Netgate Discussion Forum

Cipher missing from server post Server Certificate renewal

28 Posts 4 Posters 1.7k Views
  • P
    prashant.joshi
    last edited by Mar 18, 2024, 7:20 AM

    Yesterday I renewed a server certificate on pfSense, and after that I immediately faced an issue with the firewall.


    Also when I checked OpenVPN Server settings I found all the "Data Encryption Algorithms" were missing from the selection box.

    • G
      Gertjan @prashant.joshi
      last edited by Mar 18, 2024, 7:39 AM

      @prashant-joshi

      Renewed what certificate? The one used by OpenVPN?
      The cert? The CA? Both?


      Missing left ?
      Right ?

      These ciphers are built into the software, you can't 'remove' them.

      What pfSense version ?

      OpenVPN talks to you: Status > System Logs > OpenVPN. What does it say?

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      • P
        prashant.joshi @Gertjan
        last edited by Mar 18, 2024, 8:06 AM

        @Gertjan

        Renewed: Server certificate (which was in use by the server, not CA)


        It is missing post-renewal, from the left.

        pfSense Version: 23.05.1-RELEASE

        • N
          NightlyShark @prashant.joshi
          last edited by Mar 18, 2024, 8:26 AM

          @prashant-joshi Restart everything, stop OpenVPN, delete problematic cert, issue new server certificate, select in OpenVPN, start OpenVPN.

          • N
            NightlyShark @prashant.joshi
            last edited by Mar 18, 2024, 8:30 AM

            @prashant-joshi said in Cipher missing from server post Server Certificate renewal:

            @Gertjan

            Renewed: Server certificate (which was in use by the server, not CA)


            It is missing post-renewal, from the left.

            pfSense Version: 23.05.1-RELEASE


            The list of available encryption schemes is determined by your cert.

              • G
                Gertjan @prashant.joshi
                last edited by Mar 18, 2024, 9:04 AM

                @prashant-joshi said in Cipher missing from server post Server Certificate renewal:

                23.05.1-RELEASE

                I've tried all sorts of combinations with settings and certs to see if I could find the situation.

                But we don't have the same pfSense (I'm using 23.09.1) and OpenVPN version (I'm using 2.6.8) which makes comparing difficult.

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                • P
                  prashant.joshi @NightlyShark
                  last edited by Mar 18, 2024, 9:10 AM

                  @NightlyShark

                  Did twice but no luck...

                  • N
                    NightlyShark @prashant.joshi
                    last edited by Mar 18, 2024, 9:12 AM

                    @prashant-joshi You deleted and recreated the server cert twice? Maybe you selected something in "Hardware Crypto"?

                    • P
                      prashant.joshi @NightlyShark
                      last edited by Mar 18, 2024, 9:21 AM

                      @NightlyShark I have simply renewed the cert, not deleted the older one.

                      • N
                        NightlyShark @prashant.joshi
                        last edited by Mar 18, 2024, 9:25 AM

                        @prashant-joshi I had stumbled upon a bug, where if the cert took a long time to generate (tried 16k RSA), the gui would behave like it had finished with the cert, but a background process remained active (creating the cert), for up to 20 minutes later...

                        • P
                          prashant.joshi @NightlyShark
                          last edited by Mar 18, 2024, 9:30 AM

                          @NightlyShark in my case cert shows properly renewed.

                          Another thing: I tried to save the server settings and it's giving me the "One or more of the selected Data Encryption Algorithms is not valid." error.

                          • N
                            NightlyShark @prashant.joshi
                            last edited by NightlyShark Mar 18, 2024, 9:40 AM Mar 18, 2024, 9:35 AM

                            @prashant-joshi That means that when renewing the cert you changed ciphers and now it gets all confused. Just delete, both the cert and the server profile, and recreate. Unless there is a Gateway or a custom OpenVPN interface (for the fw rules) involved, then just try to delete the cert.

                            • N
                              NightlyShark @prashant.joshi
                              last edited by Mar 18, 2024, 9:41 AM

                              @prashant-joshi Also, check out the logs for OpenVPN.

                              • P
                                prashant.joshi @NightlyShark
                                last edited by Mar 18, 2024, 10:05 AM

                                @NightlyShark When I am trying to add a new server, the left side Cipher is still blank.

                                • N
                                  NightlyShark @prashant.joshi
                                  last edited by Mar 18, 2024, 10:06 AM

                                  @prashant-joshi You need to select a certificate, first :)

                                  • P
                                    prashant.joshi @NightlyShark
                                    last edited by Mar 18, 2024, 10:10 AM

                                    @NightlyShark Even after selecting the server Cert nothing changed. Still the left side is missing and blank.

                                    • N
                                      NightlyShark @prashant.joshi
                                      last edited by NightlyShark Mar 18, 2024, 10:16 AM Mar 18, 2024, 10:16 AM

                                      @prashant-joshi Friend, I am this close to asking a stranger (you) to let me AnyDesk this...

                                      • N
                                        NightlyShark @prashant.joshi
                                        last edited by Mar 18, 2024, 10:17 AM

                                        @prashant-joshi At this point of the head-scratching process, I would reinstall (remove and install) the OpenVPN package manually via cli.

                                        • J
                                          johnpoz LAYER 8 Global Moderator @Gertjan
                                          last edited by Mar 18, 2024, 11:10 AM

                                          @Gertjan are you really on 23.05.1? I would move to the current supported version, 23.09.1. There have been multiple changes; the big one is the jump to OpenSSL 3, and I know the OpenVPN version has also been updated.

                                          23.05.1 is no longer on the supported list.

                                          If it was me, I would upgrade to current, and if your certs are still not working... Create new..

                                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                                          If you get confused: Listen to the Music Play
                                          Please don't Chat/PM me for help, unless mod related
                                          SG-4860 24.11 | Lab VMs 2.8, 24.11
