Crypto Warnings

Good day,
I have a problem when I want to create the host certificates. The following error (message) appears "Crypto Warnings
The host certificate is not RFC3280 compliant.
Please update IPFire to the latest version and generate a new root and host certificate as soon as possible.

All OpenVPN clients must then be renewed!"

Why is the IPFIRE is the latest version 174?
DynDNS is also activated on dyndns.org. I don't need it because there is a router in front of IPFire, so why can't I switch it off?

Thanks in advance.

Is it possible to create the root/host certificate externally?
The “Diffie-Hellmann-Parameter-Length” item is not displayed in IPFIRE.

I haven’t used OpenVPN for a long time - but I believe the length is set to 4,096.

This might help for the parameter length:

Yes. And this might help:

FYI - the Wiki needs to be updated!


You should try to open separate threads for different problems; it increases your chances of getting an answer.

In this case, if you go to /Services/Dynamic DNS in the Web User Interface, you should be able to delete the entry by clicking on the trash icon. If you cannot, please provide details to describe what happens.


I cannot understand whether you are saying that you are already at the latest version of IPFire or whether you are asking what the latest version of IPFire is. Please try to be clearer if you want to receive a useful answer and solve your problem with the help of the community.

I suspect that your DH problem is an incomplete certificate generation from the IPFire machine. Yes, you should generate the certificate on a more capable hardware and then upload it to IPFire.

With Dyndns I mean the blue hook as shown in the picture. I can’t change it, it’s always the same. I don’t need it either, so I wanted to disable it.

Thank you for your answers!

What does the command for generating the certificate in the console have to look like (syntax) so that I can then upload it to the IPFIRE?

The section you see labelled Host hinzufuegen is for Add a Host. It is where you add a Dynamic DNS service and the dynamic dns host name.

If you had any Dynamic DNS hosts set up they would be in a table labelled Current hosts. As you don’t have that table then you don’t have any Dynamic Hosts defined.

See the wiki page for details.
https://wiki.ipfire.org/configuration/services/dyndns

The blue checkmark is selected by default but only causes a difference if you enter all the details for a specific dynamic dns service.

You don't upload the command; you run the openssl commands needed to create the kind of CA, certificate etc. that you want, and then you upload the certificate.

Which certificate are you looking at uploading?

The x509 one for the server CA and host or the client certificate?

The CA certificate is uploaded at the bottom of the main OpenVPN page.

The client certificate is uploaded on the Add client road warrior connection page where you can choose to upload a certificate request or a certificate.

As linked by @jon, since CU172 the Diffie-Hellman input is fixed at 4096 bits and you cannot upload your own Diffie-Hellman parameters. See the Blog and its RFC and IPFire Bug references for more details.
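The reply above says to run the openssl commands yourself and upload the result, but does not show them. The following is an added example, not IPFire's code and not taken from this thread: it builds a root CA and a host (server) certificate on a separate machine, with the X.509 v3 extensions a current OpenSSL/OpenVPN expects. The config sections, file names, the hostname fw.example.test, the subject names and the chosen extension set are assumptions for illustration; what IPFire actually requires of an uploaded CA or host certificate is not stated in the thread, so check the wiki before relying on it.

```shell
#!/bin/sh
# Added example, not IPFire's own code: build a root CA and a host (server)
# certificate with X.509 v3 extensions on a separate machine, so the result
# can be uploaded to IPFire. File names, subject names and the extension set
# are assumptions chosen for illustration.

KEY_BITS=${KEY_BITS:-4096}   # RSA key size; the thread mentions 4096 only for DH

# ca_config prints an OpenSSL config for a self-signed CA. The [dn] section
# is left empty because the subject is passed on the command line with -subj.
ca_config() {
    cat <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca

[ dn ]

[ v3_ca ]
basicConstraints       = critical,CA:TRUE
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
EOF
}

# host_extensions HOSTNAME prints the extension file applied when the CA
# signs the host CSR: a v3 end-entity certificate usable as a TLS server.
host_extensions() {
    cat <<EOF
basicConstraints       = CA:FALSE
keyUsage               = critical,digitalSignature,keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = DNS:$1
EOF
}

# make_ca_and_host DIR HOSTNAME writes cakey.pem/cacert.pem and
# hostkey.pem/hostcert.pem into DIR. Returns non-zero if any step fails.
make_ca_and_host() {
    dir=$1 host=$2
    mkdir -p "$dir" || return 1
    ca_config > "$dir/ca.cnf"
    host_extensions "$host" > "$dir/host.ext"

    # 1. self-signed root CA (its private key stays here, never on IPFire)
    openssl req -x509 -new -newkey "rsa:$KEY_BITS" -sha256 -nodes -days 3650 \
        -config "$dir/ca.cnf" -subj "/CN=Example Root CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" || return 1

    # 2. host key and certificate signing request
    openssl req -new -newkey "rsa:$KEY_BITS" -sha256 -nodes \
        -subj "/CN=$host" -keyout "$dir/hostkey.pem" -out "$dir/host.csr" || return 1

    # 3. the CA signs the CSR, attaching the v3 extensions from host.ext
    openssl x509 -req -in "$dir/host.csr" -sha256 -days 825 \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/host.ext" -out "$dir/hostcert.pem" || return 1

    # 4. verify the chain and confirm the host certificate really is v3
    openssl verify -CAfile "$dir/cacert.pem" "$dir/hostcert.pem" || return 1
    openssl x509 -in "$dir/hostcert.pem" -noout -text | grep -q 'Version: 3' || return 1
}

# Usage: sh make-certs.sh /tmp/pki fw.example.test
[ "$#" -eq 2 ] && make_ca_and_host "$1" "$2"
```

The CA key is the sensitive artifact here: only cacert.pem (and, for the host, hostcert.pem plus hostkey.pem) need to travel to the firewall, and a later client certificate can be issued the same way with clientAuth instead of serverAuth in the extension file.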

I installed a test system that seems to be the default setting.

@ Adolf Belka
The x509 certificate to use road warrior.

I suspect that the warning from the first post comes from the fact that the Diffie-Hellmann-Parameter-Length is now standard 4096 for me but the TLS authentication key 2048 bit OpenVPN static key is used.
Can something be out of date?

The TLS authentication key only has the one size of 2048 bit. You can’t choose any other size for it.

From which Core Update have you been seeing this message?

This message originally started back in Core Update 123. The fix was that people needed to recreate the server x509 certificate, which then requires re-creating all client connections. The time this warning would have given a hard problem was when OpenVPN reached version 2.5 which was in Dec 2020 in Core Update 153.
https://community.ipfire.org/t/cryptographic-warning-still-reappears/5275

Have you tried deleting and recreating the server certificate authorities and keys?

Yes, I deleted all the keys and then went to "Delete x509 data"; IPFire does that too. Then I let it recreate them; it's very quick.
But I always get this error message with the "Cryptography warnings
The host certificate is not RFC3280 compliant."
What can be the reason? Can I also delete the x509 data via the console? Or how do I uninstall OpenVPN?

I don’t want to generate any keys for “road warrior” until I have it clean.

Thanks a lot for your help.

Searching through the forum for the message you found it seems that the usual cause has ended up being a file that didn’t get properly updated during a core update somewhere. This is not a problem that everyone is having but some people have experienced it.

As an example see
https://community.ipfire.org/t/solved-openvpn-cant-generate-correct-host-certificate-rfc3280/4321

My own suggestion would be my post in that thread.
https://community.ipfire.org/t/solved-openvpn-cant-generate-correct-host-certificate-rfc3280/4321/4

You need to make the backup after removing the x509 certificate otherwise if you restore from any earlier backup you will again get that previous x509 certificate set.

As a quick check, what date do you have on your system for the /var/ipfire/ovpn/openssl/ovpn.cnf file?
Mine shows the following:-

ls -hal /var/ipfire/ovpn/openssl/
total 12K
drwxr-xr-x 2 nobody nobody 4.0K Jan 17 2018 .
drwxr-xr-x 9 nobody nobody 4.0K Apr 8 21:12 ..
-rw-r--r-- 1 nobody nobody 2.6K Dec 27 15:18 ovpn.cnf


It looks like this to me.
What exactly should I do now to delete the “ovpn.cnf” manually?

ls -hal /var/ipfire/ovpn/openssl/
total 12K
drwxr-xr-x 2 nobody nobody 4.0K May 20 20:37 .
drwxr-xr-x 9 nobody nobody 4.0K May 20 22:08 ..
-rw-r--r-- 1 nobody nobody 2.5K Dec 14  2016 ovpn.cnf

Unfortunately, it is not possible to reinstall on the system.
Is there another way?

Your ovpn.cnf is the version from 2016, and that does not have the x509 extensions that were added back in Core Update 123 in September 2018.

In one of the threads I linked to it mentions that for CU123 the update process worked for the majority of people but for some unknown reason for some people it did not update the ovpn.cnf file.

The simplest thing then for you to try is to replace the ovpn.cnf file in your IPFire system with the latest version.

This can be obtained from:-

https://git.ipfire.org/?p=ipfire-2.x.git;a=tree;f=config/ovpn/openssl;h=97012a034eb89a04b40738fb6d9b1bf532a69326;hb=refs/heads/next

Right click on the ‘raw’ link and select save link as. Then copy that file into your IPFire machine in the correct directory. Make sure that it has the ownership nobody:nobody and the permissions 644

EDIT:-
After you have made that change and recreated the certificate and key it should then work. If it does then make a backup after doing that and remove all the earlier backup files. If you restore from any of them you will put back the certificate and key without the x509 extensions.

Also note that if you have any backups from September 2018 or earlier then those will also restore the ovpn.cnf file. That file was removed from the backup list at that time.

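The procedure in the reply above (copy the new ovpn.cnf into place with ownership nobody:nobody and mode 644, then regenerate the certificate) is easy to get subtly wrong, and the warning only tells you the result is non-compliant, not why. The following is an added example, not IPFire's own code and not from this thread, that installs the file, verifies owner and mode, and then inspects the regenerated host certificate for X.509 v3 extensions. The ovpn.cnf path is the one quoted in the thread; the host certificate path, the extension list checked and the sample certificate text are assumptions, since the thread does not say which extensions IPFire's RFC3280 check looks for.

```shell
#!/bin/sh
# Added example, not IPFire's own code: install a current ovpn.cnf with the
# owner/mode the thread asks for, confirm it landed that way, then inspect the
# regenerated host certificate for X.509 v3 extensions. HOST_CERT and the
# extension list are assumptions; only OVPN_CNF comes from the thread.

OVPN_CNF=/var/ipfire/ovpn/openssl/ovpn.cnf                    # from the thread
HOST_CERT=${HOST_CERT:-/var/ipfire/ovpn/certs/servercert.pem} # assumed location

# install_ovpn_cnf SRC: keep a copy of the old file, then install SRC with
# ownership nobody:nobody and mode 644 (must run as root).
install_ovpn_cnf() {
    cp -p "$OVPN_CNF" "$OVPN_CNF.old" 2>/dev/null
    install -o nobody -g nobody -m 644 "$1" "$OVPN_CNF"
}

# check_file_perms FILE OWNER GROUP MODE: 0 if FILE has exactly that owner,
# group and octal mode, else 1 with a message. Uses GNU/busybox `stat -c`.
check_file_perms() {
    f=$1 want="$2 $3 $4"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    have=$(stat -c '%U %G %a' "$f") || return 1
    [ "$have" = "$want" ] && return 0
    echo "$f: have '$have', want '$want'"
    return 1
}

# check_cert_extensions: reads `openssl x509 -noout -text` output on stdin and
# returns 0 only if the certificate is v3 and carries each listed extension.
# A certificate produced from an old, extension-less ovpn.cnf fails every test.
check_cert_extensions() {
    text=$(cat) rc=0
    case $text in
        *"Version: 3 (0x2)"*) ;;
        *) echo "not an X.509 v3 certificate"; rc=1 ;;
    esac
    for ext in "X509v3 Basic Constraints" "X509v3 Key Usage" \
               "X509v3 Extended Key Usage" "X509v3 Subject Key Identifier"; do
        case $text in
            *"$ext:"*) ;;
            *) echo "missing extension: $ext"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample of what a v1, extension-less host certificate looks like
# in `openssl x509 -text` output; used only for the offline demo below.
SAMPLE_OLD_CERT='Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
        Issuer: CN = example
        Subject: CN = example'

# On the firewall:  sh check-ovpn.sh --run /path/to/new/ovpn.cnf
# (regenerate the root/host certificate in the web interface between the
# install and the certificate check, or run the check on its own afterwards)
if [ "${1:-}" = "--run" ]; then
    [ -n "${2:-}" ] && install_ovpn_cnf "$2"
    check_file_perms "$OVPN_CNF" nobody nobody 644
    openssl x509 -in "$HOST_CERT" -noout -text | check_cert_extensions
else
    printf '%s\n' "$SAMPLE_OLD_CERT" | check_cert_extensions \
        || echo "sample old-style certificate rejected, as expected"
fi
```

Run without arguments it only exercises the checker on the constructed sample; with --run it performs the real install and inspection. If the certificate check still fails after the file is replaced, the certificate was probably generated before the new ovpn.cnf was in place, which is the same trap the reply warns about with old backups.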

All right, I’ll do it. Thanks for your help!

The error message is gone, unfortunately no connection is established.
I’ve tried Linux and Windows. Sign me up in another area.