After updating, OpenVPN client doesn't connect to the server

NethServer Version: NethServer release 7.3.1611 (Final)
Module: OpenVPN

After updating NS, OpenVPN client doesn’t connect to the server.

I noted this error in the log file /var/log/openvpn/openvpn.log:
Wed Apr 12 16:19:34 2017 xxx.xxx.xxx.xxx:50849 OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Wed Apr 12 16:19:34 2017 xxx.xxx.xxx.xxx:50849 TLS_ERROR: BIO read tls_read_plaintext error
Wed Apr 12 16:19:34 2017 xxx.xxx.xxx.xxx:50849 TLS Error: TLS object -> incoming plaintext read error
Wed Apr 12 16:19:34 2017 xxx.xxx.xxx.xxx:50849 TLS Error: TLS handshake failed
Wed Apr 12 16:19:34 2017 xxx.xxx.xxx.xxx:50849 SIGUSR1[soft,tls-error] received, client-instance restarting

Before the update everything was working normally.

What has the update altered?

Maybe the system tls certificate has been recreated. Check with:
openssl x509 -in /etc/pki/tls/certs/NSRV.crt -text | grep Not
If true, looking in /var/log/messages could lead to the source of the problem.

This is the output of the verification:

# openssl x509 -in /etc/pki/tls/certs/NSRV.crt -text | grep Not
            Not Before: Dec 14 16:16:34 2016 GMT
            Not After : Dec 12 16:16:34 2026 GMT

What should I look for in /var/log/messages?

In OpenVPN > Accounts, the configured users were no longer present. I added the users back, downloaded the certificates and replaced them on the client, but I keep getting the error.

I do not understand what could have happened in the update phase. Before, it worked perfectly.

The certificate has not been recreated.
Could you please upload your /var/log/messages somewhere? I don’t know what to look for.

Here the log files you asked.

Your system-date jumped, openvpn has issues when time moves forward, please restart the openvpn service (or the whole system).

I have previously rebooted both the whole system and the OpenVPN service, with no positive outcome.

In the client log I found this error:

Wed Apr 12 20:14:30 2017 OpenVPN 2.4.1 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Mar 22 2017
Wed Apr 12 20:14:30 2017 Windows version 6.2 (Windows 8 or greater) 64bit
Wed Apr 12 20:14:30 2017 library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.09
Enter Management Password:
Wed Apr 12 20:14:30 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Wed Apr 12 20:14:30 2017 Need hold release from management interface, waiting...
Wed Apr 12 20:14:30 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Wed Apr 12 20:14:31 2017 MANAGEMENT: CMD 'state on'
Wed Apr 12 20:14:31 2017 MANAGEMENT: CMD 'log all on'
Wed Apr 12 20:14:31 2017 MANAGEMENT: CMD 'echo all on'
Wed Apr 12 20:14:31 2017 MANAGEMENT: CMD 'hold off'
Wed Apr 12 20:14:31 2017 MANAGEMENT: CMD 'hold release'
Wed Apr 12 20:14:37 2017 MANAGEMENT: CMD 'username "Auth" "pasquale.inglese"'
Wed Apr 12 20:14:37 2017 MANAGEMENT: CMD 'password [...]'
Wed Apr 12 20:14:37 2017 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Apr 12 20:14:37 2017 MANAGEMENT: >STATE:1492020877,RESOLVE,,,,,,
Wed Apr 12 20:14:37 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]143.225.193.186:1194
Wed Apr 12 20:14:37 2017 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed Apr 12 20:14:37 2017 UDP link local: (not bound)
Wed Apr 12 20:14:37 2017 UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
Wed Apr 12 20:14:37 2017 MANAGEMENT: >STATE:1492020877,WAIT,,,,,,
Wed Apr 12 20:14:37 2017 MANAGEMENT: >STATE:1492020877,AUTH,,,,,,
Wed Apr 12 20:14:37 2017 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:1194, sid=59575009 700bc14b
Wed Apr 12 20:14:37 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Apr 12 20:14:37 2017 VERIFY OK: ***domain specification***
Wed Apr 12 20:15:37 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Apr 12 20:15:37 2017 TLS Error: TLS handshake failed
Wed Apr 12 20:15:37 2017 SIGUSR1[soft,tls-error] received, process restarting
Wed Apr 12 20:15:37 2017 MANAGEMENT: >STATE:1492020937,RECONNECTING,tls-error,,,,,

The error is repeated in a loop, and the client’s status remains yellow and does not connect.

I think we need to look in /var/log/openvpn/openvpn.log.
Nothing relevant found in messages.

I have a roadwarrior config with little customization (443 over TCP), broken after the update (updated both nethserver-openvpn to 1.4.8 and openvpn to 2.4.1, and other packages…)

It seems to be a problem related to openvpn 2.4.1, or at least it is for my installation.
Check if in /var/log/openvpn/openvpn.log you see something like
VERIFY ERROR: depth=0, error=CRL has expired: C=-- …

Some more info:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849909
http://openvpn-users.narkive.com/cnKIxSVg/2-4-error-crl-has-expired

This fixed my problem, on ns7:
# /usr/bin/openssl ca -gencrl -out /var/lib/nethserver/certs/crl.pem -config /var/lib/nethserver/certs/ca.cnf

Hope this helps for now, but I think we should look deeper into how 2.4 manages CRLs…

4 Likes

Thank you @dz00te.

Then a possible interim workaround would be yum downgrade openvpn.

Could you show the output of openssl crl -in /var/lib/nethserver/certs/crl.pem -text ?

Probably yes, I didn’t test it, but I tried a rollback, it says something like “openvpn 2.3 not available” so I can’t go back (and that’s why I searched for a solution :grin: )

This is the regenerated one… does it mean I should regenerate it within 30 days, right?

Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: /CN=NethServer/O=Example Org/ST=SomeState/OU=Main/emailAddress=root@partedmagic./C=–/L=Hometown
        Last Update: Apr 13 08:26:23 2017 GMT
        Next Update: May 13 08:26:23 2017 GMT
        CRL extensions:
            X509v3 CRL Number:
                4
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Sep 23 17:17:10 2016 GMT
    Serial Number: 02
        Revocation Date: Sep 23 17:20:37 2016 GMT
[…]

Probably yes. The hint from Steffan is

you should give your CRLs a large nextUpdate value

I’ll try to reproduce the problem, I think I have enough information.

1 Like
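Added example, written for this thread and not part of NethServer or OpenVPN: a stdlib-only Python check that parses the output of `openssl crl -in /var/lib/nethserver/certs/crl.pem -text` (the form dz00te posted above) and reports whether the CRL's Next Update has already passed, which is what OpenVPN 2.4's `VERIFY ERROR: ... CRL has expired` is complaining about. It also covers Steffan's hint about a large nextUpdate value by warning when the CRL is about to expire, so a cron job can regenerate it before clients start failing. The sample CRL text, the 7-day warning threshold and the `utc()` helper are my constructions; `openssl ca -gencrl` does accept `-crldays` to set the validity period, but the path and config file in the comment are the ones from this thread.

```python
"""Check an OpenVPN CRL for expiry using the text form printed by
`openssl crl -text`. Added example for this thread, not NethServer code.
Usage: openssl crl -in /var/lib/nethserver/certs/crl.pem -text | python3 crlcheck.py
"""
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample, modelled on the CRL dumps posted in the thread:
# Next Update is one month after Last Update, so by 12 Apr 2017 it is expired.
SAMPLE_CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: /CN=NethServer/O=Example Org/OU=Main/C=US
        Last Update: Mar  3 02:31:59 2017 GMT
        Next Update: Apr  2 02:31:59 2017 GMT
        CRL extensions:
            X509v3 CRL Number:
                1
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Sep 23 17:17:10 2016 GMT
    Serial Number: 02
        Revocation Date: Sep 23 17:20:37 2016 GMT
"""

_UPDATE_RE = re.compile(r"^\s*(Last Update|Next Update):\s*(.+?)\s*$", re.M)
_SERIAL_RE = re.compile(r"^\s*Serial Number:\s*([0-9A-Fa-f]+)", re.M)


def utc(s):
    """Helper (my construction): 'YYYY-MM-DD HH:MM:SS' -> aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_openssl_time(s):
    """openssl prints e.g. 'Apr  2 02:31:59 2017 GMT'; collapse the day padding."""
    s = " ".join(s.split())
    return datetime.strptime(s, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def parse_crl_text(text):
    """Extract validity window and revoked serials from `openssl crl -text` output."""
    fields = dict(_UPDATE_RE.findall(text))
    if "Last Update" not in fields or "Next Update" not in fields:
        raise ValueError("not an `openssl crl -text` dump: Update fields missing")
    return {
        "last_update": parse_openssl_time(fields["Last Update"]),
        "next_update": parse_openssl_time(fields["Next Update"]),
        "revoked": _SERIAL_RE.findall(text),
    }


def crl_status(text, now, warn_days=7):
    """Return (state, days_left, info). state is 'expired', 'expiring' or 'ok'.

    OpenVPN 2.4 rejects every client certificate once `now` is past Next Update,
    so 'expiring' is the point at which the CRL should be regenerated, e.g. with
    `openssl ca -gencrl -crldays 365 -out /var/lib/nethserver/certs/crl.pem \
        -config /var/lib/nethserver/certs/ca.cnf` (paths from the thread).
    """
    info = parse_crl_text(text)
    remaining = info["next_update"] - now
    if remaining <= timedelta(0):
        state = "expired"
    elif remaining <= timedelta(days=warn_days):
        state = "expiring"
    else:
        state = "ok"
    return state, remaining.days, info


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CRL_TEXT
    state, days, info = crl_status(text, datetime.now(timezone.utc))
    print(f"CRL {state}: next update {info['next_update']:%Y-%m-%d %H:%M:%S} UTC "
          f"({days} days left), {len(info['revoked'])} revoked serial(s)")
    sys.exit(1 if state == "expired" else 0)
```

The script exits non-zero on an expired CRL so it can double as a monitoring check; pipe the real CRL dump into it, or run it with no stdin to see the constructed sample evaluated.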

Sorry, I can’t reproduce because if I install openvpn on a clean ns7 now, it installs 2.4.1 directly…
tnx

I have checked in /var/log/openvpn/openvpn.log and there is the same error:

VERIFY ERROR: depth = 0, error = CRL has expired: C = ...

@filippo_carletti can I give you more info before I try to regenerate the certificate?

Problem temporarily solved!

@dz00te thank you!

No, thanks.
Please confirm that a new CRL fixes the problem for you, too.

Yup, same error here in my servers.

I also found this link, just to better understand the origin of the problem:
https://community.openvpn.net/openvpn/changeset/160504a2955c4478cd2c0323452929e07016a336

And this one can also be useful… lots of changes in 2.4.1
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24

2 Likes

I was a little leery of that update, for other reasons, hence this question.

And here’s my expired CRL:

[root@Nethserver ~]# openssl crl -in /var/lib/nethserver/certs/crl.pem -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: /CN=NethServer/O=BogoLinux/ST=CA/emailAddress=admin@BogoLinux.net/subjectAltName=*.BogoLinux.net/OU=Main/C=US/L=Los Angeles
        Last Update: Mar  3 02:31:59 2017 GMT
        Next Update: Apr  2 02:31:59 2017 GMT
        CRL extensions:
            X509v3 CRL Number:
                1
No Revoked Certificates.
---  snip ---

Cheers.

1 Like