OpenVPN service not working with pfSense 2.4?!
-
Oh - system logs. I kept getting the same errors over and over. I'd completely remove an OpenVPN server, all certificates, and try again from scratch. And I'd keep getting the same message over and over in the system logs. (The definition of insanity?)
Dec 3 18:48:09 openvpn 34472 Exiting due to fatal error
Dec 3 18:48:09 openvpn 34472 Cannot load certificate file /var/etc/openvpn/server1.cert
Dec 3 18:48:09 openvpn 34472 OpenSSL: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
Dec 3 18:48:09 openvpn 34472 OpenSSL: error:0906D06C:PEM routines:PEM_read_bio:no start line
Dec 3 18:48:09 openvpn 34472 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 3 18:48:09 openvpn 34296 library versions: OpenSSL 1.0.2m-freebsd 2 Nov 2017, LZO 2.10
Dec 3 18:48:09 openvpn 34296 OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 8 2017
Dec 3 18:21:31 openvpn 48163 Exiting due to fatal error
Dec 3 18:21:31 openvpn 48163 Cannot load certificate file /var/etc/openvpn/server1.cert
Dec 3 18:21:31 openvpn 48163 OpenSSL: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
Dec 3 18:21:31 openvpn 48163 OpenSSL: error:0906D06C:PEM routines:PEM_read_bio:no start line
Dec 3 18:21:31 openvpn 48163 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 3 18:21:31 openvpn 48127 library versions: OpenSSL 1.0.2m-freebsd 2 Nov 2017, LZO 2.10
Dec 3 18:21:31 openvpn 48127 OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 8 2017
Dec 3 18:20:14 openvpn 65340 Exiting due to fatal error
Dec 3 18:20:14 openvpn 65340 Cannot load certificate file /var/etc/openvpn/server1.cert
Dec 3 18:20:14 openvpn 65340 OpenSSL: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
Dec 3 18:20:14 openvpn 65340 OpenSSL: error:0906D06C:PEM routines:PEM_read_bio:no start line
Dec 3 18:20:14 openvpn 65340 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 3 18:20:14 openvpn 65096 library versions: OpenSSL 1.0.2m-freebsd 2 Nov 2017, LZO 2.10
Dec 3 18:20:14 openvpn 65096 OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 8 2017
Dec 3 18:19:38 openvpn 29240 Exiting due to fatal error
Dec 3 18:19:38 openvpn 29240 Cannot load certificate file /var/etc/openvpn/server1.cert
Dec 3 18:19:38 openvpn 29240 OpenSSL: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
Dec 3 18:19:38 openvpn 29240 OpenSSL: error:0906D06C:PEM routines:PEM_read_bio:no start line
Dec 3 18:19:38 openvpn 29240 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
-
What is in /var/etc/openvpn/server1.cert ?
-
I have similar output when I try the wizard and look at the openvpn log. I have an empty 0-byte /var/etc/openvpn/server1.cert
Version 2.4.4-RELEASE-p3 (arm64)
Jun 13 20:07:32 openvpn 49559 Exiting due to fatal error
Jun 13 20:07:32 openvpn 49559 Cannot load certificate file /var/etc/openvpn/server1.cert
Jun 13 20:07:32 openvpn 49559 OpenSSL: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
Jun 13 20:07:32 openvpn 49559 OpenSSL: error:0906D06C:PEM routines:PEM_read_bio:no start line
Jun 13 20:07:32 openvpn 49559 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 13 20:07:32 openvpn 49485 library versions: OpenSSL 1.0.2o-freebsd 27 Mar 2018, LZO 2.10
Jun 13 20:07:32 openvpn 49485 OpenVPN 2.4.6 aarch64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 3 2018
-
@septer012 Any .cert file should be about 1.7 kbytes, a text file starting with -----BEGIN CERTIFICATE-----
So this is certainly the problem.
Try recreating server certificates and see if it produces correct files.
Are you doing the whole process via the web gui? Is it a self-signed certificate?
-
@netblues I am running the openvpn wizard. I am not sure how to generate the certificates manually on the box, but I will take a look around.
-
@septer012 I didn't mean to do it manually.
Do it via the webif, just check file sizes after every step.
Looks like a bug, but need to find out if the file is ever created or it gets overwritten.
-
@netblues Still haven't quite figured it out yet. I am running the whole process through the webgui OpenVPN wizard. I will peruse the logs I guess to see when the keys get generated.
/var/etc/openvpn
server1.ca 1.39 KiB
server1.cert 0.00 KiB
server1.conf 1.06 KiB
server1.interface 0.01 KiB
server1.key 1.64 KiB
server1.sock
server1.tls-auth 0.62 KiB
-
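An added example, not from the thread and not part of pfSense, of the "check file sizes after every step" advice above as a POSIX sh script: it walks the server1.* files in the listing, flags the 0-byte server1.cert as exactly the condition OpenSSL reports as "PEM_read_bio:no start line", and checks that each file opens with the PEM header its suffix implies. The directory layout and file names come from the listing; make_sample_dir builds constructed placeholder files (no real key material) so the script runs without a pfSense box, and the last line lets it be run as "sh check_openvpn_pem.sh /var/etc/openvpn server1".

```shell
# Sanity-check the PEM files pfSense writes under /var/etc/openvpn for one
# OpenVPN instance. Usage: sh check_openvpn_pem.sh /var/etc/openvpn server1
# PEM header expected for each suffix pfSense generates (see the listing
# above); returns 1 for suffixes this script ignores.
expected_header() {
    case "$1" in
        ca|cert)  echo "-----BEGIN CERTIFICATE-----" ;;
        key)      echo "PRIVATE KEY-----" ;;   # matches RSA, EC and PKCS#8
        tls-auth) echo "-----BEGIN OpenVPN Static key V1-----" ;;
        *)        return 1 ;;
    esac
}
# check_pem FILE HEADER: 0 if FILE is non-empty and its first line carries
# HEADER; an empty or headerless file is OpenSSL's "no start line".
check_pem() {
    file=$1; header=$2
    if [ ! -s "$file" ]; then
        echo "FAIL $file: empty or missing (OpenSSL: no start line)"
        return 1
    fi
    if ! head -n 1 "$file" | grep -q -- "$header"; then
        echo "FAIL $file: first line is not a '$header' PEM header"
        return 1
    fi
    echo "ok   $file ($(wc -c < "$file") bytes)"
}
# check_instance DIR NAME: checks DIR/NAME.{ca,cert,key,tls-auth};
# the return value is the number of files that failed.
check_instance() {
    dir=$1; name=$2; failures=0
    for suffix in ca cert key tls-auth; do
        check_pem "$dir/$name.$suffix" "$(expected_header "$suffix")" \
            || failures=$((failures + 1))
    done
    return "$failures"
}
# make_sample_dir: scratch directory mirroring the listing in the thread.
# Bodies are constructed placeholders, not real key material.
make_sample_dir() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...placeholder...' '-----END CERTIFICATE-----' > "$d/server1.ca"
    : > "$d/server1.cert"    # the 0-byte file the wizard left behind
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIE...placeholder...' '-----END RSA PRIVATE KEY-----' > "$d/server1.key"
    printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' '00ff...placeholder...' '-----END OpenVPN Static key V1-----' > "$d/server1.tls-auth"
    echo "$d"
}
if [ "$#" -eq 2 ]; then check_instance "$1" "$2"; fi
```

On a real box the same check can be run against /var/etc/openvpn directly; a non-zero exit count tells you which file the wizard left empty before OpenVPN ever tries to start.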
I think I got it to work. I deleted all the Certificate Authorities, and Certificates. Next I configured Services - ACME certificates - Account Key. OpenVPN was able to start up.
-
@septer012 said in OpenVPN service not working with pfSense 2.4?!:
ACME certificates - Account Key
What has this to do with OpenVPN?
-
You want to use self-signed certs with OpenVPN, not from any other CA!
-Rico