Cipher missing from server post Server Certificate renewal
-
Yesterday I renewed a server certificate on the PfSense post that immediately faced an issue with the firewall.
Also when I checked OpenVPN Server settings I found all the "Data Encryption Algorithms" were missing from the selection box.
-
Renewed what certicate ? The one just by OpenVPN ?
The cert ? The CA ? Both ?
Missing left ?
Right ?These ciphers are build into the software, you can't 'remove' them.
What pfSense version ?
OpenVPN talks to you : Status > System Logs > OpenVPN what dos it say ?
-
Renewed: Server certificate (which was in use by the server, not CA)
It is missing post-renewal, from the left.
pfSense Version: 23.05.1-RELEASE
-
@prashant-joshi Restart everything, stop OpenVPN, delete problematic cert, issue new server certificate, select in OpenVPN, start OpenVPN.
-
@prashant-joshi said in Cipher missing from server post Server Certificate renewal:
Renewed: Server certificate (which was in use by the server, not CA)
It is missing post-renewal, from the left.
pfSense Version: 23.05.1-RELEASE
The list of available encryption schemes is determined by you cert.
-
@prashant-joshi said in Cipher missing from server post Server Certificate renewal:
Renewed: Server certificate (which was in use by the server, not CA)
It is missing post-renewal, from the left.
pfSense Version: 23.05.1-RELEASE
The list of available encryption schemes is determined by you cert.
-
@prashant-joshi said in Cipher missing from server post Server Certificate renewal:
23.05.1-RELEASE
I've tried all sort of combinations with settings and certs to see if I could find the situation.
But we don't have the same pfSense (I'm using 23.09.1) and OpenVPN version (I'm using 2.6.8) which makes comparing difficult.
-
Did twice but no luck...
-
@prashant-joshi You deleted and recreated the server cert twice? Maybe you selected something in "Hardware Crypto"?
-
@NightlyShark I have simply renewed the cert not deleted the olderone.
-
@prashant-joshi I had stumbled upon a bug, where if the cert took a long time to generate (tried 16k RSA), the gui would behave like it had finished with the cert, but a background process remained active (creating the cert), for up to 20 minutes later...
-
@NightlyShark in my case cert shows properly renewed.
Another thing I tried to save server settings it's giving me the "One or more of the selected Data Encryption Algorithms is not valid." error
-
@prashant-joshi That means that when renewing the cert you changed ciphers and now it gets all confused. Just delete, both the cert and the server profile, and recreate. Unless there is a Gateway or a custom OpenVPN interface (for the fw rules) involved, then just try to delete the cert.
-
@prashant-joshi Also, check out the logs for OpenVPN.
-
@NightlyShark when I am trying to add new server still the left side Cipher is blank.
-
@prashant-joshi You need to select a certificate, first :)
-
@NightlyShark Even after selecting the server Cert nothing changed. Still the left side is missing and blank.
-
@prashant-joshi Friend, I am this close to asking a stranger(you) to let me AnyDesk this...
-
@prashant-joshi At this point of the head-scratching process, I would reinstall (remove and install) the OpenVPN package manually via cli.
-
@Gertjan are you really on 23.05.1 ? I would move to current supported version 23.09.1 - there has been multiple changes, big one is jump to open ssl3, and I know the openvpn version has also been updated.
23.05.1 is no longer on the supported list.
If it was me, I would upgrade to current, and if your certs are still not working... Create new..