Hello,
after some time of valid OpenVPN configuration on Mikrotik CCR1009-8G-1S, v6.37.1 I can't connect.
OpenVPN reports expired certificate:
Thu Dec 22 13:16:44 2016 us=973237 VERIFY OK: depth=0, C=SK, ST=SK, L=<L>, O=<Org>, CN=<IP>
Thu Dec 22 13:16:45 2016 us=67242 OpenSSL: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired
Thu Dec 22 13:16:45 2016 us=67242 OpenSSL: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
Thu Dec 22 13:16:45 2016 us=67242 TLS_ERROR: BIO read tls_read_plaintext error
Thu Dec 22 13:16:45 2016 us=67242 TLS Error: TLS object -> incoming plaintext read error
Thu Dec 22 13:16:45 2016 us=67242 TLS Error: TLS handshake failed
Thu Dec 22 13:16:45 2016 us=68242 Fatal TLS error (check_tls_errors_co), restarting
Thu Dec 22 13:16:45 2016 us=68242 TCP/UDP: Closing socket
CA and server certificates are valid. Tried to set the same certificate for HTTPS and it was valid.
Any suggestions?
Thanks.
Re: OpenVPN client reports expired certificate even it is valid almost 10 years
I know is basic, but have You checked the device date? Unlike PCs, these routers doesn't keep time between reboots - they get it through NTP each time.Hello,
after some time of valid OpenVPN configuration on Mikrotik CCR1009-8G-1S, v6.37.1 I can't connect.
OpenVPN reports expired certificate:
...
CA and server certificates are valid. Tried to set the same certificate for HTTPS and it was valid.
Any suggestions?
Thanks.
Re: OpenVPN client reports expired certificate even it is valid almost 10 years
Thank you for reminder, however it was first thing I checked. It was approx. 4 mins ahead, but after correcting nothing changed.
I switched off client certificate authentication and voila, connection was established. So now I'm completely confused whats wrong.
I thought that server certificate was (by my opinion incorrectly) reported as expired.
But when no client certificate is taken into authentication, what was expired. Client certificate valid.
Of course, I want to use client certificate authentication.
I switched off client certificate authentication and voila, connection was established. So now I'm completely confused whats wrong.
I thought that server certificate was (by my opinion incorrectly) reported as expired.
But when no client certificate is taken into authentication, what was expired. Client certificate valid.
Of course, I want to use client certificate authentication.
Re: OpenVPN client reports expired certificate even it is valid almost 10 years
10 years is a long time
Maybe time to update cert?
I know server cert could expire?
You can check expiration with this:
$ echo | openssl s_client -connect urlhere
Maybe time to update cert?
I know server cert could expire?
You can check expiration with this:
$ echo | openssl s_client -connect urlhere
Re: OpenVPN client reports expired certificate even it is valid almost 10 years
Is the client certificate signed by the same CA that issued the server certificate?
Re: OpenVPN client reports expired certificate even it is valid almost 10 years
Almost 10 years server cert and ca cert WILL be valid.10 years is a long time
Maybe time to update cert?
I know server cert could expire?
You can check expiration with this:
$ echo | openssl s_client -connect urlhere
You can't connect to OpenVPN server with openssl to get cert., since it is TLS wrapped inside OpenVPN protocol.
Or, openssl s_client -connect server:port gets SSL23_GET_SERVER_HELLO:unknown protocol
Re: OpenVPN client reports expired certificate even it is valid almost 10 years
Yes, it is signed with the same CA. It was working several days ago, now it stopped.Is the client certificate signed by the same CA that issued the server certificate?
But I double checked all certs and they are valid and signed with that CA.
Re: OpenVPN client reports expired certificate even it is valid almost 10 years
Weird. I thought it was a wrong error message, but... Ok.Yes, it is signed with the same CA. It was working several days ago, now it stopped.
But I double checked all certs and they are valid and signed with that CA.
1) The server is a CCR. What is the client?
2) What changed when it stopped working? New RouterOS version? New client version? Some configuration change? Windows update? There must be something.
Re: OpenVPN client reports expired certificate even it is valid almost 10 years
1) Client is OpenVPN Windows client.Weird. I thought it was a wrong error message, but... Ok.Yes, it is signed with the same CA. It was working several days ago, now it stopped.
