I have a problem when I want to create the host certificates. The following error (message) appears "Crypto Warnings
The host certificate is not RFC3280 compliant.
Please update IPFire to the latest version and generate a new root and host certificate as soon as possible.
All OpenVPN clients must then be renewed!"
Why is the IPFIRE is the latest version 174?
Dyndns is also activated on dyndns.org. I don’t need it because there is a router in front of the IPFIRE; why can’t I switch it off?
You should try to open separate threads for different problems; it increases your chances of getting an answer.
In this case, if you go to /Services/Dynamic DNS in the Web User Interface, you should be able to delete the entry by clicking on the trash icon. If you cannot, please provide details to describe what happens.
I cannot understand if you are saying that you are already at the last version of IPFire or if you are asking what is the last version of IPFire. Please try to be more clear if you want to receive a useful answer and try to solve your problem with the help of the community.
I suspect that your DH problem is an incomplete certificate generation from the IPFire machine. Yes, you should generate the certificate on more capable hardware and then upload it to IPFire.
You don’t upload the command; you run the openssl commands you want to create the type of CA, certificate, etc., and then you upload the certificate.
Which certificate are you looking at uploading?
The x509 one for the server CA and host or the client certificate?
The CA certificate is uploaded at the bottom of the main OpenVPN page.
The client certificate is uploaded on the Add client road warrior connection page where you can choose to upload a certificate request or a certificate.
As linked by @jon, since CU172 the Diffie-Hellman input is fixed at 4096 bits and you cannot upload your own Diffie-Hellman input. See the Blog and its RFC and IPFire Bug references for more details.
I installed a test system that seems to be the default setting.
@ Adolf Belka
The x509 certificate to use road warrior.
I suspect that the warning from the first post comes from the fact that the Diffie-Hellman parameter length is now standard 4096 for me but the TLS authentication key 2048 bit OpenVPN static key is used.
Can something be out of date?
The TLS authentication key only has the one size of 2048 bit. You can’t choose any other size for it.
From which Core Update have you been seeing this message?
This message originally started back in Core Update 123. The fix was that people needed to recreate the server x509 certificate, which then requires re-creating all client connections. The time this warning would have given a hard problem was when OpenVPN reached version 2.5 which was in Dec 2020 in Core Update 153. https://community.ipfire.org/t/cryptographic-warning-still-reappears/5275
Have you tried to delete and recreate the server certificate authorities and keys?
Yes, I deleted all the keys and then went to “Delete x509 data”. IPFIRE does that too, then I let you recreate it; it’s very quick.
But I always get this error message with the "Cryptography warnings
The host certificate is not RFC3280 compliant."
What can be the reason? Can I also delete the x509 data via the console? Or how to uninstall OpenVPN?
I don’t want to generate any keys for “road warrior” until I have it clean.
Searching through the forum for the message you found it seems that the usual cause has ended up being a file that didn’t get properly updated during a core update somewhere. This is not a problem that everyone is having but some people have experienced it.
Right click on the ‘raw’ link and select save link as. Then copy that file into your IPFire machine in the correct directory. Make sure that it has the ownership nobody:nobody and the permissions 644.
After you have made that change and recreated the certificate and key it should then work. If it does then make a backup after doing that and remove all the earlier backup files. If you restore from any of them you will put back the certificate and key without the x509 extensions.
Also note that if you have any backups from Sept 2018 or earlier then those will also restore the ovpn.cnf file. That file was removed from the backup list at that time.