I need help. After yesterday's update I can't connect to the certificate VPN

Hello :smile:
I need help. Yesterday I connected with my VPN certificate to my NethServer and installed the latest updates. While it was installing I was disconnected. I had to log on locally and my server works fine… but when I try to log on with the VPN I see this message:

Fri Feb 26 07:03:40 2016 OpenVPN 2.3.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Dec  1 2014
Fri Feb 26 07:03:40 2016 library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.08
Fri Feb 26 07:03:40 2016 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Fri Feb 26 07:03:40 2016 Need hold release from management interface, waiting...
Fri Feb 26 07:03:41 2016 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Fri Feb 26 07:03:41 2016 MANAGEMENT: CMD 'state on'
Fri Feb 26 07:03:41 2016 MANAGEMENT: CMD 'log all on'
Fri Feb 26 07:03:41 2016 MANAGEMENT: CMD 'hold off'
Fri Feb 26 07:03:41 2016 MANAGEMENT: CMD 'hold release'
Fri Feb 26 07:03:49 2016 MANAGEMENT: CMD 'username "Auth" "xxxxxx"'
Fri Feb 26 07:03:49 2016 MANAGEMENT: CMD 'password [...]'
Fri Feb 26 07:03:49 2016 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Feb 26 07:03:49 2016 Socket Buffers: R=[65536->65536] S=[65536->65536]
Fri Feb 26 07:03:49 2016 UDPv4 link local: [undef]
Fri Feb 26 07:03:49 2016 UDPv4 link remote: [AF_INET]xx.x.xx.xx:1194
Fri Feb 26 07:03:49 2016 MANAGEMENT: >STATE:1456466629,WAIT,,,
Fri Feb 26 07:03:49 2016 MANAGEMENT: >STATE:1456466629,AUTH,,,
Fri Feb 26 07:03:49 2016 TLS: Initial packet from [AF_INET]xx.x.xx.xx:1194, sid=74a8a6f8 0b535604
Fri Feb 26 07:03:49 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Feb 26 07:03:49 2016 VERIFY ERROR: depth=0, error=self signed certificate: CN=xxxxx, O=xxx, ST=xxxxx, OU=xxxxxx, emailAddress=xxxxxxxx@xxxxx.pl, C=PL, subjectAltName=xxxxxxxx.local, L=xxxxx
Fri Feb 26 07:03:49 2016 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Fri Feb 26 07:03:49 2016 TLS Error: TLS object -> incoming plaintext read error
Fri Feb 26 07:03:49 2016 TLS Error: TLS handshake failed
Fri Feb 26 07:03:49 2016 SIGUSR1[soft,tls-error] received, process restarting
Fri Feb 26 07:03:49 2016 MANAGEMENT: >STATE:1456466629,RECONNECTING,tls-error,,
Fri Feb 26 07:03:49 2016 Restart pause, 2 second(s) 

I rebooted the server but still nothing :frowning:
Please help.

Hi, please redownload the client certificate.

OK, I will try.

Okay, I downloaded the cert and now it stays on this:

Fri Feb 26 13:03:46 2016 OpenVPN 2.3.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Dec  1 2014
Fri Feb 26 13:03:46 2016 library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.08
Fri Feb 26 13:03:46 2016 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Fri Feb 26 13:03:46 2016 Need hold release from management interface, waiting...
Fri Feb 26 13:03:46 2016 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Fri Feb 26 13:03:46 2016 MANAGEMENT: CMD 'state on'
Fri Feb 26 13:03:46 2016 MANAGEMENT: CMD 'log all on'
Fri Feb 26 13:03:46 2016 MANAGEMENT: CMD 'hold off'
Fri Feb 26 13:03:46 2016 MANAGEMENT: CMD 'hold release'
Fri Feb 26 13:03:51 2016 MANAGEMENT: CMD 'username "Auth" "xxxx"'
Fri Feb 26 13:03:51 2016 MANAGEMENT: CMD 'password [...]'
Fri Feb 26 13:03:51 2016 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Feb 26 13:03:51 2016 Socket Buffers: R=[65536->65536] S=[65536->65536]
Fri Feb 26 13:03:51 2016 UDPv4 link local: [undef]
Fri Feb 26 13:03:51 2016 UDPv4 link remote: [AF_INET]xx.x.xx.xx:1194
Fri Feb 26 13:03:51 2016 MANAGEMENT: >STATE:1456488231,WAIT,,,
Fri Feb 26 13:03:52 2016 MANAGEMENT: >STATE:1456488232,AUTH,,,
Fri Feb 26 13:03:52 2016 TLS: Initial packet from [AF_INET]xx.x.xx.xx:1194, sid=925db396 7e6bf1aa
Fri Feb 26 13:03:52 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Feb 26 13:03:52 2016 VERIFY OK: depth=0, CN=xxxxx, O=xxx, ST=xxxx, OU=xxxx, emailAddress=xxxxx@mbp-radomsko.pl, C=PL, subjectAltName=xxxx.local, L=xxxx

and it stays there and nothing more happens.

I made a new user and cert and this one works…
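A small triage script for the two client logs above, added here as an illustration and not posted by anyone in the thread. The sample lines are constructed from those logs, and the `triage` function and its finding codes are names made up for this example.

```python
import re

# Constructed sample lines modelled on the two client logs posted in this thread.
FAILED = (
    "Fri Feb 26 07:03:49 2016 WARNING: No server certificate verification method has been enabled.\n"
    "Fri Feb 26 07:03:49 2016 VERIFY ERROR: depth=0, error=self signed certificate: CN=vpn.example, C=PL\n"
    "Fri Feb 26 07:03:49 2016 TLS Error: TLS handshake failed\n"
)
STALLED = (
    "Fri Feb 26 13:03:51 2016 WARNING: No server certificate verification method has been enabled.\n"
    "Fri Feb 26 13:03:52 2016 VERIFY OK: depth=0, CN=vpn.example, C=PL\n"
)

# "Www Mmm dd hh:mm:ss yyyy <message>"; the day may be space-padded ("Dec  1").
LINE = re.compile(r"^\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4} (.*)$")
VERIFY_ERR = re.compile(r"^VERIFY ERROR: depth=(\d+), error=([^:]+):")

def triage(log_text):
    """Return (code, detail) findings for one OpenVPN client connection attempt."""
    findings = []
    verify_ok = failed = completed = False
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an OpenVPN client log line
        msg = m.group(1)
        err = VERIFY_ERR.match(msg)
        if msg.startswith("WARNING: No server certificate verification method"):
            findings.append(("no-server-cert-check",
                             "client config has no remote-cert-tls or similar check"))
        elif err:
            findings.append(("verify-error",
                             f"depth={err.group(1)}: {err.group(2)}; "
                             "client CA does not vouch for the server certificate"))
            failed = True
        elif msg.startswith("VERIFY OK:"):
            verify_ok = True
        elif msg.startswith("TLS Error: TLS handshake failed"):
            findings.append(("handshake-failed", "TLS handshake aborted"))
            failed = True
        elif "Initialization Sequence Completed" in msg:
            completed = True
    # Second log in the thread: certificate accepted, then the log simply stops.
    if verify_ok and not failed and not completed:
        findings.append(("stalled-after-verify",
                         "server certificate accepted but the session never came up"))
    return findings

if __name__ == "__main__":
    for name, log in (("failed", FAILED), ("stalled", STALLED)):
        print(name, triage(log))
```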

Hi, it is a known issue, search the forum more deeply.

So I found this post, but there it was written that it did not work from the beginning. Mine worked, and after the update it has stopped working. Maybe someone knows if it has something to do with it? Is it an update problem?

As a workaround you can do chattr +i on the openvpn certificate

OK, I'll try, but can you tell me why the cert is down after the update?

They were regenerated but user certs stayed unchanged, that is why there is a misconfig.

Could you look up which RPMs you updated in the yum logs? It will be a start to discover something.

sure:

Feb 25 15:52:17 Updated: clamav-db-0.99-3.el6.x86_64
Feb 25 15:52:18 Updated: clamav-0.99-3.el6.x86_64
Feb 25 15:52:19 Updated: clamd-0.99-3.el6.x86_64
Feb 25 15:52:19 Updated: nethserver-antivirus-1.1.5-1.ns6.noarch
Feb 25 15:52:20 Updated: nethserver-lsm-1.1.1-1.ns6.noarch
Feb 25 15:52:22 Updated: nethserver-firewall-base-2.10.2-1.ns6.noarch
Feb 25 15:52:23 Updated: nethserver-firewall-base-ui-2.10.2-1.ns6.noarch
Feb 25 15:52:24 Updated: nethserver-ipsec-1.1.5-1.ns6.noarch
Feb 25 15:52:25 Updated: nethserver-squidclamav-1.2.0-1.ns6.noarch
Feb 25 15:52:25 Updated: nethserver-lang-en-1.0.18-1.ns6.noarch
Feb 25 15:52:26 Updated: nethserver-dnsmasq-1.5.6-1.ns6.noarch
Feb 25 15:52:27 Updated: nethserver-collectd-1.2.1-1.ns6.noarch  

That's all :slight_smile:

You updated ipsec, which is a VPN, but I guess that you use openvpn; maybe the error could come from here, even so I must admit that I don't understand why.

Anyway, it is a bug, either from you (sorry) or from NethServer; however, it is not 'acceptable' and must be found.

You should open a bug for it.

If you are referring to my issue: VPN Issue for users created before certificate re-generation, then I don't think this is the same. Different errors generated.

I installed the same updates and can continue to connect correctly via OpenVPN. I don't see any certificates in /var/lib/nethserver/certs, /etc/pki/tls/certs, or /etc/pki/tls/private being updated since I did my last change to VPN certs over a month ago.

Cheers.

Thanks for all the replies.
Maybe this will point you in the right direction: I updated the NethServer while connected remotely via OpenVPN. During the update, at around 62%, the connection was broken. I had to drive to the location (about 20 minutes) and connect locally. The update was successful, but from that moment I could only connect locally (only the VPN cert was broken; proxy and other services run properly). A restart did not solve the problem, and neither did downloading a new certificate. Only creating a new cert did :frowning:
That's all

Please, next time you MUST use screen for this purpose; even if the connection is lost, the terminal is not closed and thus the update process will continue.

My 2c

I never update my VPN because I select those providers which update their VPN automatically. I have tried other VPNs which create problems while configuring. I think if this problem still exists then you should go for australia vpn - Ivacy, which makes you anonymous from data retention, only charged 2.50/month.

Happy to see you here man, welcome!
Sorry but I can't get your reply, we're talking about NethServer VPN here. Why are you referring to "providers"?