idlab-discover / easy-openvpn-server

Plug-and-play OpenVPN server which generates server and client config files for you
https://snapcraft.io/easy-openvpn-server
GNU Affero General Public License v3.0

VERIFY ERROR: depth=0, error=CRL is not yet valid #14

Open rustamabdullaev-maandag opened 2 years ago

rustamabdullaev-maandag commented 2 years ago

Server: Debian 11 amd64

su
snap install easy-openvpn-server
easy-openvpn-server setup
snap set easy-openvpn-server tcp-server.port=8200
snap restart easy-openvpn-server
easy-openvpn-server show-client default > default.ovpn

Client: Windows 10

Install OpenVPN x64, add default.ovpn (comment out UDP connection), click "Connect"

Client logs:

WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
OpenVPN 2.5.5 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Dec 15 2021
Windows version 10.0 (Windows 10 or greater) 64bit
library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10
MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Need hold release from management interface, waiting...
MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
MANAGEMENT: CMD 'state on'
MANAGEMENT: CMD 'log all on'
MANAGEMENT: CMD 'echo all on'
MANAGEMENT: CMD 'bytecount 5'
MANAGEMENT: CMD 'hold off'
MANAGEMENT: CMD 'hold release'
Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
TCP/UDP: Preserving recently used remote address: [AF_INET]<redacted>:8200
Socket Buffers: R=[65536->65536] S=[65536->65536]
Attempting to establish TCP connection with [AF_INET]<redacted>:8200 [nonblock]
MANAGEMENT: >STATE:1646412932,TCP_CONNECT,,,,,,
TCP connection established with [AF_INET]<redacted>:8200
TCP_CLIENT link local: (not bound)
TCP_CLIENT link remote: [AF_INET]<redacted>:8200
MANAGEMENT: >STATE:1646412932,WAIT,,,,,,
MANAGEMENT: >STATE:1646412932,AUTH,,,,,,
TLS: Initial packet from [AF_INET]<redacted>:8200, sid=36e253c5 9a299d19
VERIFY OK: depth=1, C=BE, ST=East Flanders, L=Ghent, O=Easy OpenVPN Server, CN=easy-openvpn-server CA
VERIFY KU OK
Validating certificate extended key usage
++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
VERIFY EKU OK
VERIFY OK: depth=0, C=BE, ST=East Flanders, L=Ghent, O=Easy OpenVPN Server, CN=easy-openvpn-server Server
Connection reset, restarting [-1]
SIGUSR1[soft,connection-reset] received, process restarting
MANAGEMENT: >STATE:1646412932,RECONNECTING,connection-reset,,,,,
Restart pause, 5 second(s)

Server logs:

OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 19 2021
library versions: OpenSSL 1.1.1  11 Sep 2018, LZO 2.08
WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
TUN/TAP device tun1 opened
do_ifconfig, tt->did_ifconfig_ipv6_setup=1
/sbin/ip link set dev tun1 up mtu 1500
/sbin/ip addr add dev tun1 local 10.120.113.1 peer 10.120.113.2
/sbin/ip -6 addr add fd51:32ce:981e:bfa5::1/64 dev tun1
setsockopt(IPV6_V6ONLY=0)
UDPv6 link local (bound): [AF_INET6][undef]:8200
UDPv6 link remote: [AF_UNSPEC]
GID set to snap_daemon
UID set to snap_daemon
Initialization Sequence Completed
TCP connection established with [AF_INET6]::ffff:<redacted>:53330
<redacted> WARNING: Failed to stat CRL file, not (re)loading CRL.
<redacted> VERIFY ERROR: depth=0, error=CRL is not yet valid: C=BE, ST=East Flanders, L=Ghent, O=Easy OpenVPN Server, CN=default
<redacted> OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
<redacted> TLS_ERROR: BIO read tls_read_plaintext error
<redacted> TLS Error: TLS object -> incoming plaintext read error
<redacted> TLS Error: TLS handshake failed
<redacted> Fatal TLS error (check_tls_errors_co), restarting

What am I doing wrong?

viktorprogger commented 2 years ago

The same issue. I've googled everything, but didn't even find the path to the CRL file.

viktorprogger commented 2 years ago

This one is fixed. The problem is that the config directory is placed under /root/snap/easy-openvpn-server, which is not readable for the daemon. One of the solutions (not the best) is to set 755 permission to all directories in the path to the crl.pem.

markmb88 commented 2 years ago

> This one is fixed. The problem is that the config directory is placed under /root/snap/easy-openvpn-server, which is not readable for the daemon. One of the solutions (not the best) is to set 755 permission to all directories in the path to the crl.pem.

Thank you, but it did not solve the issue for me

rustyx commented 11 months ago

Still an issue in Debian 12, easy-openvpn-server v.0.2 rev. 121, and indeed it's NOT a permission issue.

The error is actually correct: the CRL is not yet valid.

It is currently:

$ date
Mon 20 Nov 21:29:55 UTC 2023

While the CRL contains:

# openssl crl -noout -text -in /root/snap/easy-openvpn-server/121/crl.pem
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = BE, ST = East Flanders, L = Ghent, O = Easy OpenVPN Server, CN = easy-openvpn-server CA
        Last Update: Nov 20 23:59:53 2023 GMT
        Next Update: Oct 27 23:59:53 2123 GMT

merlijn-sebrechts commented 11 months ago

Thank you, it seems there is an issue when your server is not using UTC. Let me look at how to fix it.
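The diagnosis in rustyx's comment comes down to comparing the CRL's `Last Update` stamp against the server's UTC clock: OpenSSL rejects a CRL whose lastUpdate lies in the future, and a CRL written by a host whose local wall-clock time was labelled GMT will land a few hours ahead of real UTC. The following script is an added example, not code from easy-openvpn-server or from anyone in this thread; it parses the text that `openssl crl -noout -text` prints, classifies the CRL as valid, not yet valid or expired for a given UTC time, and flags the small-skew pattern seen above. The sample CRL text and the reference time are taken from rustyx's output; the "local time stamped as GMT" hint is a heuristic of this example, not something OpenSSL reports.

```python
"""Check an X.509 CRL's validity window against a UTC timestamp.

Added example (not part of the easy-openvpn-server project). It reads the
"Last Update" / "Next Update" lines of `openssl crl -noout -text` output and
reports whether a verifier running at `now` would accept the CRL, reject it
as "not yet valid" (X509_V_ERR_CRL_NOT_YET_VALID), or reject it as expired.
"""
import re
import sys
from datetime import datetime, timedelta, timezone

# Timestamp format OpenSSL uses in CRL text output, e.g. "Nov 20 23:59:53 2023 GMT".
_OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"
_UPDATE_LINE = re.compile(r"^\s*(Last|Next) Update:\s*(.+?)\s*$", re.MULTILINE)

# Sample copied from the issue thread: `date` on the server said 21:29:55 UTC
# while the CRL it had generated claimed a lastUpdate of 23:59:53 GMT that day.
SAMPLE_CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = BE, ST = East Flanders, L = Ghent, O = Easy OpenVPN Server, CN = easy-openvpn-server CA
        Last Update: Nov 20 23:59:53 2023 GMT
        Next Update: Oct 27 23:59:53 2123 GMT
"""
SERVER_NOW = datetime(2023, 11, 20, 21, 29, 55, tzinfo=timezone.utc)


def parse_crl_window(crl_text):
    """Return (last_update, next_update) as aware UTC datetimes.

    next_update is None when OpenSSL prints "Next Update: NONE" (the field is
    optional in a CRL). Raises ValueError if the Last Update line is missing.
    """
    found = {m.group(1): m.group(2) for m in _UPDATE_LINE.finditer(crl_text)}
    if "Last" not in found:
        raise ValueError("CRL text has no 'Last Update' line")
    last = datetime.strptime(found["Last"], _OPENSSL_TIME).replace(tzinfo=timezone.utc)
    nxt_raw = found.get("Next", "NONE")
    nxt = None
    if nxt_raw != "NONE":
        nxt = datetime.strptime(nxt_raw, _OPENSSL_TIME).replace(tzinfo=timezone.utc)
    return last, nxt


def check_crl(crl_text, now):
    """Classify the CRL relative to `now` (an aware UTC datetime).

    Returns a dict with:
      status - "valid", "not_yet_valid" or "expired"
      skew   - how far `now` lies outside the window (zero when valid)
      hint   - a short diagnosis string
    """
    last, nxt = parse_crl_window(crl_text)
    if now < last:
        skew = last - now
        hint = "lastUpdate is in the future"
        # Heuristic (this example's, not OpenSSL's): a lead of less than a day
        # is the signature of a clock stamped in local time but labelled GMT.
        if skew < timedelta(days=1):
            hint += "; suspect the issuing host stamped local time as GMT"
        return {"status": "not_yet_valid", "skew": skew, "hint": hint}
    if nxt is not None and now > nxt:
        return {"status": "expired", "skew": now - nxt, "hint": "nextUpdate has passed"}
    return {"status": "valid", "skew": timedelta(0), "hint": "within validity window"}


if __name__ == "__main__":
    # Usage: openssl crl -noout -text -in crl.pem | python3 check_crl_window.py
    # With no piped input, the sample from the thread is checked instead.
    if sys.stdin.isatty():
        text, now = SAMPLE_CRL_TEXT, SERVER_NOW
    else:
        text, now = sys.stdin.read(), datetime.now(timezone.utc)
    result = check_crl(text, now)
    print(f"{result['status']}: {result['hint']} (skew {result['skew']})")
```

On the thread's sample the script reports `not_yet_valid` with a skew of 2:29:58, matching the server-side `VERIFY ERROR: depth=0, error=CRL is not yet valid`. Note that the skew is the gap between the CRL's stamp and the moment `date` was run, not the host's UTC offset itself, since the CRL was generated some time before `date` was run; the useful signal is that the lead is well under a day, which points at a clock or timezone problem on the issuing host rather than at file permissions, as rustyx concluded.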