OpenVPN error 256 new install

This is a new install of 183.
In trying to generate root/host certificates it returns error 256.
The Hash is SHA512 and Encryption is AES-GCM 512

I am using names with no spaces.
I can’t start OpenVPN Server until this works.
What to do?
Thanks

See post

https://community.ipfire.org/t/openvpn-fails-to-generate-server-certificate/11128

and bug report

https://bugzilla.ipfire.org/show_bug.cgi?id=13595

Where is ovpnmain.cgi?

In /srv/web/ipfire/cgi-bin/

However I would recommend making the changes in
/var/ipfire/ovpn/openssl/ovpn.cnf
as defined in the patch submission in the bug report.

This will be the change that will be implemented into the next Core Update.

Commenting out those 2 lines mentioned in the bug report gets it working.
Thanks

I guess I spoke too soon. The Certificate Authorities and Key were generated without error. I created a RW and n2n each without error.
When I tried to implement the RW it failed with Activation of network connection failed on my Linux box.
In Windows it looks like it doesn’t accept the password.
The n2n looked like it worked but would not route traffic.
The home and OpenVPN screens on the server say n2n is connected. On the remote system (mine), the Home screen says connected. The OpenVPN screen does not show a status.
I rebuilt the config files a few times in case of typos.
Thanks

A little more information:
The Windows log file says:
OpenSSL: error:0A000086:SSL routines::certificate verify failed:
2024-02-19 14:46:10 TLS_ERROR: BIO read tls_read_plaintext error
2024-02-19 14:46:10 TLS Error: TLS object → incoming plaintext read error
2024-02-19 14:46:10 TLS Error: TLS handshake failed
2024-02-19 14:46:10 Closing DCO interface

One more piece of info.
I removed the comment from line 1887 and now the login works.
I will stop being annoying now.
Thanks

I am presuming that line 1887 is related to ovpnmain.cgi

Line 1887 should never be commented out in that code.

I want to be sure that my patch is properly working before it gets merged.

I don’t have any windows systems at all so the only check I was able to do was with a linux laptop.

Can you confirm that with the default ovpnmain.cgi code and the removal of the two lines from ovpn.cnf your Windows client works correctly?

I am going to also do a check with my android phone as a client just to be super sure.

I have reconfirmed with a new VM clone that removing those two lines from the ovpn.cnf file allows my RW connections to a Linux laptop and to an Android phone to both work without problems.

Also created a new N2N connection from a system with the new root/host certificate connecting to an existing system that was created with the old system prior to OpenSSL-3.2.

The N2N connection worked without problems.

Then created a new N2N client end where I created a new root/host certificate set with OpenSSL-3.2.1 and that N2N connection also worked without any problems.

I am feeling confident now that for Linux and Android the fix is fine.

If you can confirm that this is also the case for your Windows client, that would be good.

In
https://bugzilla.ipfire.org/show_bug.cgi?id=13595
he was talking about commenting out lines 1870 and 1887 of ovpnmain.cgi, or so I thought.
When I commented out those 2 lines I could create the certificates but I couldn't log in. When I removed the comment from line 1887 I could still create the certificates and I could log in. This worked in Linux and Windows. It also worked with n2n.

I couldn’t figure out what to change in
/var/ipfire/ovpn/openssl/ovpn.cnf
Thanks for your help

I installed a fresh installation of IPFire CU 184 on a virtual machine.
I commented out two lines in the /var/ipfire/ovpn/openssl/ovpn.cnf file

edit:
in the [ server ] section.

# subjectKeyIdentifier = hash
# authorityKeyIdentifier = keyid,issuer:always

Effect:

I was able to generate OpenVPN root/host certificates.
I was able to create a RW connection.
The OpenVPN Community 2.6.9 client on Windows 10 Pro 22H2 connected without issue.

Best Regards.

These two lines are under both [ usr_cert ] and [ server ]. Which of these did you comment out? Or did you comment out both?

Only remove those two lines in the server section.

In the bug report patch it shows only the lines in the server section being removed.
https://git.ipfire.org/?p=ipfire-2.x.git;a=blobdiff;f=config/ovpn/openssl/ovpn.cnf;h=bfa7ad744c086aa54d83240c1b8fd23f3945f985;hp=96c3dcb09dbbe99354ee24370c9844f4570bd72a;hb=16d664b2bd4cb546cc2f1d5b7f36b2983f93f5d3;hpb=0c051ce27903e9d18c8ee247d92535c633ef93a2

Thank you Adolf Belka for the fast answer and help. It works.
And thanks to @tphz !

Best regards

Sergio

What two lines in /var/ipfire/ovpn/openssl/ovpn.cnf? There are only about 100 lines in that file (nowhere near 1807 or 1877) and nothing under the [server] section matches with anything people here have talked about. I am soooo confused.

Hi.

This:

Lines 87 and 88 in the "[ server ]" section.

Bye.

Lines 1807 and 1877 that were mentioned by other people relate to a different file. Leave that file alone.

If you are unfamiliar or uncomfortable with editing files based on the output from a patch listing, then the simplest and safest approach is:

  • wait for Core Update 185 to be released as it has the fix built in and then install OpenVPN.
  • if you have to install OpenVPN now then re-install Core Update 182, restore from your backup and then install OpenVPN.

Or copy the file from another IPFire.

BR.

That won't work, as then the two lines will still be in the file.

The bug is that those two lines should never have been in the server section but in the past openssl just ignored the lines being there. A recent update of openssl had a bug fix which now will give an error if those lines are used for the CSR of the host certificate.
