Fedora 23 - unable to verify OpenVPN certificate after update

asked 2015-12-18 04:10:56 -0500 by shimon001

updated 2015-12-20 22:52:03 -0500 by mether

Hi all, after the latest update of my Fedora 23 I have encountered a problem using my OpenVPN connection (it worked just fine 2 days ago).

When I check the NetworkManager log (journalctl -u NetworkManager.service -e), I can see this error log:

Dec 18 11:00:01 localhost.localdomain nm-openvpn[7114]: library versions: OpenSSL 1.0.2e-fips 3 Dec 2015, LZO 2.08
Dec 18 11:00:01 localhost.localdomain nm-openvpn[7114]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Dec 18 11:00:01 localhost.localdomain nm-openvpn[7114]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 18 11:00:01 localhost.localdomain nm-openvpn[7114]: Control Channel Authentication: using '/some_path/tls-auth.txt' as a OpenVPN static key file
Dec 18 11:00:01 localhost.localdomain nm-openvpn[7114]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Dec 18 11:00:01 localhost.localdomain nm-openvpn[7114]: UDPv4 link local: [undef]
Dec 18 11:00:01 localhost.localdomain nm-openvpn[7114]: UDPv4 link remote: [AF_INET]SOME_IP:2004
Dec 18 11:00:02 localhost.localdomain nm-openvpn[7114]: VERIFY ERROR: depth=0, error=certificate signature failure: C=XYZ, ST=XYZ, L=XXX, O=XXX XXX, CN=server, emailAddress=www@xxxzzzz.cz
Dec 18 11:00:02 localhost.localdomain nm-openvpn[7114]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Dec 18 11:00:02 localhost.localdomain nm-openvpn[7114]: TLS Error: TLS object -> incoming plaintext read error
Dec 18 11:00:02 localhost.localdomain nm-openvpn[7114]: TLS Error: TLS handshake failed
Dec 18 11:00:02 localhost.localdomain nm-openvpn[7114]: SIGUSR1[soft,tls-error] received, process restarting

Here are screenshots of my OpenVPN configuration:

##############################################
# client-side OpenVPN 2.0 config file        #
# for connecting to multi-client server.     #
##############################################

client
dev tun
proto udp
remote SOME_IP
resolv-retry infinite
nobind
persist-key
persist-tun
;
ca ca.crt
cert client.crt
key client.key
;
ns-cert-type server
;remote-cert-tls server
tls-auth tls-auth.txt 1
;
route-method exe
route-delay 2
;
comp-lzo
verb 3

Any help is appreciated.

Update:

I have also tried to move the certificate files to ~/.certs but with no success.

Then I tried to add the self-signed certificate as trusted using

sudo cp ~/.certs/ca.crt /etc/pki/ca-trust/source/anchors/

and

sudo update-ca-trust

but with no success at all.


Comments

Isn't this the same problem as in https://ask.fedoraproject.org/en/ques... ?

casep ( 2015-12-18 06:30:34 -0500 )

3 Answers

answered 2016-01-04 06:46:47 -0500 by shimon001

I have found the solution on this forum. The post describes the same issue on CentOS 7, but it looks like it's the same issue on Fedora 23 and OpenVPN 2.3.8.

The problem is that MD5 certificate encryption is not allowed in this version.

To allow it, edit /usr/lib/systemd/system/NetworkManager.service and add the following line after [Service]:

Environment="OPENSSL_ENABLE_MD5_VERIFY=1 NSS_HASH_ALG_SUPPORT=+MD5"

then reload:

systemctl daemon-reload

and restart the NetworkManager service:

systemctl restart NetworkManager.service

Comments

Saved my day

yanoo ( 2016-01-11 08:22:25 -0500 )

FYI, the file /usr/lib/systemd/system/NetworkManager.service gets rewritten after an update, so you may need to insert the line again.

Mira ( 2016-11-08 09:27:51 -0500 )
answered 2016-03-18 08:02:29 -0500 by tstate

Thanks. Works perfectly.

But I would rather disable MD5 on the server side. In my case this is a Windows installation with OpenVPN 2.3.10 installed. Can anyone point me in the right direction?

So far: openssl x509 -in ca.crt -text -> Signature Algorithm: sha1WithRSAEncryption (I cannot easily change the server key)

And I changed my key from openssl x509 -in myold.crt -text -> Signature Algorithm: md5WithRSAEncryption

to openssl x509 -in mynew.crt -text -> Signature Algorithm: sha256WithRSAEncryption

But still no luck :(
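The check tstate is doing by hand with openssl x509, and the MD5 cause named in the accepted answer, as an added example that is not from this thread: read the signatureAlgorithm OID straight out of each PEM file and flag certificates signed with MD5. It parses the DER itself, so it needs no openssl binary; the three sample certificates are constructed skeletons (dummy tbsCertificate, real signatureAlgorithm field), not real ones.

```python
import base64
import re

# OIDs of the RSA signature algorithms mentioned in this thread
SIG_ALGS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

def _tlv(data, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER contents (base-128 arcs) into dotted form."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(pem):
    """Algorithm named in the certificate's outer signatureAlgorithm field."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S).group(1)
    der = base64.b64decode("".join(body.split()))
    _, cert, _ = _tlv(der, 0)               # Certificate ::= SEQUENCE
    _, _, pos = _tlv(cert, 0)               # tbsCertificate, skipped
    _, algid, _ = _tlv(cert, pos)           # signatureAlgorithm ::= AlgorithmIdentifier
    tag, oid, _ = _tlv(algid, 0)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    dotted = _decode_oid(oid)
    return SIG_ALGS.get(dotted, dotted)

def rejected_certs(certs, rejected=("md5WithRSAEncryption",)):
    """{name: algorithm} for every PEM in certs signed with a digest the updated OpenSSL refuses."""
    found = {name: signature_algorithm(pem) for name, pem in certs.items()}
    return {n: a for n, a in found.items() if a in rejected}

# Constructed sample certificates (skeletons, not real certs): dummy tbsCertificate,
# real signatureAlgorithm, dummy signature BIT STRING. Short-form DER lengths only.
def _der(tag, body):
    return bytes([tag, len(body)]) + body

def _sample_cert(oid_der):
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, oid_der) + b"\x05\x00")   # algorithm + NULL params
    der = _der(0x30, tbs + alg + _der(0x03, b"\x00" + b"\xaa" * 8))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01"   # DER of the 1.2.840.113549.1.1 prefix
SAMPLE = {"ca.crt": _sample_cert(RSA + b"\x05"),      # sha1WithRSAEncryption
          "myold.crt": _sample_cert(RSA + b"\x04"),   # md5WithRSAEncryption
          "mynew.crt": _sample_cert(RSA + b"\x0b")}   # sha256WithRSAEncryption
```

On a real deployment point rejected_certs at the PEM files the client config references (ca.crt, client.crt) plus the server certificate; anything it reports is what the VERIFY ERROR in the log is about, and the fix is reissuing that certificate with SHA-256 rather than re-enabling MD5.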

answered 2016-09-25 01:08:21 -0500 (community wiki)

Thanks, this solved my problem. I am using Fedora 24 and with this solution I can't connect to my VPN. Thanks.
