John2

ANSWERED OpenVPN no longer working - VERIFY ERROR:depth=1, error=certificate has expired


Hi,

Please be patient with this - I realise there are lots of posts on this.

Been using OpenVPN since Feb 2022, almost daily (sometimes use Eddie client on a laptop). Not had any problems since Feb 2022. Worked fine last Sunday 7th, on Monday failed with OpenVPN Log message "VERIFY ERROR:depth=1, error=certificate has expired".

Seen the posts on here so have:

1. followed the "run Eddie, uncheck 'remember me' etc." instructions.
2. using OpenVPN Utility, ran 'Remove all downloaded VPN provider files' and 'Delete user key, password and cert files'
3. New log in to your website, created new VPN Device, created new Config files using your Generator and uploaded new Config files
4. run OpenVPN 'wizard' and no change

OpenVPN Log
Wed Apr 10 11:59:44 2024 VERIFY ERROR: depth=1, error=certificate has expired: C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Wed Apr 10 11:59:44 2024 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

user.key and user.crt at service.vpn.manager/AirVPN are new files (i.e. re date/time).

Hope someone can help
Thanks

50 minutes ago, John2 said:

user.key and user.crt at service.vpn.manager/AirVPN are new files (i.e. re date/time).


Hello!

Please check ca.crt. From the couple of log lines you sent us we may speculate that you still have an old ca.crt. It's strange because in February 2022 ca.crt was already the new one with expiration on 2121, so we might be missing something here. Is everything fine with Eddie (do not run OpenVPN at all)? Can we see the complete OpenVPN log and can you tell us your exact Operating System name and version?

Kind regards


 


Thanks for reply.

Looks like the problem is with ca.crt (on a Raspberry Pi running OSMC VERSION_ID="2022.03-1").

At service.vpn.manager/Downloads/AirVPN/ca.crt (which has modified date/time of this morning), the file reads as follows:

pi@Rpi-400:~ $ openssl x509 -in ca.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            8c:d8:43:ef:e4:5f:20:03
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = IT, ST = IT, L = Perugia, O = airvpn.org, CN = airvpn.org CA, emailAddress = info@airvpn.org
        Validity
            Not Before: Apr 11 10:15:45 2014 GMT
            Not After : Apr  8 10:15:45 2024 GMT
        Subject: C = IT, ST = IT, L = Perugia, O = airvpn.org, CN = airvpn.org CA, emailAddress = info@airvpn.org
        etc.
        
Does that mean that you are providing an out of date cert?

Can provide more data as needed - though the problem looks obvious now?? But how to rectify??

Thanks

1 hour ago, John2 said:

Does that mean that you are providing an out of date cert?


Hello!

No. ca.crt emitted in 2021 expires in 2121. You have installed a ca.crt downloaded before 2021: up to the renewal in 2021, ca.crt emitted in 2014 expired in 2024, as you have seen.
 
1 hour ago, John2 said:

Can provide more data as needed - though the problem looks obvious now?? But how to rectify??


Two options:
  1. Please generate a new configuration file in the Configuration Generator with the "Advanced" mode enabled and the "Split certs/keys from ovpn files" checked. Download the generated ca.crt certificate and replace, with it, the old one.
  2. Alternatively, switch to WireGuard.
Kind regards
 


Thanks for reply.

This is where it gets complicated.

1. OpenVPN wants a ta.key (presumably to go with the ca.crt?) at service.vpn.manager/Downloads/AirVPN
But 'Advanced' Config Generator doesn't seem to generate that file, instead it generates tls-crypt.key (not sure here??)

Fixing that looks like a rabbit hole to me!

2. Switching to WireGuard looks to be a better solution long term, but (unless anyone can point to easy install on Raspberry Pi OSMC??) that also looks like a rabbit hole!

While v much respecting AirVPN staff, the problem looks to be that regular Config Gen is including a now out-of-date ca.crt file - as of 8th April. That is, if I delete all VPN files (using  the OpenVPN Utility), new ovpn files from regular Config Gen include the out-of-date ca.crt file. I'm sure there are sound reasons why you don't want to fix that, but for me this seems to mean AirVPN no longer works on my setup, which is a shame.

All help gratefully accepted.

Thanks.

2 hours ago, John2 said:

1. OpenVPN wants a ta.key (presumably to go with the ca.crt?) at service.vpn.manager/Downloads/AirVPN
But 'Advanced' Config Generator doesn't seem to generate that file, instead it generates tls-crypt.key (not sure here??)


Hello!

Please enable "Advanced" mode in the Configuration Generator, pick a connection mode with entry-IP address 1 (one) and check "Split certs/keys from ovpn file". When you generate the configuration you will obtain a ta.key.
 
The reason is that the obsolete TLS Auth mode and the new TLS Crypt mode are mutually incompatible. In order to keep compatibility with old OpenVPN versions we need to differentiate OpenVPN daemons working on TLS Crypt from those working on TLS Auth. In general, OpenVPN responding on VPN servers entry IP addresses 1 and 2 support TLS Auth, while OpenVPN on entry IP addresses 3 and 4 support TLS Crypt.

More details on the technical specifications page https://airvpn.org/specs
 
2 hours ago, John2 said:

2. Switching to WireGuard looks to be a better solution long term, but (unless anyone can point to easy install on Raspberry Pi OSMC??) that also looks like a rabbit hole!


OSMC is a Linux distribution based on Debian and Kodi so installing WireGuard should be a matter of seconds, if it is available in the repos. Since OSMC moved to Bullseye in 2022, you could have WireGuard ready. Try to install it and check.
sudo apt install wireguard-tools
sudo apt install openresolv
If the installation is successful you can follow the instructions for Linux to set up WireGuard in a minute or so,  let us know.

 
2 hours ago, John2 said:

While v much respecting AirVPN staff, the problem looks to be that regular Config Gen is including a now out-of-date ca.crt fil


Of course not! ca.crt was renewed in 2021 with expiration date 2121. Your ca.crt, emitted in 2014 with expiration date 2024, was downloaded before the 2021 renewal. The Configuration Generator has never served an expired certificate.

Kind regards
 


Thank you for comprehensive reply.

I will follow your 'advanced' mode instructions and attempt wireguard install in the morning.

The issue I'm still unclear with is, why is the 2014 ca.crt still a problem? Using the OpenVPN Utility, I 'Remove all downloaded VPN provider files' and 'Delete user key, password and cert files'. I then create new config files (using your Generator), then run the OpenVPN 'wizard'. Is the 2014 ca.crt not deleted and OpenVPN re-uses it? Or is it embedded in the Config Generator ovpn files?

Thanks again for your time.

4 minutes ago, John2 said:

The issue I'm still unclear with is, why is the 2014 ca.crt still a problem? Using the OpenVPN Utility, I 'Remove all downloaded VPN provider files' and 'Delete user key, password and cert files'. I then create new config files (using your Generator), then run the OpenVPN 'wizard'. Is the 2014 ca.crt not deleted and OpenVPN re-uses it? Or is it embedded in the Config Generator ovpn files?


Hello!

The Configuration Generator is (and was) able to generate either separate files or configuration files embedded with certificates and keys, according to your selection. Therefore it is possible that you have a configuration file embedded with the certificate causing the problem. However, from your previous message, it is also visible that you had an expired ca.crt in ~/Downloads/AirVPN

Kind regards
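
Added example (not part of the thread and not AirVPN code): the reply above names two places an old CA can sit, an inline `<ca>` block inside an .ovpn file or a separate ca.crt, and this Python code reads the CA's notAfter date from either one. It parses only the fields up to Validity and checks no signature; the sample configs are constructed, and the month and day of the 2121 date are an assumption.

```python
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
INLINE_CA_RE = re.compile(r"<ca>(.+?)</ca>", re.S)  # certificate embedded in an .ovpn

def _tlv(buf, pos):  # read one DER element -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def ca_not_after(text):
    """notAfter (UTC) of the CA in an .ovpn with inline <ca>, or in a ca.crt."""
    inline = INLINE_CA_RE.search(text)
    pem = PEM_RE.search(inline.group(1) if inline else text)
    if pem is None:
        raise ValueError("no PEM certificate found")
    der = base64.b64decode("".join(pem.group(1).split()))
    _, pos, _ = _tlv(der, 0)            # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)          # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                     # optional [0] version
        pos = end
    for _skipped in ("serialNumber", "signature", "issuer"):
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)          # validity SEQUENCE
    _, _, pos = _tlv(der, pos)          # skip notBefore
    tag, start, end = _tlv(der, pos)    # notAfter
    stamp = der[start:end].decode("ascii")
    if tag == 0x17:                     # UTCTime: two-digit year, 50-99 means 19xx
        stamp = ("19" if stamp[:2] >= "50" else "20") + stamp
    return datetime.strptime(stamp, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def _der(tag, body=b""):
    return bytes([tag, len(body)]) + body  # sample builder only: short-form lengths

def sample_ovpn(tag, not_after):
    """Constructed sample: unsigned certificate skeleton inside an inline <ca> block."""
    validity = _der(0x30, _der(0x17, b"140411101545Z") + _der(tag, not_after))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30) + _der(0x30) + validity)
    body = base64.encodebytes(_der(0x30, tbs)).decode()
    return f"client\n<ca>\n-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n</ca>\n"

OLD = sample_ovpn(0x17, b"240408101545Z")    # UTCTime: end date of the 2014 CA shown in the thread
NEW = sample_ovpn(0x18, b"21210101000000Z")  # GeneralizedTime: constructed date in 2121
```

On real files, pass the file's text to `ca_not_after` and compare the result with `datetime.now(timezone.utc)`; a date in the past matches the "certificate has expired" error at depth=1.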
 


Thanks for reply.

By some coincidence, on powering up Pi OSMC this morning it did a major update (395 files). Don't think I've changed any update settings. Anyway, 'sudo apt install wireguard-tools' now works - it didn't before the update due to some Debian 'stable' release issues (??).

So, now got bored trying to fix OpenVPN - I followed the ta.key instructions, have all the necessary conf and key, cert files but OpenVPN now says 'cannot load private key file' - the file has correct perms and checks ok using openssl.

Instead, as you say, once wireguard is available, it's a cinch. So, goodbye OpenVPN, hello WireGuard

Thanks for your patient help!
