dperson / openvpn-client

GNU Affero General Public License v3.0

Format error in certificate's notBefore field #364

Open fmoledina opened 3 years ago

fmoledina commented 3 years ago

I've been using this Docker image with AirVPN for the past year without any issues using the generated .ovpn files from their site. With the latest images published yesterday, I now get the following errors when trying to start the container:

docker-compose logs -t --tail 50 ovpn:

ovpn             | 2021-01-15T15:40:30.174556483Z Setup forwarded port: 15000 tcp
ovpn             | 2021-01-15T15:40:30.259004324Z Dump terminated
ovpn             | 2021-01-15T15:40:30.277144094Z + exec sg vpn -c 'openvpn --cd /vpn --config /vpn/vpn.conf --script-security 2 --redirect-gateway def1 --route-up '\''/bin/sh -c " iptables -A OUTPUT -d 127.0.0.11 -j ACCEPT"'\'' --route-pre-down '\''/bin/sh -c " iptables -D OUTPUT -d 127.0.0.11 -j ACCEPT"'\''                 '
ovpn             | 2021-01-15T15:40:30.325482687Z 2071-04-24 20:26:40 OpenVPN 2.5.0 armv6-alpine-linux-musleabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 26 2020
ovpn             | 2021-01-15T15:40:30.325587770Z 2071-04-24 20:26:16 library versions: OpenSSL 1.1.1i  8 Dec 2020, LZO 2.10
ovpn             | 2021-01-15T15:40:30.325718811Z 2071-04-24 20:23:36 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
ovpn             | 2021-01-15T15:40:30.333609223Z 2071-04-24 20:01:44 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
ovpn             | 2021-01-15T15:40:30.333772347Z 2071-04-24 20:01:44 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
ovpn             | 2021-01-15T15:40:30.333831139Z 2071-04-24 20:01:44 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
ovpn             | 2021-01-15T15:40:30.333877722Z 2071-04-24 20:01:44 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
ovpn             | 2021-01-15T15:40:30.333932346Z 2071-04-24 20:20:08 TCP/UDP: Preserving recently used remote address: [AF_INET]37.120.132.93:443
ovpn             | 2021-01-15T15:40:30.333983138Z 2071-04-24 20:19:20 Socket Buffers: R=[180224->360448] S=[180224->360448]
ovpn             | 2021-01-15T15:40:30.334031471Z 2071-04-24 20:21:28 UDP link local: (not bound)
ovpn             | 2021-01-15T15:40:30.334076762Z 2071-04-24 20:21:28 UDP link remote: [AF_INET]37.120.132.93:443
ovpn             | 2021-01-15T15:40:30.411898309Z 2071-04-24 20:21:44 TLS: Initial packet from [AF_INET]37.120.132.93:443, sid=5d52b4f0 d8e44911
ovpn             | 2021-01-15T15:40:30.503774274Z 2071-04-24 20:06:16 VERIFY ERROR: depth=1, error=format error in certificate's notBefore field: C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org, serial=10148936457887096835
ovpn             | 2021-01-15T15:40:30.503925940Z 2071-04-24 20:19:04 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
ovpn             | 2021-01-15T15:40:30.503982565Z 2071-04-24 20:19:28 TLS_ERROR: BIO read tls_read_plaintext error
ovpn             | 2021-01-15T15:40:30.504058773Z 2071-04-24 20:20:00 TLS Error: TLS object -> incoming plaintext read error
ovpn             | 2021-01-15T15:40:30.504103564Z 2071-04-24 20:20:00 TLS Error: TLS handshake failed
ovpn             | 2021-01-15T15:40:30.504950226Z 2071-04-24 20:26:08 SIGUSR1[soft,tls-error] received, process restarting
ovpn             | 2021-01-15T15:40:30.505030809Z 2071-04-24 20:23:36 Restart pause, 5 second(s)

Not sure why the timestamps are in the year 2071.

docker-compose.yml snippet:

version: '3.7'
services:
  ovpn:
    image: dperson/openvpn-client
    restart: unless-stopped
    ports:
      - 8000:8000
    dns:
      - 1.1.1.2
      - 1.0.0.2
    cap_add:
      - NET_ADMIN
    devices:
      - '/dev/net/tun:/dev/net/tun:rwm'
    environment:
      FIREWALL: ''
      PUID: 1000
      PGID: 1000
      ROUTE: '192.168.0.0/16'
      VPNPORT: 15000
    networks:
      - prodnet
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
    read_only: true
    tmpfs:
      - /run
      - /tmp
    security_opt:
      - label:disable
    stdin_open: true
    tty: true
    volumes:
      - type: bind
        source: ./AirVPN_US-LosAngeles_Teegarden_UDP-443-Entry3.ovpn
        target: /vpn/vpn.conf

I've tried creating a new config at AirVPN specifying OpenVPN >= 2.5 but I get the same error. A snippet of this new config is below:

# --------------------------------------------------------
# Air VPN | https://airvpn.org | Friday 15th of January 2021 03:27:44 PM
# OpenVPN Client Configuration
# AirVPN_US-LosAngeles_Teegarden_UDP-443-Entry3
# --------------------------------------------------------

client
dev tun
remote 37.120.132.93 443
resolv-retry infinite
nobind
persist-key
persist-tun
auth-nocache
verb 3
explicit-exit-notify 5
rcvbuf 262144
sndbuf 262144
push-peer-info
setenv UV_IPV6 yes
remote-cert-tls server
comp-lzo no
data-ciphers AES-256-GCM:AES-256-CBC:AES-192-GCM:AES-192-CBC:AES-128-GCM:AES-128-CBC
data-ciphers-fallback AES-256-CBC
proto udp
auth SHA512

Let me know what other information I can provide. Thanks!
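As an added example (not from the issue or the dperson/openvpn-client project), a log check that separates a real certificate problem from the clock skew visible above: `docker-compose logs -t` prints the Docker daemon's (host) timestamp first and OpenVPN's own (container-clock) timestamp second, so a gap of years together with a `notBefore`/`notAfter` VERIFY ERROR points at the container clock rather than the CA. The sample log lines are constructed in the shape of the ones posted above.

```python
"""Flag OpenVPN 'notBefore'/'notAfter' verify errors caused by a wrong clock.

Added example, not code from the issue or the project. Input is the output
of `docker-compose logs -t`: host timestamp, then OpenVPN's timestamp.
"""
import re
from datetime import datetime

# Constructed sample shaped like the issue's log (CA subject shortened).
SAMPLE_LOG = """\
ovpn | 2021-01-15T15:40:30.325482687Z 2071-04-24 20:26:40 OpenVPN 2.5.0 armv6-alpine-linux-musleabihf [SSL (OpenSSL)]
ovpn | 2021-01-15T15:40:30.503774274Z 2071-04-24 20:06:16 VERIFY ERROR: depth=1, error=format error in certificate's notBefore field: CN=example CA
ovpn | 2021-01-15T15:40:30.503925940Z 2071-04-24 20:19:04 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
"""

LINE_RE = re.compile(
    r"^\S+\s*\|\s*"
    r"(?P<host>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.\d+Z\s+"  # docker -t stamp (host clock)
    r"(?P<ctr>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"        # OpenVPN stamp (container clock)
    r"(?P<msg>.*)$"
)
# Validity-window failures: the only verify errors a bad clock can produce.
VERIFY_RE = re.compile(r"VERIFY ERROR: .*certificate's (notBefore|notAfter)")


def analyse(log: str, max_skew_s: int = 86400) -> dict:
    """Return worst host/container skew (seconds), the count of time-related
    VERIFY ERRORs, and whether the clock explains them (skew > max_skew_s)."""
    worst = 0
    time_verify_errors = 0
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host = datetime.strptime(m["host"], "%Y-%m-%dT%H:%M:%S")
        ctr = datetime.strptime(m["ctr"], "%Y-%m-%d %H:%M:%S")
        worst = max(worst, abs(int((ctr - host).total_seconds())))
        if VERIFY_RE.search(m["msg"]):
            time_verify_errors += 1
    return {
        "worst_skew_s": worst,
        "time_verify_errors": time_verify_errors,
        "clock_is_cause": worst > max_skew_s and time_verify_errors > 0,
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```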

bradmurray commented 3 years ago

I am seeing this same problem on one of my containers. Checking the date on the container gives me

Sun Jan  0 00:100:4174038  1900

and the logs are showing the date as 2071, so with the clock very wrong it is reporting all certs as being either too early or expired.

rackey12 commented 3 years ago

I am seeing the same issue. I was thinking that it is also to do with the date being so far out. I have only started trying to set up the container and have not been able to run it properly yet, so I am looking to try and get some help. I think the first issue to resolve is this time issue.

2071-06-05 17:02:40 TLS_ERROR: BIO read tls_read_plaintext error
2071-06-05 17:03:12 TLS Error: TLS handshake failed
2071-06-05 17:03:12 TLS Error: TLS object -> incoming plaintext read error
2071-06-05 17:02:16 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2071-06-05 17:04:40 UDP link remote: [AF_INET]217.138.195.163:1194
2071-06-05 16:49:28 VERIFY ERROR: depth=1, error=format error in certificate's notBefore field: CN=Privado, serial=14657979451860672462
2071-06-05 17:04:56 TLS: Initial packet from [AF_INET]217.138.195.163:1194, sid=0183460b 2f5472ec
2071-06-05 17:04:40 UDP link local: (not bound)
2071-06-05 17:02:32 Socket Buffers: R=[180224->180224] S=[180224->180224]
2071-06-05 17:09:20 SIGUSR1[soft,tls-error] received, process restarting
2071-06-05 17:06:48 Restart pause, 300 second(s)
2071-06-05 17:03:20 TCP/UDP: Preserving recently used remote address: [AF_INET]217.138.195.163:1194
2071-06-05 17:05:28 TCP/UDP: Preserving recently used remote address: [AF_INET]217.138.195.163:1194

fmoledina commented 3 years ago

After doing some digging, this is likely related to the Alpine 3.13 release and its impact on Debian-Buster-based distros on 32-bit ARM hardware (including Ubuntu 20.04). I'm using an Odroid HC2 with Ubuntu 20.04 (i.e. armhf) and that's where this issue has surfaced for me.

See the following links:

The musl-1.2 upgrade changed the definition of time_t to 64-bits on all arches. This affects armhf, armv7 and x86. See the musl time64 release notes and the wiki for more information.

I was able to build an image based on the Dockerfile.armhf using the arm32v6/alpine:3.12.3 base image.