Crypto Warnings

Good day,
I have a problem when I want to create the host certificates. The following error (message) appears "Crypto Warnings
The host certificate is not RFC3280 compliant.
Please update IPFire to the latest version and generate a new root and host certificate as soon as possible.

All OpenVPN clients must then be renewed!"

Why is the IPFIRE is the latest version 174?
Dyndns is also activated on I don’t need it because there is a router in front of the IPFIRE, why can’t I switch it off?

Thanks in advance.

Is it possible to create the root/host certificate externally?
The “Diffie-Hellmann-Parameter-Length” item is not displayed in IPFIRE.

I haven’t used OpenVPN for a long time - but I believe the length is set to 4,096.

This might help for the parameter length:

Yes. And this might help:

FYI - the Wiki needs to be updated!


you should try to open separate threads for different problems, it increases your chances to get an answer.

In this case, if you go to /Services/Dynamic DNS in the Web User Interface, you should be able to delete the entry by clicking on the trash icon. If you cannot, please provide details to describe what happens.

1 Like

I cannot understand if you are saying that you are already at the last version of IPFire or if you are asking what is the last version of IPFire. Please try to be more clear if you want to receive an useful answer and try to solve your problem with the help of the community.

I suspect that your DH problem is an incomplete certificate generation from the IPFire machine. Yes, you should generate the certificate on a more capable hardware and then upload it to IPFire.

With Dyndns I mean the blue hook as shown in the picture. I can’t change it, it’s always the same. I don’t need it either, so I wanted to disable it.

Thank you for your answers!

What does the command for generating the certificate in the console have to look like (syntax) so that I can then upload it to the IPFIRE?

The section you see labelled Host hinzufuegen is for Add a Host. It is where you add a Dynamic DNS service and the dynamic dns host name.

If you had any Dynamic DNS hosts set up they would be in a table labelled Current hosts. As you don’t have that table then you don’t have any Dynamic Hosts defined.

See the wiki page for details.

The blue checkmark is selected by default but only causes a difference if you enter all the details for a specific dynamic dns service.

You don’t upload the command, you run the openssl commands you want to create the type of ca, certificate etc and then you upload the certificate.

Which certificate are you looking at uploading.

The x509 one for the server CA and host or the client certificate?

The CA certificate is uploaded at the bottom of the main OpenVPN page.

The client certificate is uploaded on the Add client road warrior connection page where you can choose to upload a certificate request or a certificate.

As linked by @jon , since CU172 the diffie hellman input is fixed at 4096 bits and you can not upload your own diffie hellman input. See the Blog and its RFC and IPFire Bug references for more details.

I installed a test system that seems to be the default setting.

@ Adolf Belka
The x509 certificate to use road warrior.

I suspect that the warning from the first post comes from the fact that the Diffie-Hellmann-Parameter-Length is now standard 4096 for me but the TLS authentication key 2048 bit OpenVPN static key is used.
Can something be out of date?

The TLS authentication key only has the one size of 2048 bit. You can’t choose any other size for it.

From which Core Update have you been seeing this message.

This message originally started back in Core Update 123. The fix was that people needed to recreate the server x509 certificate, which then requires re-creating all client connections. The time this warning would have given a hard problem was when OpenVPN reached version 2.5 which was in Dec 2020 in Core Update 153.

Have you tried to delete and recreate the server certificate authorities and keys.

Yes, I deleted all the keys and then go to “Delete x509 data” IPFIRE does that too, then I let you recreate it, it’s very quick.
But I always get this error message with the "Cryptography warnings
The host certificate is not RFC3280 compliant. "
What can be the reason, can I also delete the x509 data via the console? Or how to uninstall OPEVPN?

I don’t want to generate any keys for “road warrior” until I have it clean.

Thanks a lot for your help.

Searching through the forum for the message you found it seems that the usual cause has ended up being a file that didn’t get properly updated during a core update somewhere. This is not a problem that everyone is having but some people have experienced it.

As an example see

My own suggestion would be my post in that thread.

You need to make the backup after removing the x509 certificate otherwise if you restore from any earlier backup you will again get that previous x509 certificate set.

As a quick check what date do you have on your system for the /var/ipfire/ovpn/openssl/ovpn.cnf file.
Mine shows the following:-

ls -hal /var/ipfire/ovpn/openssl/
total 12K
drwxr-xr-x 2 nobody nobody 4.0K Jan 17 2018 .
drwxr-xr-x 9 nobody nobody 4.0K Apr 8 21:12 …
-rw-r–r-- 1 nobody nobody 2.6K Dec 27 15:18 ovpn.cnf

1 Like

It looks like this to me.
What exactly should I do now to delete the “ovpn.cnf” manually?

ls -hal /var/ipfire/ovpn/openssl/
total 12K
drwxr-xr-x 2 nobody nobody 4.0K May 20 20:37 .
drwxr-xr-x 9 nobody nobody 4.0K May 20 22:08 ..
-rw-r--r-- 1 nobody nobody 2.5K Dec 14  2016 ovpn.cnf

Unfortunately, it is not possible to reinstall on the system.
Is there another way?

You have the ovpn.cnf version is from 2016 and that does not have the x509 extensions that were added in back in Core Update 123 in Sept 2018.

In one of the threads I linked to it mentions that for CU123 the update process worked for the majority of people but for some unknown reason for some people it did not update the ovpn.cnf file.

The simplest thing then for you to try is to replace the ovpn.cnf file in your IPFire system with the latest version.

This can be obtained from:-;a=tree;f=config/ovpn/openssl;h=97012a034eb89a04b40738fb6d9b1bf532a69326;hb=refs/heads/next

Right click on the ‘raw’ link and select save link as. Then copy that file into your IPFire machine in the correct directory. Make sure that it has the ownership nobody:nobody and the permissions 644

After you have made that change and recreated the certificate and key it should then work. If it does then make a backup after doing that and remove all the earlier backup files. If you restore from any of them you will put back the certificate and key without the x509 extensions.

Also note that if you have any backups from sept 2018 or earlier then those will also restore the ovpn.cnf file. That file was removed from the backup list at that time.

1 Like

All right, I’ll do it. Thanks for your help!

The error message is gone, unfortunately no connection is established.
I’ve tried Linux and Windows. Sign me up in another area.