John2 2 Posted ...

Hi,

Please be patient with this - I realise there are lots of posts on this.

Been using OpenVPN since Feb 2022, almost daily (sometimes use Eddie client on a laptop). Not had any problems since Feb 2022. Worked fine last Sunday 7th, on Monday failed with OpenVPN Log message "VERIFY ERROR:depth=1, error=certificate has expired".

Seen the posts on here so have:

1. followed the "run Eddie, uncheck 'remember me' etc." instructions.
2. using OpenVPN Utility, ran 'Remove all downloaded VPN provider files' and 'Delete user key, password and cert files'
3. New log in to your website, created new VPN Device, created new Config files using your Generator and uploaded new Config files
4. run OpenVPN 'wizard' and no change

OpenVPN Log

    Wed Apr 10 11:59:44 2024 VERIFY ERROR: depth=1, error=certificate has expired: C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
    Wed Apr 10 11:59:44 2024 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

user.key and user.crt at service.vpn.manager/AirVPN are new files (i.e. re date/time).

Hope someone can help

Thanks

Staff 9972 Posted ...

50 minutes ago, John2 said:
> user.key and user.crt at service.vpn.manager/AirVPN are new files (i.e. re date/time).

Hello!

Please check ca.crt. From the couple of log lines you sent us we may speculate that you still have an old ca.crt. It's strange because in February 2022 ca.crt was already the new one with expiration on 2121, so we might be missing something here. Is everything fine with Eddie (do not run OpenVPN at all)? Can we see the complete OpenVPN log and can you tell us your exact Operating System name and version?

Kind regards

John2 2 Posted ...

Thanks for reply.

Looks like the problem is with ca.crt (on a Raspberry Pi running OSMC VERSION_ID="2022.03-1"). At service.vpn.manager/Downloads/AirVPN/ca.crt (which has modified date/time of this morning), the file reads as follows:

    pi@Rpi-400:~ $ openssl x509 -in ca.crt -text -noout
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 8c:d8:43:ef:e4:5f:20:03
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: C = IT, ST = IT, L = Perugia, O = airvpn.org, CN = airvpn.org CA, emailAddress = info@airvpn.org
            Validity
                Not Before: Apr 11 10:15:45 2014 GMT
                Not After : Apr 8 10:15:45 2024 GMT
            Subject: C = IT, ST = IT, L = Perugia, O = airvpn.org, CN = airvpn.org CA, emailAddress = info@airvpn.org

etc.

Does that mean that you are providing an out of date cert?

Can provide more data as needed - thought the problem looks obvious now?? But how to rectify??

Thanks

Staff 9972 Posted ...

1 hour ago, John2 said:
> Does that mean that you are providing an out of date cert?

Hello!

No. ca.crt emitted in 2021 expires in 2121. You have installed a ca.crt downloaded before 2021: up to the renewal in 2021, ca.crt emitted in 2014 expired in 2024, as you have seen.

1 hour ago, John2 said:
> Can provide more data as needed - thought the problem looks obvious now?? But how to rectify??

Two options:

- Please generate a new configuration file in the Configuration Generator with the "Advanced" mode enabled and the "Split certs/keys from ovpn files" checked. Download the generated ca.crt certificate and replace, with it, the old one.
- Alternatively, switch to WireGuard.

Kind regards

John2 2 Posted ...

Thanks for reply.

This is where it gets complicated.

1. OpenVPN wants a ta.key (presumably to go with the ca.crt?) at service.vpn.manager/Downloads/AirVPN But 'Advanced' Config Generator doesn't seem to generate that file, instead it generates tls-crypt.key (not sure here??) Fixing that looks like a rabbit hole to me!

2. Switching to WireGuard looks to be a better solution long term, but (unless anyone can point to easy install on Raspberry Pi OSMC??) that also looks like a rabbit hole!

While v much respecting AirVPN staff, the problem looks to be that regular Config Gen is including a now out-of-date ca.crt file - as of 8th April. That is, if I delete all VPN files (using the OpenVPN Utility), new ovpn files from regular Config Gen include the out-of-date ca.crt file.

I'm sure there are sound reasons why you don't want to fix that, but for me this seems to mean AirVPN no longer works on my setup, which is a shame.

All help gratefully accepted.

Thanks.

Staff 9972 Posted ...

2 hours ago, John2 said:
> 1. OpenVPN wants a ta.key (presumably to go with the ca.crt?) at service.vpn.manager/Downloads/AirVPN But 'Advanced' Config Generator doesn't seem to generate that file, instead it generates tls-crypt.key (not sure here??)

Hello!

Please enable "Advanced" mode in the Configuration Generator, pick a connection mode with entry-IP address 1 (one) and check "Split certs/keys from ovpn file". When you generate the configuration you will obtain a ta.key.

The reason is that the obsolete TLS Auth mode and the new TLS Crypt mode are mutually incompatible. In order to keep compatibility with old OpenVPN versions we need to differentiate OpenVPN daemons working on TLS Crypt from those working on TLS Auth. In general, OpenVPN responding on VPN servers entry IP addresses 1 and 2 support TLS Auth, while OpenVPN on entry IP addresses 3 and 4 support TLS Crypt. More details on the technical specifications page https://airvpn.org/specs

2 hours ago, John2 said:
> 2. Switching to WireGuard looks to be a better solution long term, but (unless anyone can point to easy install on Raspberry Pi OSMC??) that also looks like a rabbit hole!

OSMC is a Linux distribution based on Debian and Kodi so installing WireGuard should be a matter of seconds, if it is available in the repos. Since OSMC moved to Bullseye in 2022, you could have WireGuard ready. Try to install it and check.

    sudo apt install wireguard-tools
    sudo apt install openresolv

If the installation is successful you can follow the instructions for Linux to set up WireGuard in a minute or so, let us know.

2 hours ago, John2 said:
> While v much respecting AirVPN staff, the problem looks to be that regular Config Gen is including a now out-of-date ca.crt fil

Of course not! ca.crt was renewed in 2021 with expiration date 2121. Your ca.crt, emitted in 2014 with expiration date 2024, was downloaded before the 2021 renewal. The Configuration Generator has never served an expired certificate.

Kind regards

John2 2 Posted ...

Thank you for comprehensive reply. I will follow your 'advanced' mode instructions and attempt wireguard install in the morning.

The issue I'm still unclear with is, why is the 2014 ca.crt still a problem? Using the OpenVPN Utility, I 'Remove all downloaded VPN provider files' and 'Delete user key, password and cert files'. I then create new config files (using your Generator), then run the OpenVPN 'wizard'. Is the 2014 ca.crt not deleted and OpenVPN re-uses it. Or is it embedded in the Config Generator ovpn files?

Thanks again for your time.

Staff 9972 Posted ...

4 minutes ago, John2 said:
> The issue I'm still unclear with is, why is the 2014 ca.crt still a problem? Using the OpenVPN Utility, I 'Remove all downloaded VPN provider files' and 'Delete user key, password and cert files'. I then create new config files (using your Generator), then run the OpenVPN 'wizard'. Is the 2014 ca.crt not deleted and OpenVPN re-uses it. Or is it embedded in the Config Generator ovpn files?

Hello!

The Configuration Generator is (and was) able to generate either separate files or configuration files embedded with certificates and keys, according to your selection. Therefore it is possible that you have a configuration file embedded with the certificate causing the problem. However, from your previous message, it is also visible that you had an expired ca.crt in ~/Downloads/AirVPN

Kind regards

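Both places named in the reply above, a stand-alone ca.crt and a certificate embedded in an .ovpn file, can be checked for expiry in one pass. The following is an added example, not part of the thread or of AirVPN's tooling; it assumes the openssl command-line tool is installed and takes the profile directory as its argument, and the function and script names are hypothetical.

```sh
#!/bin/sh
# Added example: report the expiry of every certificate OpenVPN could load
# from a profile directory, whether split out (*.crt) or inlined in an .ovpn.

# Print the PEM text found between <ca> and </ca> in an .ovpn profile.
inline_ca() {
    sed -n '/^<ca>/,/^<\/ca>/p' "$1" | sed '/^<\/*ca>/d'
}

# cert_state PEM_FILE [SECONDS]
# Prints "expired", "expiring" (within SECONDS, default 30 days) or "ok",
# followed by the notAfter date. Only the first certificate in the file is read.
cert_state() {
    end=$(openssl x509 -in "$1" -noout -enddate 2>/dev/null) ||
        { echo "unreadable"; return 0; }
    end=${end#notAfter=}
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo "expired $end"
    elif ! openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null 2>&1; then
        echo "expiring $end"
    else
        echo "ok $end"
    fi
}

# scan_dir DIR [SECONDS]: one status line per certificate found in DIR.
scan_dir() {
    tmp=$(mktemp) || return 1
    for f in "$1"/*.crt "$1"/*.ovpn; do
        [ -f "$f" ] || continue
        case $f in
            *.ovpn)
                inline_ca "$f" > "$tmp"
                [ -s "$tmp" ] || continue   # profile points at external files
                echo "$f (inline <ca>): $(cert_state "$tmp" "$2")" ;;
            *)
                echo "$f: $(cert_state "$f" "$2")" ;;
        esac
    done
    rm -f "$tmp"
}

# Run as: sh check_ca.sh /path/to/profile/dir  (script name is hypothetical)
[ "$#" -eq 0 ] || scan_dir "$@"
```
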
John2 2 Posted ...

Thanks for reply.

By some coincidence, on powering up Pi OSMC this morning it did a major update (395 files). Don't think I've changed any update settings. Anyway, 'sudo apt install wireguard-tools' now works - it didn't before the update due to some Debian 'stable' release issues (??).

So, now got bored trying to fix OpenVPN - I followed the ta.key instructions, have all the necessary conf and key, cert files but OpenVPN now says 'cannot load private key file' - the file has correct perms and checks ok using openssl.

Instead, as you say, once wireguard is available, it's a cinch.

So, goodbye OpenVPN, hello WireGuard

Thanks for your patient help!