But I double checked all certs and they are valid and signed with that CA.
1) The server is a CCR. What is the client?
2) What changed when it stopped working? New RouterOS version? New client version? Some configuration change? Windows update? There must be something.
2) We use similar Mikrotik router with the same configuration for our company and I can connect with the same client. It stopped working for all clients which are connecting there. There was Mikrotik v6.37.1 firmware, I updated it to the most recent, but it didn't helped.
I'm confused which cert. is reported as expired. By logs, it should be server cert. But how it can work when I switch off client cert authentication? Server cert reported expiration wouldn't allow it.
Re: OpenVPN client reports expired certificate even it is valid almost 10 years
I am using the same config: OpenVpn Mikrotik server (1100AHx2) with windows, Linux and routeros clients. The server is using the 6.37.1 version, and it verifies the client cert too.
Could it be something with Windows? Some update? If the certificates are really valid, signed AND the time on the server is ok... I don't know what could it be.
Could it be something with Windows? Some update? If the certificates are really valid, signed AND the time on the server is ok... I don't know what could it be.
Re: OpenVPN client reports expired certificate even it is valid almost 10 years
Just got an idea: the server certificate is valid. But how about the CA certificate? Maybe your server cert is ok, but the CA cert isn't. When You ask to validate the client certificate the system finds out that the CA is no longer valid and complains.I'm confused which cert. is reported as expired. By logs, it should be server cert. But how it can work when I switch off client cert authentication? Server cert reported expiration wouldn't allow it.
Re: OpenVPN client reports expired certificate even it is valid almost 10 years
I switch off client certificate authentication and it started worked again, as I wrote here. So if CA cert wasn't valid (it is also the part of client config), I think I couldn't connect anyway.Just got an idea: the server certificate is valid. But how about the CA certificate? Maybe your server cert is ok, but the CA cert isn't. When You ask to validate the client certificate the system finds out that the CA is no longer valid and complains.I'm confused which cert. is reported as expired. By logs, it should be server cert. But how it can work when I switch off client cert authentication? Server cert reported expiration wouldn't allow it.
CA is also OK, I tried to add it as a root CA to my client and opened server and client cert, which both were valid in my client environment without any untrusted issues (date, chain).
I connect to other OpenVPN servers (one is Mikrotik aswell) and even client cert authentication works without any problems. Problem is only with one described Mikrotik.
Re: OpenVPN client reports expired certificate even it is valid almost 10 years
Thu Dec 22 13:16:45 2016 us=67242 OpenSSL: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired
See CRL settings in your root certificate and users! He expired!
NewTerminal.
>certificate crl print
E - expired
See CRL settings in your root certificate and users! He expired!
NewTerminal.
>certificate crl print
E - expired
Re: OpenVPN client reports expired certificate even it is valid almost 10 years
I printed all certificates with "certificate print". Only removed fingerprint and changed IP address and company name with <...text...>.Thu Dec 22 13:16:45 2016 us=67242 OpenSSL: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired
See CRL settings in your root certificate and users! He expired!
NewTerminal.
>certificate crl print
E - expired
There are no expired certificates. CLIENT-tpl is template for new client certificate if needed.
Output:
Code: Select all
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
# NAME COMMON-NAME SUBJECT-ALT-NAME
0 K L A T CA <company name>
1 K I SERVER <public IP address>
2 CLIENT-tpl vpnuser
3 K I vpnuser01 vpnuser01
4 K I vpnuser02 vpnuser02
5 K I vpnuser03 vpnuser03
6 K I vpnuser04 vpnuser04
7 K I vpnuser05 vpnuser05
8 K I vpnuser06 vpnuser06
9 K I vpnuser07 vpnuser07
10 K I vpnuser08 vpnuser08
11 K I vpnuser09 vpnuser09
12 K I vpnuser10 vpnuser10
13 K I vpnuser11 vpnuser11
14 K I vpnuser12 vpnuser12
15 K I vpnuser13 vpnuser13
16 K I vpnuser14 vpnuser14
17 K I vpnuser15 vpnuser15
18 K I vpnuser16 vpnuser16
19 K I vpnuser17 vpnuser17
20 K I vpnuser18 vpnuser18
21 K I vpnuser19 vpnuser19
22 K I vpnuser20 vpnuser20Re: OpenVPN client reports expired certificate even it is valid almost 10 years
No.
Comand certificate crl print
!!...
Comand certificate crl print
!!...
I printed all certificates with "certificate print". Only removed fingerprint and changed IP address and company name with <...text...>.Thu Dec 22 13:16:45 2016 us=67242 OpenSSL: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired
See CRL settings in your root certificate and users! He expired!
NewTerminal.
>certificate crl print
E - expired
There are no expired certificates. CLIENT-tpl is template for new client certificate if needed.
Output:
Code: Select allFlags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted # NAME COMMON-NAME SUBJECT-ALT-NAME 0 K L A T CA <company name> 1 K I SERVER <public IP address> 2 CLIENT-tpl vpnuser 3 K I vpnuser01 vpnuser01 4 K I vpnuser02 vpnuser02 5 K I vpnuser03 vpnuser03 6 K I vpnuser04 vpnuser04 7 K I vpnuser05 vpnuser05 8 K I vpnuser06 vpnuser06 9 K I vpnuser07 vpnuser07 10 K I vpnuser08 vpnuser08 11 K I vpnuser09 vpnuser09 12 K I vpnuser10 vpnuser10 13 K I vpnuser11 vpnuser11 14 K I vpnuser12 vpnuser12 15 K I vpnuser13 vpnuser13 16 K I vpnuser14 vpnuser14 17 K I vpnuser15 vpnuser15 18 K I vpnuser16 vpnuser16 19 K I vpnuser17 vpnuser17 20 K I vpnuser18 vpnuser18 21 K I vpnuser19 vpnuser19 22 K I vpnuser20 vpnuser20
Re: OpenVPN client reports expired certificate even it is valid almost 10 years
No certificates are printed:No.
Comand certificate crl print
!!...I printed all certificates with "certificate print". Only removed fingerprint and changed IP address and company name with <...text...>.Thu Dec 22 13:16:45 2016 us=67242 OpenSSL: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired
See CRL settings in your root certificate and users! He expired!
NewTerminal.
>certificate crl print
E - expired
There are no expired certificates. CLIENT-tpl is template for new client certificate if needed.
Output:
Code: Select allFlags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted # NAME COMMON-NAME SUBJECT-ALT-NAME 0 K L A T CA <company name> 1 K I SERVER <public IP address> 2 CLIENT-tpl vpnuser 3 K I vpnuser01 vpnuser01 4 K I vpnuser02 vpnuser02 5 K I vpnuser03 vpnuser03 6 K I vpnuser04 vpnuser04 7 K I vpnuser05 vpnuser05 8 K I vpnuser06 vpnuser06 9 K I vpnuser07 vpnuser07 10 K I vpnuser08 vpnuser08 11 K I vpnuser09 vpnuser09 12 K I vpnuser10 vpnuser10 13 K I vpnuser11 vpnuser11 14 K I vpnuser12 vpnuser12 15 K I vpnuser13 vpnuser13 16 K I vpnuser14 vpnuser14 17 K I vpnuser15 vpnuser15 18 K I vpnuser16 vpnuser16 19 K I vpnuser17 vpnuser17 20 K I vpnuser18 vpnuser18 21 K I vpnuser19 vpnuser19 22 K I vpnuser20 vpnuser20
Code: Select all
# CERT LAST-UPDATE NUM REVOKED URLRe: OpenVPN client reports expired certificate even it is valid almost 10 years
OK.No certificates are printed:Code: Select all# CERT LAST-UPDATE NUM REVOKED URL
All right. Check CRL distribution point of root certificates and server and users.
And read this:
https://en.wikipedia.org/wiki/Certifica ... ation_list
Re: OpenVPN client reports expired certificate even it is valid almost 10 years
@ipavlik
Hello,
I have the same problem. I upgraded version from 6.38.1 to 6.38.3 and now I can't connect via OpenVPN (also from Windows client and from Asus router client):
CA is valid, server's certificate and client's are also valid (there are 10 years valid). When I am turning off client certificate validation, everything work.
