    Replacing Expired OpenVPN Certificates

    guardian (Rebel Alliance), last edited by guardian

      I hope one of the VPN gurus here can give me a few hints as to what I may be doing wrong. I had my OpenVPN server working, but I recently upgraded the phone to Oreo 8.1 AND my OpenVPN certificates just expired. I thought it would be easy to just create new certs, but for some reason I am getting validation errors and the VPN won't connect. pfSense has had a couple of updates in the year since I originally created the certificates.

      In an attempt to get this thing working, I have recreated everything - Server certificate, User certificate, TLS Key, and I increased the strength of my password (since my initial setup was only intended for testing and the password was way too weak). I used the export tool, to put the info on a USB key and then imported it on my phone. The import seemed to work OK.
      (I didn't destroy/recreate the servers - I just changed the .)

      Can someone give me a hint as to what part of the process these messages refer to?
      (Only the XXXXXXXXXs and --.-- have been redacted - all other values are the actual contents.)

      Jun  6 15:49:13 XXXXXXXX openvpn[48686]: 209.171.--.--:27235 VERIFY SCRIPT OK: depth=2, C=CA, ST=PRIVATE, L=PRIVATE, O=PRIVATE, emailAddress=nobody@nowhere, CN=XXXXXXXX_ROOT, OU=PRIVATE
      Jun  6 15:49:13 XXXXXXXX openvpn[48686]: 209.171.--.--:27235 VERIFY OK: depth=2, C=CA, ST=PRIVATE, L=PRIVATE, O=PRIVATE, emailAddress=nobody@nowhere, CN=XXXXXXXX_ROOT, OU=PRIVATE
      Jun  6 15:49:13 XXXXXXXX openvpn[48686]: 209.171.--.--:27235 VERIFY SCRIPT OK: depth=1, C=CA, ST=PRIVATE, L=PRIVATE, O=PRIVATE, emailAddress=nobody@nowhere, CN=XXXXXXXX_INTERMEDIATE_MAY2017, OU=PRIVATE
      Jun  6 15:49:13 XXXXXXXX openvpn[48686]: 209.171.--.--:27235 VERIFY OK: depth=1, C=CA, ST=PRIVATE, L=PRIVATE, O=PRIVATE, emailAddress=nobody@nowhere, CN=XXXXXXXX_INTERMEDIATE_MAY2017, OU=PRIVATE
      Jun  6 15:49:13 XXXXXXXX openvpn[48686]: 209.171.--.--:27235 VERIFY KU OK
      Jun  6 15:49:13 XXXXXXXX openvpn[48686]: 209.171.--.--:27235 Validating certificate extended key usage
      Jun  6 15:49:13 XXXXXXXX openvpn[48686]: 209.171.--.--:27235 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Server Authentication
      Jun  6 15:49:13 XXXXXXXX openvpn[48686]: 209.171.--.--:27235 ++ Certificate has EKU (oid) 1.3.6.1.5.5.7.3.2, expects TLS Web Server Authentication
      Jun  6 15:49:13 XXXXXXXX openvpn[48686]: 209.171.--.--:27235 VERIFY EKU ERROR
      Jun  6 15:49:13 XXXXXXXX openvpn[48686]: 209.171.--.--:27235 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
      Jun  6 15:49:13 XXXXXXXX openvpn[48686]: 209.171.--.--:27235 TLS_ERROR: BIO read tls_read_plaintext error
      Jun  6 15:49:13 XXXXXXXX openvpn[48686]: 209.171.--.--:27235 TLS Error: TLS object -> incoming plaintext read error
      Jun  6 15:49:13 XXXXXXXX openvpn[48686]: 209.171.--.--:27235 TLS Error: TLS handshake failed
      Jun  6 15:49:13 XXXXXXXX openvpn[48686]: 209.171.--.--:27235 SIGUSR1[soft,tls-error] received, client-instance restarting

      The Android log doesn't show too much other than a printout of the certificate authority and the server certificate - both say Verify OK, but at the bottom of the server certificate it says Authentication, ??? - then EVENT_CONNECTION_TIMEOUT.

      Additional questions:
      Is the Auth digest algorithm on the Server tab under cryptographic settings exported properly?
      I changed it to SHA512? I just noticed this 'Leave this set to SHA1 unless all clients are set to match. SHA1 is the default for OpenVPN. ' Since the handful of clients that I might set up will all be exported by the export tool, I was assuming that all clients would be set to match - Did I assume wrong?

      Am I correct that the password hasn't yet been evaluated?
      Am I correct that the password is checked in pfSense (i.e. it isn't certificate encryption?)
      Is it OK to have a SPACE in the password?

      EDIT

      I just noticed that when I click the info bubble for the old user cert I see:
      EKU: TLS Web Client Authentication

      I just noticed that when I click the info bubble for the new user cert I see:
      KU: Digital Signature, Non Repudiation, Key Encipherment
      EKU: TLS Web Client Authentication

      Is this a change in the way pfSense generates keys or did I do something wrong?
      Could this be the problem?

      Also is there any way I can conveniently list the contents of a previously generated certificate from the command line for reference?

      EDIT
      I found this post:
      https://forum.netgate.com/topic/114387/key-usage-checks-fail-on-user-client-certificate

      and this set of custom options seems to be working:

      persist-key
      persist-tun
      reneg-sec 0
      remote-cert-ku e0
      remote-cert-eku "TLS Web Client Authentication"

      It appears that something changed in the last year as to how pfSense generates keys because I didn't need these options a year ago.

      If you find my post useful, please give it a thumbs up!
      pfSense 2.7.2-RELEASE
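An added example, not part of guardian's post and not code from pfSense or OpenVPN: a POSIX shell script that builds a throwaway client certificate with the same usages the new user cert shows (Digital Signature, Non Repudiation, Key Encipherment plus TLS Web Client Authentication), lists those extensions from the command line with openssl (the question asked in the second EDIT), checks it against both EKUs named in the server log, and converts the KU names into the hex mask that the "remote-cert-ku e0" option encodes. The file names and the certificate subject are constructed here; it assumes OpenSSL 1.1.1 or newer for the -addext and -ext options.

```shell
#!/bin/sh
# Added example, not code from the forum post or from pfSense/OpenVPN.
# Builds a throwaway client certificate carrying the usages the post's
# "new user cert" shows, reads the extensions back with openssl, and
# derives the hex mask that remote-cert-ku expects.
# Assumes OpenSSL 1.1.1 or newer (-addext, -ext). Paths are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/client.crt"

# Self-signed one-day certificate; subject and usages are made up here
# to mirror the KU/EKU listed in the post's info bubble.
make_client_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example-client" \
        -addext "keyUsage=digitalSignature,nonRepudiation,keyEncipherment" \
        -addext "extendedKeyUsage=clientAuth" \
        -keyout "$WORK/client.key" -out "$CERT" 2>/dev/null
}

# List the KU/EKU of a PEM certificate: the "contents from the command
# line" the post asks about. (Use -text instead of -ext for everything.)
show_usages() {
    openssl x509 -in "$1" -noout -ext keyUsage,extendedKeyUsage
}

# Exit 0 if the certificate lists the named EKU. This is the comparison
# behind the "VERIFY EKU" lines in the server log: the EKU the certificate
# carries is matched against the one OpenVPN was told to expect.
has_eku() {
    openssl x509 -in "$1" -noout -ext extendedKeyUsage | grep -q "$2"
}

# Report the outcome the way the log does, for a given expected EKU.
verify_eku() {
    if has_eku "$1" "$2"; then
        echo "VERIFY EKU OK (expects $2)"
    else
        echo "VERIFY EKU ERROR: certificate lacks '$2'"
    fi
}

# Map the KU names openssl prints onto the RFC 5280 KeyUsage bits, which
# is the value remote-cert-ku takes (0x80 digitalSignature ... 0x02 cRLSign).
ku_hex() {
    ku=$(openssl x509 -in "$1" -noout -ext keyUsage | tail -n +2)
    mask=0
    case "$ku" in *"Digital Signature"*)  mask=$((mask + 128)) ;; esac
    case "$ku" in *"Non Repudiation"*)    mask=$((mask + 64))  ;; esac
    case "$ku" in *"Key Encipherment"*)   mask=$((mask + 32))  ;; esac
    case "$ku" in *"Data Encipherment"*)  mask=$((mask + 16))  ;; esac
    case "$ku" in *"Key Agreement"*)      mask=$((mask + 8))   ;; esac
    case "$ku" in *"Certificate Sign"*)   mask=$((mask + 4))   ;; esac
    case "$ku" in *"CRL Sign"*)           mask=$((mask + 2))   ;; esac
    printf '%02x\n' "$mask"
}

make_client_cert
show_usages "$CERT"
# The same certificate checked against both EKUs that appear in the log.
verify_eku "$CERT" "TLS Web Client Authentication"   # OK
verify_eku "$CERT" "TLS Web Server Authentication"   # ERROR, as in the log
echo "remote-cert-ku value for this certificate: $(ku_hex "$CERT")"   # e0
```

Run it as-is and the last line prints e0, i.e. the three KU names on the new user cert add up to exactly the mask in the custom options above; a certificate that carries a different set of KU bits would need a different remote-cert-ku value, which is what ku_hex is there to show.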
