4. Replacing Expired OpenVPN Certificates

Replacing Expired OpenVPN Certificates

  • G

    I hope one of the VPN gurus here can give me a few hints as to what I may be doing wrong, I had my OpenVPN server working, but I recently upgraded the phone to Oreo 8.1 AND my OpenVPN certificates just expired. I thought it would be easy to just create new certs, but for some reason I am getting validation errors and the VPN won't connect. pfSense has had a couple of updates in the year since I originally created the certificates.

    In an attempt to get this thing working, I have recreated everything - Server certificate, User certificate, TLS Key, and I increased the strength of my password (since my initial setup was only intended for testing and the password was way too weak). I used the export tool, to put the info on a USB key and then imported it on my phone. The import seemed to work OK.
    (I Didn't destroy/recreate the servers-I just changed the .)

    Can someone give me a hint as to what part of the process these messages refer to?
    (Only the XXXXXXXXXs and --.-- have been redacted - all other values are the actual contents.)

    Jun  6 15:49:13 XXXXXXXX openvpn[48686]: 209.171.--.--:27235 VERIFY SCRIPT OK: depth=2, C=CA, ST=PRIVATE, L=PRIVATE, O=PRIVATE, emailAddress=nobody@nowhere, CN=XXXXXXXX_ROOT, OU=PRIVATE
Jun  6 15:49:13 XXXXXXXX openvpn[48686]: 209.171.--.--:27235 VERIFY OK: depth=2, C=CA, ST=PRIVATE, L=PRIVATE, O=PRIVATE, emailAddress=nobody@nowhere, CN=XXXXXXXX_ROOT, OU=PRIVATE
Jun  6 15:49:13 XXXXXXXX openvpn[48686]: 209.171.--.--:27235 VERIFY SCRIPT OK: depth=1, C=CA, ST=PRIVATE, L=PRIVATE, O=PRIVATE, emailAddress=nobody@nowhere, CN=XXXXXXXX_INTERMEDIATE_MAY2017, OU=PRIVATE
Jun  6 15:49:13 XXXXXXXX openvpn[48686]: 209.171.--.--:27235 VERIFY OK: depth=1, C=CA, ST=PRIVATE, L=PRIVATE, O=PRIVATE, emailAddress=nobody@nowhere, CN=XXXXXXXX_INTERMEDIATE_MAY2017, OU=PRIVATE
Jun  6 15:49:13 XXXXXXXX openvpn[48686]: 209.171.--.--:27235 VERIFY KU OK
Jun  6 15:49:13 XXXXXXXX openvpn[48686]: 209.171.--.--:27235 Validating certificate extended key usage
Jun  6 15:49:13 XXXXXXXX openvpn[48686]: 209.171.--.--:27235 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Server Authentication
Jun  6 15:49:13 XXXXXXXX openvpn[48686]: 209.171.--.--:27235 ++ Certificate has EKU (oid) 1.3.6.1.5.5.7.3.2, expects TLS Web Server Authentication
Jun  6 15:49:13 XXXXXXXX openvpn[48686]: 209.171.--.--:27235 VERIFY EKU ERROR
Jun  6 15:49:13 XXXXXXXX openvpn[48686]: 209.171.--.--:27235 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Jun  6 15:49:13 XXXXXXXX openvpn[48686]: 209.171.--.--:27235 TLS_ERROR: BIO read tls_read_plaintext error
Jun  6 15:49:13 XXXXXXXX openvpn[48686]: 209.171.--.--:27235 TLS Error: TLS object -> incoming plaintext read error
Jun  6 15:49:13 XXXXXXXX openvpn[48686]: 209.171.--.--:27235 TLS Error: TLS handshake failed
Jun  6 15:49:13 XXXXXXXX openvpn[48686]: 209.171.--.--:27235 SIGUSR1[soft,tls-error] received, client-instance restarting

    The android log doesn't show too much other than a printout of the certificate autority, and the server certificate - both say - Verify OK, but at the bottom of the Server Certificate it says Authentication, ??? - Then EVENT_CONNECTION_TIMEOUT.

    Additional questions:
    Is the Auth digest algorithm on the Server tab under cryptographic settings exported properly?
    I changed it to SHA512? I just noticed this 'Leave this set to SHA1 unless all clients are set to match. SHA1 is the default for OpenVPN. ' Since the handful of clients that I might set up will all be exported by the export tool, I was assuming that all clients would be set to match - Did I assume wrong?

    Am I correct that the password hasn't yet been evaluated?
    Am I correct that the password is checked in pfSense (i.e. it isn't certificate encryption?)
    Is it OK to have a SPACE in the password?

    EDIT

    I just noticed that when I click the info bubble for the old user cert I see:
    EKU: TLS Web Client Authentication

    I just noticed that when I click the info bubble for the new user cert I see:
    KU: Digital Signature, Non Repudiation, Key Encipherment
    EKU: TLS Web Client Authentication

    Is this a change in the way pfSense generates keys or did I do something wrong?
    Could this be the problem?

    Also is there any way I can conveniently list the contents of a previously generated certificate from the command line for reference?

    EDIT
    I found this post:
    https://forum.netgate.com/topic/114387/key-usage-checks-fail-on-user-client-certificate

    and this set of custom options seems to be working:

    persist-key
persist-tun
reneg-sec 0
remote-cert-ku e0
remote-cert-eku "TLS Web Client Authentication"

    It appears that something changed in the last year as to how pfSense generates keys because I didn't need these options a year ago.

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy