Netgate Discussion Forum

    Faulty openvpn-client-export config files.

    • E
      elemay
      last edited by

      Hi,

      I'd exported my Android user config (inline) with the openvpn-client-export utility.

      I can't import those into my android.

      I get the following error:

      No endtag for starttag <tls-auth>found

      I checked the generated config and it looks as it was half exported:

      <tls-auth>
      #
      # 2048 bit OpenVPN static key
      -----BEGIN OpenVPN Static key V1-----
      3563656648eregr4545t4gf4wt54tw45e8b
      f37eee2tzer2b580fe57954af737dc36c064
      2b59471dbc95238b4c6662e3377bae8b
      7146db0fa26f3d9349b70b4f803c5a97
      8ec7ba43c2a8eaa3aa543b142d8722e0
      f058925f41e214f43fc8893248cfe280
      30b7ebcb5zer536362awa532632q5641a6
      696917f05b54a72b96689f7448a63176
      7ef4bd168d5df68a9bdc5b26a50acc89
      56e54004dec763bb613da3988330f769
      1d1adb3c45346346457z54763

      As you see, it looks as if it wasn't fully exported.

      If I download the zip archive, I can't unzip it. Faulty archive (file-roller & 7-zip for me).

      Any help?

      Thanks

      elemay

      1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by

        And using what version of pfSense, snapshot? What browser, what version of the export package?

        I am on 2.1.1 snap
        2.1.1-PRERELEASE (i386)
        built on Thu Feb 13 13:59:46 EST 2014
        FreeBSD 8.3-RELEASE-p14

        using 1.2.4 of the export package with firefox 28 and working here, both the inline and zip files are fine.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        1 Reply Last reply Reply Quote 0
        • E
          elemay
          last edited by

          My version:

          2.1.1-PRERELEASE (amd64)
          built on Wed Mar 26 13:50:51 EDT 2014
          FreeBSD 8.3-RELEASE-p14

          openvpn-client-export-utility:

          1.2.4

          Tried with Firefox 24.4.0 and Chromium 33.0.1750.152 (256984).

          And I forgot to mention those lines as the first 2 lines of my config files (stupid me):

          Warning: openssl_x509_parse(): illegal ASN1 data type for timestamp in /etc/inc/certs.inc on line 419
          
          Warning: openssl_x509_parse(): illegal ASN1 data type for timestamp in /etc/inc/certs.inc on line 480
          

          greetings

          1 Reply Last reply Reply Quote 0
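Added example, not part of any post in this thread and not code from pfSense or the export package: a small pre-import check for an exported inline config that flags the two symptoms described above, PHP warning text mixed into the file and an inline block that is opened but never finished. The set of inline tags, the `vpn.example.com` remote and the dummy key bytes are assumptions made for the sample.

```python
import re

INLINE_TAGS = {"ca", "cert", "key", "tls-auth"}   # inline blocks checked (assumed set)
PHP_DIAG = re.compile(r"(Warning|Notice|Fatal error)(</b>)?:\s.+ on line (<b>)?\d+")
TAG = re.compile(r"<(/?)([a-z-]+)>")
ARMOR = re.compile(r"-----(BEGIN|END) (.+)-----")

def check_inline_config(text):
    """Return a list of problems found in an inline OpenVPN client config."""
    problems, open_tag, open_armor = [], None, None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if PHP_DIAG.search(line):
            problems.append(f"line {n}: PHP diagnostic text in config")
            continue
        tag, armor = TAG.fullmatch(line), ARMOR.fullmatch(line)
        if tag and tag.group(2) in INLINE_TAGS:
            closing, name = tag.group(1) == "/", tag.group(2)
            if closing and name != open_tag:
                problems.append(f"line {n}: </{name}> has no matching start tag")
            open_tag = None if closing else name
        elif armor and armor.group(1) == "BEGIN":
            open_armor = armor.group(2)
        elif armor:
            if armor.group(2) != open_armor:
                problems.append(f"line {n}: END marker without matching BEGIN")
            open_armor = None
    if open_armor:
        problems.append(f"end of file: no END marker for '{open_armor}'")
    if open_tag:
        problems.append(f"end of file: no end tag for <{open_tag}>")
    return problems

# Constructed sample reproducing the failure from the thread: two PHP warnings
# on top, then a static-key block that stops mid-key. Key bytes are dummies.
TRUNCATED = """\
Warning: openssl_x509_parse(): illegal ASN1 data type for timestamp in /etc/inc/certs.inc on line 419
Warning: openssl_x509_parse(): illegal ASN1 data type for timestamp in /etc/inc/certs.inc on line 480
client
remote vpn.example.com 1194
<tls-auth>
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
0011223344
"""

if __name__ == "__main__":
    print("\n".join(check_inline_config(TRUNCATED)))
```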
          • E
            elemay
            last edited by

            When I go to cert-manager I also get those lines in the webui:

            Warning: openssl_x509_parse(): illegal ASN1 data type for timestamp in /etc/inc/certs.inc on line 394
            Warning: openssl_x509_parse(): illegal ASN1 data type for timestamp in /etc/inc/certs.inc on line 444
            Warning: openssl_x509_parse(): illegal ASN1 data type for timestamp in /etc/inc/certs.inc on line 490

            Any way to fix this?

            1 Reply Last reply Reply Quote 0
            • D
              doktornotor Banned
              last edited by

              @elemay:

              any way to fix this?

              The way to fix the warning is to stop issuing insane certificates that expire after 2050.

              https://bugs.php.net/bug.php?id=66636

              1 Reply Last reply Reply Quote 0
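Added example, not part of any post and not pfSense code: RFC 5280 encodes validity dates through 2049 as UTCTime and dates from 2050 onward as GeneralizedTime, which is the case this thread ties to the warning. The sketch below reads the two validity fields of a DER certificate and reports their ASN.1 type; `sample_cert` builds a constructed, unsigned skeleton with constructed dates so the block runs offline.

```python
UTCTIME, GENERALIZEDTIME = 0x17, 0x18     # ASN.1 universal tags for the two time types

def read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def validity_types(cert_der):
    """Return {'notBefore': (type, text), 'notAfter': (type, text)} for a DER cert."""
    _, cert, _ = read_tlv(cert_der, 0)                 # Certificate ::= SEQUENCE
    tbs = children(children(cert)[0][1])               # fields of tbsCertificate
    if tbs[0][0] == 0xA0:                              # skip optional [0] version
        tbs = tbs[1:]
    validity = children(tbs[3][1])                     # serial, sigAlg, issuer, validity
    names = {UTCTIME: "UTCTime", GENERALIZEDTIME: "GeneralizedTime"}
    return {field: (names.get(tag, hex(tag)), val.decode("ascii"))
            for field, (tag, val) in zip(("notBefore", "notAfter"), validity)}

def uses_generalizedtime(cert_der):
    """True if either validity date is encoded as GeneralizedTime."""
    return any(t == "GeneralizedTime" for t, _ in validity_types(cert_der).values())

def tlv(tag, value):                      # short-form DER TLV, enough for the sample
    return bytes([tag, len(value)]) + value

def sample_cert(not_before, not_after):
    """Constructed, unsigned certificate skeleton: only the fields up to validity."""
    def time(s):                          # 15 chars = 4-digit year = GeneralizedTime
        return tlv(GENERALIZEDTIME if len(s) == 15 else UTCTIME, s.encode())
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
           + tlv(0x30, b"") + tlv(0x30, time(not_before) + time(not_after)))
    return tlv(0x30, tlv(0x30, tbs))

if __name__ == "__main__":
    for not_after in ("240101000000Z", "20640101000000Z"):
        print(validity_types(sample_cert("140101000000Z", not_after)))
```

For a real certificate, base64-decode the PEM body and pass the resulting bytes to `validity_types`.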
              • E
                elemay
                last edited by

                Hi doktornotor,

                That's nice to know.

                My cert shows:

                Valid From: 	Wed, 07 Mar 2012 17:48:38 +0100
                Valid Until: 	
                

                As you can see, no Valid Until is shown.

                My client certs show (the one I want to export):

                Valid From: 	Mon, 31 Mar 2014 20:33:42 +0200
                Valid Until: 	Thu, 28 Mar 2024 19:33:42 +0100
                

                Funny thing is that I could export an older cert just fine (1 year ago :P )

                Maybe with the mentioned fix for 'GENERALIZEDTIME parsing' they broke my cert export :P

                I'll try with a new cert.

                Thanks

                1 Reply Last reply Reply Quote 0
                • G
                  gspadari
                  last edited by

                  I found this topic searching for a solution to this error:

                  An error code was received while attempting Filter sync with username …  - Code 2: Invalid return payload: enable debugging to examine incoming payload

                  This error started happening after upgrading from 2.1 to >=2.1.1-2.1.4.

                  The "Warning" that the new openssl version generates breaks the XML response that rc.filter_synchronize uses, and thus the referred error appears in the System Log.

                  If one cannot recreate the SSL certs with an expiration year before 2050, one way to work around this is to use the PHP functions ob_start(); and ob_end_clean();.

                  I've modified /etc/inc/certs.inc (in every CARP server), adding this function:

                  
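                  // Wrapper around openssl_x509_parse(): buffer any output PHP emits
                  // during parsing (such as the warning text) and discard it.
                  function openssl_x509_parse_nooutput($str_crt) {
                  	ob_start();
                  	$inf_crt = openssl_x509_parse($str_crt);
                  	ob_end_clean();
                  	return $inf_crt;
                  }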
                  
                  

                  And then I modified (in the same file) every call to openssl_x509_parse to use the new openssl_x509_parse_nooutput.

                  I've been using this workaround for a couple of hours and everything seems to work fine, and the Sync error now reads:

                  php: rc.filter_synchronize: Filter sync successfully completed with …

                  1 Reply Last reply Reply Quote 0
                  • S
                    Stefan100
                    last edited by

                    Hi,

                    I have the same problem.

                    I created a new certificate and noticed a typo in the name.
                    Then I deleted it. Afterwards I noticed this text in the WebGUI of the Certificate Authority Manager:

                    Warning: openssl_x509_parse(): illegal ASN1 data type for timestamp in /etc/inc/certs.inc on line 394
                    Warning: openssl_x509_parse(): illegal ASN1 data type for timestamp in /etc/inc/certs.inc on line 444
                    Warning: openssl_x509_parse(): illegal ASN1 data type for timestamp in /etc/inc/certs.inc on line 490

                    Maybe it is because the name that I wrongly entered for the cert was the same as one that was already in use?

                    I cannot export any client or certificates anymore, like elemay mentioned.

                    Is there any way to get more details on where the problem is caused?

                    Maybe someone could help me fix it.

                    BR and many thanks in advance.

                    1 Reply Last reply Reply Quote 0