Cipher missing from server post Server Certificate renewal
-
@prashant-joshi Restart everything, stop OpenVPN, delete problematic cert, issue new server certificate, select in OpenVPN, start OpenVPN.
-
@prashant-joshi said in Cipher missing from server post Server Certificate renewal:
Renewed: Server certificate (which was in use by the server, not CA)
It is missing post-renewal, from the left.
pfSense Version: 23.05.1-RELEASE
The list of available encryption schemes is determined by you cert.
-
@prashant-joshi said in Cipher missing from server post Server Certificate renewal:
Renewed: Server certificate (which was in use by the server, not CA)
It is missing post-renewal, from the left.
pfSense Version: 23.05.1-RELEASE
The list of available encryption schemes is determined by you cert.
-
@prashant-joshi said in Cipher missing from server post Server Certificate renewal:
23.05.1-RELEASE
I've tried all sort of combinations with settings and certs to see if I could find the situation.
But we don't have the same pfSense (I'm using 23.09.1) and OpenVPN version (I'm using 2.6.8) which makes comparing difficult.
-
Did twice but no luck...
-
@prashant-joshi You deleted and recreated the server cert twice? Maybe you selected something in "Hardware Crypto"?
-
@NightlyShark I have simply renewed the cert not deleted the olderone.
-
@prashant-joshi I had stumbled upon a bug, where if the cert took a long time to generate (tried 16k RSA), the gui would behave like it had finished with the cert, but a background process remained active (creating the cert), for up to 20 minutes later...
-
@NightlyShark in my case cert shows properly renewed.
Another thing I tried to save server settings it's giving me the "One or more of the selected Data Encryption Algorithms is not valid." error
-
@prashant-joshi That means that when renewing the cert you changed ciphers and now it gets all confused. Just delete, both the cert and the server profile, and recreate. Unless there is a Gateway or a custom OpenVPN interface (for the fw rules) involved, then just try to delete the cert.
-
@prashant-joshi Also, check out the logs for OpenVPN.
-
@NightlyShark when I am trying to add new server still the left side Cipher is blank.
-
@prashant-joshi You need to select a certificate, first :)
-
@NightlyShark Even after selecting the server Cert nothing changed. Still the left side is missing and blank.
-
@prashant-joshi Friend, I am this close to asking a stranger(you) to let me AnyDesk this...
-
@prashant-joshi At this point of the head-scratching process, I would reinstall (remove and install) the OpenVPN package manually via cli.
-
@Gertjan are you really on 23.05.1 ? I would move to current supported version 23.09.1 - there has been multiple changes, big one is jump to open ssl3, and I know the openvpn version has also been updated.
23.05.1 is no longer on the supported list.
If it was me, I would upgrade to current, and if your certs are still not working... Create new..
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11 -
@johnpoz We tried TS via anydesk (as securely as possible...) and in the end, it was throwing the "libssl.so.30 not found" error. In about 3 hours (when their workplace will empty) they will attempt the update.
I wonder why I was spared from that when I updated, with my 2+ year old certs... Maybe because I have everything ECDSA.
-
@NightlyShark said in Cipher missing from server post Server Certificate renewal:
ECDSA
I am pretty much exclusively using those.. I just created a couple for my new cams I got.. I might have some older but have started using those for the last few years.. And using those for my openvpn stuff.
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11 -
@johnpoz And... a little bird told me that the only secure curve that was not recommended by certain people that are known to be allergic to public encryption (caugh, PRISM!, caugh) was secp521r1...