I've downgrade to 6.38.1 but not help. The same problem. Maybe someone help me?
Hello,
I have the same problem. I upgraded version from 6.38.1 to 6.38.3 and now I can't connect via OpenVPN (also from Windows client and from Asus router client):
Code: Select all
Thu Mar 02 23:35:20 2017 OpenSSL: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired
Thu Mar 02 23:35:20 2017 OpenSSL: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
Thu Mar 02 23:35:20 2017 TLS_ERROR: BIO read tls_read_plaintext error
Thu Mar 02 23:35:20 2017 TLS Error: TLS object -> incoming plaintext read error
Thu Mar 02 23:35:20 2017 TLS Error: TLS handshake failed
Thu Mar 02 23:35:20 2017 Fatal TLS error (check_tls_errors_co), restarting
Thu Mar 02 23:35:20 2017 TCP/UDP: Closing socket
Thu Mar 02 23:35:20 2017 SIGUSR1[soft,tls-error] received, process restarting
Thu Mar 02 23:35:20 2017 MANAGEMENT: >STATE:1488494120,RECONNECTING,tls-error,,
Thu Mar 02 23:35:20 2017 Restart pause, 5 second(s)I've downgrade to 6.38.1 but not help. The same problem. Maybe someone help me?
Re: OpenVPN client reports expired certificate even it is valid almost 10 years
I've tried generate new 10 years certificates (CA, server and client) from Mikrotik 6.38.5 but without success (the same problem during connection). Anybody has the same issues?
Re: OpenVPN client reports expired certificate even it is valid almost 10 years
Currently I don't have solution and I'm using authentication without client certificates.
Re: OpenVPN client reports expired certificate even it is valid almost 10 years
I've get answer from Support Team:
Now everything is OK.Hello,
You have generated certificates with wrong CRL address.
ca-crl-host="127.0.0.1"
Of coures client will not be able to validate certificate because it cannot get CRL from 127.0.0.1
Best regards,
Maris
--
MikroTik.com
Re: OpenVPN client reports expired certificate even it is valid almost 10 years
It's not my case, I'm using public IP address as the certificate subject.
I've get answer from Support Team:
Now everything is OK.Hello,
You have generated certificates with wrong CRL address.
ca-crl-host="127.0.0.1"
Of coures client will not be able to validate certificate because it cannot get CRL from 127.0.0.1
Best regards,
Maris
--
MikroTik.com
Re: OpenVPN client reports expired certificate even it is valid almost 10 years
The same issue occurred on different router after upgrading from 6.38.5 to 6.39.
But I don't think upgrade affected this issue.
After disabling client cert. authentication on router, I can connect.
Really strange, because handshake fails with server cert only when client cert. authentication is enabled.
Upgrading client to 2.4.1 didn't help.
But I don't think upgrade affected this issue.
After disabling client cert. authentication on router, I can connect.
Really strange, because handshake fails with server cert only when client cert. authentication is enabled.
Upgrading client to 2.4.1 didn't help.
Re: OpenVPN client reports expired certificate even it is valid almost 10 years
So I revoked client certificate on the router and it was reported as revoked instead of expired.
So error handshake error was reported with client cert, not server (log is quite confusing I think).
However, revoked client certificate was valid until the end of may, don't understand why it was reported as expired.
On first router, there are client certificates valid almost 10 years to the future and they are reported as expired.
Generated new client certificate for next 10 years, works well (but maybe to next month
).
So error handshake error was reported with client cert, not server (log is quite confusing I think).
However, revoked client certificate was valid until the end of may, don't understand why it was reported as expired.
On first router, there are client certificates valid almost 10 years to the future and they are reported as expired.
Generated new client certificate for next 10 years, works well (but maybe to next month
).-
-
harambasha
just joined
- Posts: 1
- Joined:
Re: OpenVPN client reports expired certificate even it is valid almost 10 years
Same problem here. It occurred after power failure. Suddenly no one could connect on OpenVPN server after power come back. But when I disable client certificate authentication i started to work.
So, is there solution? How to revoke all certificates and start again? Or is there something better, that i missed
So, is there solution? How to revoke all certificates and start again? Or is there something better, that i missed
Who is online
Users browsing this forum: No registered users and 31 guests