9/2022, 6:11:17 PM): https://www.linksys.com/support-article ... Num=157327 have you tried this one?
Minas (10/9/2022, 6:12:04 PM): obviously, these are the instructions on how to setup the server and the clients
Minas (10/9/2022, 6:12:19 PM): i wouldn't be using the server for 5 years now hadn't i done this
Jeziah May L (10/9/2022, 6:12:32 PM): and after that you are still getting the error?
Minas (10/9/2022, 6:12:44 PM): i don't think you understand me man
Minas (10/9/2022, 6:12:59 PM): the instructions you shared are not the solution to my problem
Minas (10/9/2022, 6:13:08 PM): they are the generic instructions to set up the server
Minas (10/9/2022, 6:13:13 PM): i've done this, 5 years ago
Minas (10/9/2022, 6:13:20 PM): and was working fine till today
Minas (10/9/2022, 6:13:40 PM): can you please escalate this to someone more senior?
Jeziah May L (10/9/2022, 6:14:06 PM): can you hold on sir? we are doing our best to assist you with this
Jeziah May L (10/9/2022, 6:14:16 PM): we understand your concern
Minas (10/9/2022, 6:14:20 PM): yes but you are not listening to me
Minas (10/9/2022, 6:14:25 PM): we keep spinning around the same thing
Minas (10/9/2022, 6:14:31 PM): i pinpointed the exact issue
Jeziah May L (10/9/2022, 6:14:38 PM): I understand
Minas (10/9/2022, 6:14:40 PM): i am telling you exactly what's wrong
Minas (10/9/2022, 6:14:45 PM): and you are sending me generic instructions
Minas (10/9/2022, 6:14:53 PM): please escalate it
Jeziah May L (10/9/2022, 6:15:54 PM): let me see what we can do thanks
Minas (10/9/2022, 6:16:05 PM): thanks
Jeziah May L (10/9/2022, 6:17:50 PM): alright
Jeziah May L (10/9/2022, 6:26:01 PM): hello sir/ma'am, we apologize for the inconvenience this may have caused you. Since you have configured the VPN and as you have said it was working fine for 5 years and all of a sudden it stopped. What Linksys does is to configure the VPN, making sure the username and password you have are correct. Beyond that, about the certification error you are getting, we will advise you to contact openvpn.net
Minas (10/9/2022, 6:26:33 PM): this is an issue with the router, openvpn will ask me to contact linksys
Minas (10/9/2022, 6:26:38 PM): within*
Minas (10/9/2022, 6:27:11 PM): if you fail to realize what the issue is, you will keep giving me wrong advice
Minas (10/9/2022, 6:27:35 PM): linksys built a router that supports openvpn server
Minas (10/9/2022, 6:27:52 PM): they didn't say "buy this router, and when you have issues with openvpn, contact them"
Minas (10/9/2022, 6:29:12 PM): the openvpn code that linksys added to this router to support openvpn server, clearly is not MAINTAINED through firmware updates. if there are dependencies that need to be updated WITHIN the router, this is linksys responsibility, not openvpn
Jeziah May L (10/9/2022, 6:29:46 PM): sir there is a 3rd party involved for this and we have no visibility on where to check or get the update of certificate since that is the issue you were having right now and the only way we can figure it out is to contact openvpn
Minas (10/9/2022, 6:30:43 PM): this is why it needs to be escalated to the engineering team within linksys that enabled openvpn server for this router
Minas (10/9/2022, 6:30:59 PM): i don't expect you to have a solution to this
Minas (10/9/2022, 6:31:07 PM): i expect you to escalate it to the concerned team
Jeziah May L (10/9/2022, 6:31:40 PM): we will raise this concern you have sir
Minas (10/9/2022, 6:31:54 PM): this is not a concern. this is a problem i am facing.
Minas (10/9/2022, 6:32:10 PM): and i need you to raise a ticket so we can have proper follow up
Jeziah May L (10/9/2022, 6:32:20 PM): for now what we can do is for you to contact openvpn.net and if they advise you to contact us back then we can provide you a case number
Jeziah May L (10/9/2022, 6:32:44 PM): yes we can give you a ticket / case number 15120913
Minas (10/9/2022, 6:32:52 PM): I will open a ticket with them now
Jeziah May L (10/9/2022, 6:33:10 PM): we apologize for the inconvenience this may have caused you
Minas (10/9/2022, 6:33:22 PM): how can i follow up to the case number?
Minas (10/9/2022, 6:33:32 PM): i just come to the chat here and give it to the agent?
Jeziah May L (10/9/2022, 6:33:53 PM): just provide it to the next agent or call us with this hotline number 1-800-326-7114
Minas (10/9/2022, 6:34:01 PM): thank you, Jeziah
Jeziah May L (10/9/2022, 6:34:42 PM): We apologize once again Minas but thank you for your feed back and for addressing your concern
Jeziah May L (10/9/2022, 6:35:24 PM): Should you need further assistance with your Linksys device, feel free to chat with us again anytime. We are at your service 24/7 or call our hotline : 800-326-7114
Thank you for the opportunity to serve you through Live Chat for Linksys Products.

openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: Error message: Peer certificate verification failure

Post by openvpn_inc » Sun Oct 09, 2022 5:26 pm

Hello apn3a,

The problem is obvious. The certificate is expired. OpenVPN can work with certificates so that the client can verify the identity of the server, and the server can verify the identity of the client. OpenVPN just takes the certificates you feed it and uses them. It checks them, it does server and client verification with them, but it does not generate them or alter them. You as the server administrator are responsible for providing correct certificates. In this case that would be you.

The theory is that when you set up your OpenVPN server you provide your server and your clients with a pair of private key and public certificate. And you need to make a certificate authority that will sign the server and client certificates. The clients and server can verify that they are signed by the certificate authority. The idea here is that someone with the right privileges that has control over the certificate authority can sign client and server certificates, so that only those that are signed by this same certificate authority can be used to connect to your OpenVPN server. There are additional verification options such as certificate revocation list, username/password authentication, checking X509 properties, and so on, but those are not relevant for the problem at hand.

The thing is, all the certificates generated have a start date and an end date. Your information shows that this certificate is clearly outside of those boundaries, and will therefore fail verification because of that single fact:
Not Before: Oct 11 06:00:52 2012 GMT
Not After : Oct 9 06:00:52 2022 GMT

I also want to point out that 1024 bit certificates are outdated and should be replaced with at least 2048 bit or perhaps better to use elliptic curve secp384r1. So for that reason alone I would want to recommend to wipe your certificate infrastructure and start over, on top of the issue you're facing now.

In the case of your Linksys router however I do not know if you have the necessary access or privileges to actually do this. I do not own a Linksys device and do not know how they have implemented the creation of a certificate authority and the necessary server and client certificates. I would suggest to look in your Linksys router if there is any option at all to replace the certificates. You're basically looking for a way now to reach into the Linksys router and get those expired certificates out and replace them, and to also replace the client certificates as well. So all the current connection configurations on the VPN clients need to be replaced as well so they get new certificates required to connect.

Unfortunately I do not have a Linksys router and therefore have no idea if this is possible or not using the web interface. For that I am afraid I have to direct you back to Linksys. Perhaps there is a way to get SSH or console access to the Linksys router so that you can go into the filesystem and replace the certificates yourself? Or perhaps Linksys has some commands you can run to wipe the old certificates and generate new ones from scratch on the router itself?

Basically the question that needs to be asked of Linksys is;
How can I replace the expired certificates that are in my Linksys router and are used for OpenVPN?

Hopefully they'll have an answer. Good luck.
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: Error message: Peer certificate verification failure

Post by openvpn_inc » Mon Oct 10, 2022 11:25 am

Hey apn3a,

Since we have 2 reports about the same issue I would like to examine the CA certificate that you are using on your Linksys router. But only the public portion of it, which is safe to give out. The public portion is used by the client to verify the identity of the server, but doesn't contain anything that should remain private. To be clear, other items like private keys and such should remain private as they're part of the security of making a VPN connection, but the CA public portion is one that can be freely distributed to anyone without security risk.

There are two ways client connection files are presented to users - as a set of separate files, in which case the file called "ca.crt" or "ca.pem" or such will be the file I'm looking for (and definitely NOT client.crt or client.key). If you get 1 file that has the certificates embedded I'm looking for the portion between <ca> and </ca> (and definitely not <cert></cert> or <key></key>).

I would like to get this certificate file from both you and the other guy experiencing the same issue, and compare the two. If there are similarities between them it might mean that Linksys has done a very bad thing in terms of security. And I hope I'm wrong about it but I want to verify anyway. I'd really appreciate if you could help me in my investigation and send me that CA certificate file.

The best way to send it is at https://openvpn.net/support by registering on our main website (it's free) and sending in a support ticket and referencing this forum post - that way it's sent via a secure channel and I'll receive it there.

I hope you'll help me investigate this situation further,
Kind regards,
Johan

Arti82
OpenVpn Newbie
Posts: 3
Joined: Mon Oct 10, 2022 2:01 pm

Re: Error message: Peer certificate verification failure

Post by Arti82 » Mon Oct 10, 2022 2:02 pm

Hello, I have a similar problem with a Linksys WRT3200. Since yesterday there are problems with the certificate validity: the VPN profile has a certificate valid until 2031, yet the client receives a message about an invalid certificate.

JeDiOpenVPN
OpenVpn Newbie
Posts: 3
Joined: Mon Oct 10, 2022 2:03 pm

Re: Error message: Peer certificate verification failure

Post by JeDiOpenVPN » Mon Oct 10, 2022 2:06 pm

Hello,

I have received the same error today as well, and it seems that everyone with this router will receive the same. Linksys Support says that with this being 3rd party software that we need to direct this to your support team. When I went to your support last night, I was told that I need a paid account for me to receive help here. I have signed up for a free account under tssbilling@gmail.com, but further assistance is needed. I'll share the public certificate here with you.


This way, you can see that it very clearly expires on October 8th... Looking inside the .ovpn file, I can see that it has the following:
Validity
Not Before: Oct 11 06:00:50 2012 GMT
Not After : Oct 9 06:00:50 2022 GMT

openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: Error message: Peer certificate verification failure

Post by openvpn_inc » Mon Oct 10, 2022 2:09 pm

Hello Arti82,

When checking certificates all the certificates must pass. That means the CA certificate itself must pass the validity check, the client certificate must also pass the validity check, and finally the server certificate too. It is possible that the client certificate was generated with an expiration date in 2031 while the CA certificate expired on October 9th 2022. You can examine each certificate individually to see what the status of each is. If even one of them is expired, the verification will fail because of that.

Currently I am collecting information on Linksys router certificate implementation to confirm some of my suspicions.

Kind regards,
Johan

JeDiOpenVPN
OpenVpn Newbie
Posts: 3
Joined: Mon Oct 10, 2022 2:03 pm

Re: Error message: Peer certificate verification failure

Post by JeDiOpenVPN » Mon Oct 10, 2022 2:12 pm

Arti82 wrote:
Mon Oct 10, 2022 2:02 pm
Hello, I have a similar problem with a Linksys WRT3200. Since yesterday there are problems with the certificate validity: the VPN profile has a certificate valid until 2031, yet the client receives a message about an invalid certificate.
If you've changed it manually in the .ovpn file, it actually still needs to be part of what is encoded. If you look at the similar portion of what I posted and bring it to sslshopper, https://www.sslshopper.com/certificate-decoder.html, you can see the true details of the cert portion of the file.
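
Johan's advice to examine each certificate individually, and the point above that the dates live in the encoded certificate, as an added example that is not part of any post in this thread: a POSIX shell script that pulls the <ca> and <cert> blocks out of an inline profile and checks each one with the OpenSSL command line. The function names are hypothetical, the demo profile is constructed from a throwaway CA valid for one day, and `-checkend` with a look-ahead stands in for waiting until that CA expires.

```shell
#!/bin/sh
# Added example: audit the certificates embedded in an inline OpenVPN profile.
# Function names and the demo profile are constructed for illustration.

# Print the body of an inline <tag>...</tag> block ($1 = profile, $2 = tag).
ovpn_block() {
  awk -v t="$2" '
    $0 ~ "^[[:space:]]*</" t ">" { inside = 0 }
    inside                       { print }
    $0 ~ "^[[:space:]]*<" t ">"  { inside = 1 }
  ' "$1"
}

# Report each embedded certificate ($1 = profile, $2 = look-ahead seconds,
# default 0 = "is it expired right now"). Returns 1 if any certificate is
# expired at that point, because one expired link fails the whole check.
check_profile() {
  chk_rc=0
  for chk_tag in ca cert; do
    chk_pem=$(ovpn_block "$1" "$chk_tag")
    if [ -z "$chk_pem" ]; then
      echo "$chk_tag: no inline block in profile"
      continue
    fi
    # openssl decodes only the PEM body; any readable text above the BEGIN
    # line is skipped, so dates edited there change nothing.
    chk_text=$(printf '%s\n' "$chk_pem" | openssl x509 -noout -text)
    chk_end=$(printf '%s\n' "$chk_pem" | openssl x509 -noout -enddate | cut -d= -f2)
    chk_alg=$(printf '%s\n' "$chk_text" | sed -n 's/^ *Public Key Algorithm: //p' | head -n 1)
    chk_bits=$(printf '%s\n' "$chk_text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    chk_sig=$(printf '%s\n' "$chk_text" | sed -n 's/^ *Signature Algorithm: //p' | head -n 1)
    if printf '%s\n' "$chk_pem" | openssl x509 -noout -checkend "${2:-0}" >/dev/null; then
      chk_state=OK
    else
      chk_state=EXPIRED
      chk_rc=1
    fi
    chk_note=""
    if [ "$chk_alg" = rsaEncryption ] && [ "${chk_bits:-0}" -lt 2048 ]; then
      chk_note="$chk_note weak-rsa-key"
    fi
    case $chk_sig in sha1*|md5*) chk_note="$chk_note weak-signature-hash" ;; esac
    echo "$chk_tag: $chk_state notAfter=$chk_end bits=$chk_bits sig=$chk_sig$chk_note"
  done
  return $chk_rc
}

# Build a constructed demo profile in directory $1: a CA valid for 1 day and
# a client certificate valid for 10 years, mirroring the mismatch in the thread.
make_demo_profile() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=Demo CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client" \
    -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
  openssl x509 -req -in "$1/client.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -sha256 -days 3650 -out "$1/client.crt" 2>/dev/null
  {
    echo "client"
    echo "<ca>"
    echo "Not After : Jan  1 00:00:00 2099 GMT"   # hand-edited text, ignored
    cat "$1/ca.crt"
    echo "</ca>"
    echo "<cert>"
    cat "$1/client.crt"
    echo "</cert>"
  } > "$1/client.ovpn"
}

demo_dir=$(mktemp -d)
make_demo_profile "$demo_dir"
echo "--- as of now"
check_profile "$demo_dir/client.ovpn" 0
echo "--- two days from now"
check_profile "$demo_dir/client.ovpn" 172800 || echo "profile would fail verification"
```

Run `check_profile` with the profile exported by the router as its only argument; a line starting `ca: EXPIRED` means verification fails for every client signed by that CA, whatever the client certificate's own dates say.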

Arti82
OpenVpn Newbie
Posts: 3
Joined: Mon Oct 10, 2022 2:01 pm

Re: Error message: Peer certificate verification failure

Post by Arti82 » Mon Oct 10, 2022 2:21 pm

CA valid to October 8, 2022

Chris H_UK
OpenVpn Newbie
Posts: 1
Joined: Mon Oct 10, 2022 2:18 pm

Re: Error message: Peer certificate verification failure

Post by Chris H_UK » Mon Oct 10, 2022 2:21 pm

Thanks for the post John. I too saw the same issue starting yesterday and the certificate indicated it did not expire until 2028...
I have via a support ticket uploaded the <CA> </CA> portion of the certificate you were looking for.

Hope it helps.

Regards
Chris.

JeDiOpenVPN
OpenVpn Newbie
Posts: 3
Joined: Mon Oct 10, 2022 2:03 pm

Re: Error message: Peer certificate verification failure

Post by JeDiOpenVPN » Mon Oct 10, 2022 2:22 pm

openvpn_inc wrote:
Mon Oct 10, 2022 2:09 pm
Hello Arti82,

When checking certificates all the certificates must pass. That means the CA certificate itself must pass the validity check, the client certificate must also pass the validity check, and finally the server certificate too. It is possible that the client certificate was generated with an expiration date in 2031 while the CA certificate expired on October 9th 2022. You can examine each certificate individually to see what the status of each is. If even one of them is expired, the verification will fail because of that.

Currently I am collecting information on Linksys router certificate implementation to confirm some of my suspicions.

Kind regards,
Johan
Hi Johan,

Would you be able to provide us the correct file(s) to resolve this issue, or is that even possible with the type of configuration we have here?

Arti82
OpenVpn Newbie
Posts: 3
Joined: Mon Oct 10, 2022 2:01 pm

Re: Error message: Peer certificate verification failure

Post by Arti82 » Mon Oct 10, 2022 2:27 pm


countzero
OpenVpn Newbie
Posts: 1
Joined: Mon Oct 10, 2022 2:27 pm

Re: Error message: Peer certificate verification failure

Post by countzero » Mon Oct 10, 2022 2:28 pm

can confirm same issue on linksys 1200ac :/


        Validity
            Not Before: Oct 10 18:18:21 2017 GMT
            Not After : Oct  8 18:18:21 2027 GMT
16:41:39.866 -- VERIFY FAIL: depth=1, /C=US/ST=CA/L=Irvine/O=Linksys/OU=Belkin/CN=Mamba/name=BlackMamba/emailAddress=support@linksys.com, signature: RSA-SHA1 [certificate has expired]

16:41:39.867 -- Transport Error: OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=7040 status=-1: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

16:41:39.868 -- EVENT: CERT_VERIFY_FAIL info='OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=7040 status=-1: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed'
Last edited by countzero on Mon Oct 10, 2022 2:45 pm, edited 1 time in total.

openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: Error message: Peer certificate verification failure

Post by openvpn_inc » Mon Oct 10, 2022 2:44 pm

Hi Jed,

Unfortunately no, we are not able to fix this. It is 100% a Linksys bug, and even they won't have an easy fix for it. (Even if they do have someone on staff who knows enough about openvpn to understand the issue; which at this point appears uncertain.)

What they need to do is release new firmware which will generate a new CA certificate on each device. But even then, every previously issued client config file is useless. Each client will need a new certificate, signed by the new CA.

We're sorry our users are feeling this pain. Truly. But we built openvpn(8) software for security, and it is doing what it was designed to do: to refuse to validate expired TLS certificates.

There is no sane workaround for that. You could set all system clocks back some years, and then you'll be okay until the next occurrence of 2022-10-08, but you'll have pain with other software that needs to know the real date.

And another issue yet to be determined: if every Linksys user is using the same CA certificate, this could be a massive zero-day vulnerability. No, the routers with the expired certificates are not vulnerable (nor even usable!) but it could mean their more recent products have the same flaw, but with currently valid CA certificates.

I'm wishing we could help more, uh, well, I can in a way. OpenVPN Access Server has a workaround for expiring CA certificates. Access Server generates a new CA every year, so each client/server certificate is valid for at least 9 years. When the time is up for any given client, the user can simply and easily obtain a new profile.

That said, we're not here to sell you proprietary software; we are here to support our open source community. But it could be of interest to know how we dealt with this in Access Server.

regards, rob0

openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: Error message: Peer certificate verification failure

Post by openvpn_inc » Mon Oct 10, 2022 3:06 pm

Hello everyone in this thread,

rob0 is right in that we unfortunately can't do anything to solve it from our end. We made an announcement about the situation on the forums and are redirecting everyone there now. The good news is at least that after examining a number of CA certificates sent in by users of Linksys routers that were affected it has become clear that the CAs are at least unique, which is quite important for security. However the expiration date issue is still one that remains unresolved, and only Linksys can really do anything about it.

The announcement regarding the Linksys certificate verify failed issue:
viewtopic.php?t=34874

Kind regards,
Johan

jaakdaniels
OpenVPN User
Posts: 37
Joined: Thu Oct 13, 2022 5:26 pm

Re: [Linksys] Error message: Peer certificate verification failure

Post by jaakdaniels » Thu Oct 13, 2022 5:27 pm

Same problem here, also a WRT3200ACM and suddenly error on the VPN connection. Also certificate problem.
Should Linksys be working right now on a solution and how long will it take...?

openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: [Linksys] Error message: Peer certificate verification failure

Post by openvpn_inc » Thu Oct 13, 2022 5:46 pm

Hello jaakdaniels,

Linksys is the only one that can provide a solution on the affected devices.

See this thread regarding the Linksys certificate verify failed issue:
viewtopic.php?t=34874

Kind regards,
Johan

epalite
OpenVpn Newbie
Posts: 1
Joined: Fri Oct 14, 2022 3:16 pm

Re: [Linksys] Error message: Peer certificate verification failure

Post by epalite » Fri Oct 14, 2022 3:18 pm

Same problem with WRT1900ACSv2. Thanks Johan!

jeremys
OpenVpn Newbie
Posts: 6
Joined: Thu Jul 21, 2022 8:02 pm

Re: [Linksys] Error message: Peer certificate verification failure

Post by jeremys » Sat Oct 15, 2022 2:38 am

Same problem on my Linksys. I guess buying another company's router would be a solution?

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: [Linksys] Error message: Peer certificate verification failure

Post by ordex » Sat Oct 15, 2022 1:00 pm

IMHO that might be the fastest solution, yes. Unless your router can be reflashed with OpenWRT and in that case you can take full control over its software.

cmwalden
OpenVpn Newbie
Posts: 1
Joined: Mon Oct 17, 2022 12:33 pm

Re: [Linksys] Error message: Peer certificate verification failure

Post by cmwalden » Mon Oct 17, 2022 12:36 pm

I ran into this a while back and found no help but only things like this discouraging thread. I flashed my router with the openwrt firmware and installed openvpn. The process was pretty simple and got everything back on track with some new functionality.
