Netgate Discussion Forum
    After restoring configuration OpenVPN certificates missing

    5 Posts 2 Posters 1.3k Views

    apara (last edited by apara):

      I upgraded my hardware and installed the latest 2.5.2-RELEASE.

      After restoring the configuration from the old 2.4.5-p1 installation/hardware and mapping the interfaces, everything is working except the OpenVPN clients.

      When I try to start the OpenVPN client on my new setup, I get this error:

      Jul 21 14:53:39 openvpn 57939 Exiting due to fatal error
      Jul 21 14:53:39 openvpn 57939 Cannot load certificate file /var/etc/openvpn/client3/cert
      Jul 21 14:53:39 openvpn 57939 OpenSSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
      Jul 21 14:53:39 openvpn 57939 Initializing OpenSSL support for engine 'devcrypto'

      I checked and the /var/etc/openvpn/client3/cert exists.


      So, this is possibly related to the previous message:
      OpenSSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak

      Any suggestions on how to fix this?

      Thanks.

      apara @apara (last edited by apara):

        Answering my own question...

        Adding this string to custom options allows things to work:
        tls-cipher "DEFAULT:@SECLEVEL=0"


        However, I am looking for a better way to do this.

        bingo600 @apara:

          @apara

          Have a look here
          https://www.infopackets.com/news/10414/how-fix-openvpn-sslctxusecertificateca-md-too-weak

          /Bingo

          If you find my answer useful - Please give the post a 👍 - "thumbs up"

          pfSense+ 23.05.1 (ZFS)

          QOTOM-Q355G4 Quad Lan.
          CPU : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
          LAN : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD

          apara @bingo600:

            @bingo600 thanks for the link. This looks like a better solution but I am not sure how to make this work on pfSense.

            I am using a VPN vendor, so I did not create the original certificates; they were given to me by the vendor.

            Am I misunderstanding something?

            bingo600 @apara:

              @apara

              From the URL above, it seems that your vendor needs to sign with SHA instead of MD5.
              Getting new updated certificates would be the correct solution.

              But with some vendors ... "Good luck w that" 👎

              /Bingo


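The two posts above (the `@SECLEVEL=0` workaround and the advice to get the vendor to sign with SHA instead of MD5) both hinge on one fact: OpenSSL 1.1.x and later enforce a "security level" (default 1, an 80-bit minimum) on every certificate loaded into a TLS context, and an MD5-signed certificate falls below it, which is what `ca md too weak` means. The OpenSSL 1.0.2 builds that older pfSense releases used had no such check, so the same certificate loaded fine there. The following is an added example, not code from the thread, from Netgate or from OpenVPN, assuming nothing beyond the Python standard library: it reads the `signatureAlgorithm` OID out of a PEM or DER certificate with a minimal DER walk and reports the highest security level that still accepts it, so a practitioner can confirm a vendor certificate really is MD5-signed before dropping to `@SECLEVEL=0`, and check a replacement certificate before deploying it. The certificates it runs on are constructed inside the block (outer X.509 shape only) and are not real certificates; the OID table and the level thresholds are OpenSSL's.

```python
"""Which OpenSSL security level will accept this certificate's signature?"""
import base64
import re

# Signature-algorithm OID -> (name, digest). Common RSA and ECDSA OIDs only.
SIG_OIDS = {
    "1.2.840.113549.1.1.2": ("md2WithRSAEncryption", "md2"),
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "md5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "sha384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "sha512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "sha1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "sha256"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "sha384"),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", "sha512"),
}
DIGEST_BITS = {"md2": 128, "md5": 128, "sha1": 160,
               "sha256": 256, "sha384": 384, "sha512": 512}
# Minimum security bits per level, from SSL_CTX_set_security_level(3).
SECLEVEL_MIN_BITS = {0: 0, 1: 80, 2: 112, 3: 128, 4: 192, 5: 256}
DEFAULT_SECLEVEL = 1   # OpenSSL 1.1.x default, inherited by OpenVPN on pfSense 2.5


def _read_tlv(buf, pos):
    """Decode one definite-length DER TLV; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    first = raw[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in raw[1:]:                       # base-128, high bit = "more bytes follow"
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def pem_to_der(data):
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data   # else: already DER


def signature_algorithm_oid(der):
    tag, start, _ = _read_tlv(der, 0)             # Certificate ::= SEQUENCE {
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, start)         #   tbsCertificate (skipped),
    tag, alg_start, _ = _read_tlv(der, tbs_end)   #   signatureAlgorithm ::= SEQUENCE {
    if tag != 0x30:
        raise ValueError("missing signatureAlgorithm")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)   # algorithm OID, ...
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return _decode_oid(der[oid_start:oid_end])


def max_seclevel_accepting(digest):
    # OpenSSL 1.1.x rates a signature at half the digest length in bits, so
    # MD5 = 64 (below level 1) and SHA-1 = 80 (level 1 only). OpenSSL 3.x
    # pins SHA-1 and MD5 lower still, so there SHA-1 fails at level 1 too.
    secbits = DIGEST_BITS[digest] // 2
    return max(lvl for lvl, need in SECLEVEL_MIN_BITS.items() if secbits >= need)


def check_cert(pem_or_der):
    """Describe the signature and say whether the default level accepts it."""
    oid = signature_algorithm_oid(pem_to_der(pem_or_der))
    name, digest = SIG_OIDS.get(oid, ("unknown", None))
    level = max_seclevel_accepting(digest) if digest else None
    return {"oid": oid, "algorithm": name, "digest": digest, "max_seclevel": level,
            "accepted_at_default": level is not None and level >= DEFAULT_SECLEVEL}


# --- constructed sample input (not real certificates) -------------------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def fake_cert_signed_with(oid):
    """CONSTRUCTED: outer Certificate shape only (empty tbsCertificate, zero
    signature), enough for the parser above but not a usable certificate."""
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(oid)) + _tlv(0x05, b""))
    der = _tlv(0x30, _tlv(0x30, b"") + alg + _tlv(0x03, b"\x00" * 17))
    b64 = base64.encodebytes(der).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n").encode("ascii")


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"):
        print(check_cert(fake_cert_signed_with(oid)))
```

On the pfSense box itself the equivalent one-liner is `openssl x509 -noout -text -in /var/etc/openvpn/client3/cert | grep 'Signature Algorithm'`, and the same check should be run on the vendor's CA certificate, since the error names the CA. Note that `tls-cipher "DEFAULT:@SECLEVEL=0"` lowers the level for the whole TLS context (cipher suites and key sizes included), not just for this one certificate, so it is a stopgap until the vendor reissues a SHA-256-signed chain, which this checker reports as accepted up to level 3.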
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.