Netgate Discussion Forum

After restoring configuration OpenVPN certificates missing

OpenVPN
5 Posts 2 Posters 1.3k Views
    apara (posted Jul 21, 2021, 10:26 PM; last edited by apara Jul 21, 2021, 11:00 PM)

    I upgraded my hardware and installed the latest 2.5.2-RELEASE.

    After restoring the configuration from the old 2.4.5-p1 installation/hardware and mapping interfaces everything is working except OpenVPN clients.

    When I try to start OpenVPN client on my new setup I get this error:

    Jul 21 14:53:39 openvpn 57939 Exiting due to fatal error
    Jul 21 14:53:39 openvpn 57939 Cannot load certificate file /var/etc/openvpn/client3/cert
    Jul 21 14:53:39 openvpn 57939 OpenSSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
    Jul 21 14:53:39 openvpn 57939 Initializing OpenSSL support for engine 'devcrypto'

    I checked and the /var/etc/openvpn/client3/cert exists.


    So, this is possibly related to the previous message:
    OpenSSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak

    Any suggestions on how to fix this?

    Thanks.

      apara @apara (posted Jul 22, 2021, 3:10 AM; last edited by apara Jul 22, 2021, 3:11 AM)

      Answering my own question...

      Adding this string to custom options allows things to work:
      tls-cipher "DEFAULT:@SECLEVEL=0"


      However, I am looking for a better way to do this.

        bingo600 @apara (posted Jul 22, 2021, 5:27 AM)

        @apara

        Have a look here
        https://www.infopackets.com/news/10414/how-fix-openvpn-sslctxusecertificateca-md-too-weak

        /Bingo

        If you find my answer useful - Please give the post a 👍 - "thumbs up"

        pfSense+ 23.05.1 (ZFS)

        QOTOM-Q355G4 Quad Lan.
        CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
        LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD

          apara @bingo600 (posted Jul 22, 2021, 5:34 AM)

          @bingo600 thanks for the link. This looks like a better solution but I am not sure how to make this work on pfSense.

          I am using VPN vendor, so I did not create the original certificates as they were given to me by the vendor.

          Am I misunderstanding something?

            bingo600 @apara (posted Jul 22, 2021, 7:43 AM)

            @apara

            From the URL above, it seems that your vendor needs to sign with SHA instead of MD5.
            Getting new, updated certificates would be the correct solution.

            But with some vendors ... "Good luck w that" 👎

            /Bingo

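The thread's diagnosis is that the vendor-issued client certificate is signed with MD5, which OpenSSL rejects at security level 1 and above with "ca md too weak", and that `@SECLEVEL=0` only masks this. The script below is an added example, not pfSense, OpenVPN or infopackets code: it reads a certificate file (PEM or DER) and reports the digest the CA used to sign it, which is the outer `Certificate.signatureAlgorithm` field that OpenSSL's security check inspects. It uses only the Python standard library, so it can be run against `/var/etc/openvpn/client3/cert` (or the cert pasted into the pfSense Certificate Manager) before and after the vendor reissues it. The OID table and the `constructed_cert()` skeleton are my own constructions for illustration; the skeleton is test data with placeholder `tbsCertificate` and signature fields, not a real certificate.

```python
# Added example: report the signature digest of an X.509 certificate so an
# MD5-signed cert is spotted before OpenSSL refuses it ("ca md too weak").
import base64
import re
import sys

# Certificate.signatureAlgorithm OID -> (name, digest). Constructed table,
# assumed sufficient for typical OpenVPN client certs; others report "unknown".
SIG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "md5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "sha384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "sha512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "sha1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "sha256"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "sha384"),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", "sha512"),
}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode OBJECT IDENTIFIER contents (base-128 arcs) to dotted form."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def pem_to_der(data):
    """Accept PEM or raw DER bytes and return DER bytes."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data


def signature_algorithm(cert_bytes):
    """Return the dotted OID from the outer Certificate.signatureAlgorithm."""
    tag, cert, _ = _read_tlv(pem_to_der(cert_bytes), 0)  # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)                        # tbsCertificate, skipped
    tag, alg_id, _ = _read_tlv(cert, pos)                 # AlgorithmIdentifier
    tag2, oid, _ = _read_tlv(alg_id, 0)                   # algorithm OBJECT IDENTIFIER
    if tag != 0x30 or tag2 != 0x06:
        raise ValueError("unexpected structure in signatureAlgorithm")
    return _decode_oid(oid)


def assess(cert_bytes):
    """Return (algorithm name, digest, verdict) for one certificate."""
    oid = signature_algorithm(cert_bytes)
    name, digest = SIG_OIDS.get(oid, (oid, "unknown"))
    if digest == "md5":
        verdict = "rejected at SECLEVEL 1 and above (the 'ca md too weak' case); reissue with SHA-256"
    elif digest == "sha1":
        verdict = "allowed at SECLEVEL 1 on OpenSSL 1.1.1 but treated as too weak by OpenSSL 3.x; reissue with SHA-256"
    elif digest in ("sha256", "sha384", "sha512"):
        verdict = "ok"
    else:
        verdict = "unrecognised signature algorithm; inspect with openssl x509 -text"
    return name, digest, verdict


# --- constructed test data: a DER skeleton, not a real certificate -----------
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    p = [int(x) for x in dotted.split(".")]
    out = bytes([p[0] * 40 + p[1]])
    for v in p[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out += bytes(reversed(chunk))
    return out


def constructed_cert(sig_oid):
    """PEM whose tbsCertificate and signature are placeholders; only the
    signatureAlgorithm field is meaningful. The 257-byte signature placeholder
    forces long-form DER lengths, which real certificates also use."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" * 257)
    der = _tlv(0x30, tbs + alg + sig)
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Usage: python check_cert_md.py /var/etc/openvpn/client3/cert
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, *assess(f.read()))
    if len(sys.argv) == 1:
        print("constructed md5 sample:", *assess(constructed_cert("1.2.840.113549.1.1.4")))
```

Only the digest of the certificate's own signature matters here; the key size and the CA chain are checked separately by OpenSSL. If the report says `md5`, the cert has to be reissued by the vendor's CA with SHA-256 (as the thread concludes), and the `tls-cipher "DEFAULT:@SECLEVEL=0"` custom option should be removed once the new cert is in place, since it lowers the bar for every algorithm in that tunnel, not just the certificate digest.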

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.