openvpn error "Cannot load certificate file client.crt" after upgrade to 384.10


Mats Knuts

New Around Here
Hi,

Upgraded my AC3200 to Merlin 384.10 (was on 384.9) and after that the openVPN client could not connect. The log just gave the error "Cannot load certificate file client.crt". However, certificate, key and CA seem OK.

When I downgraded back to 384.9 everything started to work again.

Any hint on where to start looking?

The client config looks like this:

Code:
# Automatically generated configuration
daemon ovpn-client2
client
dev tun12
proto udp
remote somewhere.com 4998
connect-retry-max 15
nobind
persist-key
persist-tun
comp-lzo adaptive
ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
cipher AES-256-CBC
script-security 2
route-delay 2
route-up vpnrouting.sh
route-pre-down vpnrouting.sh
verb 3
up updown.sh
down updown.sh
ca ca.crt
cert client.crt
key client.key
status-version 2
status status 5

# Custom Configuration
float
keepalive 15 60
remote-cert-tls server
resolv-retry infinite
 
Start with this post in the 380.10 thread. There are some other posts in the thread about cert issues with the 380.10 release and some workarounds - https://www.snbforums.com/threads/r...10-is-now-available.55742/page-21#post-477034.

If I recall, I think one user ended up copying the cert to the /etc/openvpn directory via an SFTP or SSH session.
 
Post your system log content, it will display the exact error. Most likely your CA uses an obsolete SHA1 signature, you need a newer version with a SHA2 signature.
 
This is what I found in the log

Code:
Apr  3 08:19:21 192.168.0.1 Apr  3 08:19:21 ovpn-client2[2840]: Exiting due to fatal error
Apr  3 08:19:21 192.168.0.1 Apr  3 08:19:21 ovpn-client2[2840]: Cannot load certificate file client.crt
Apr  3 08:19:21 192.168.0.1 Apr  3 08:19:21 ovpn-client2[2840]: OpenSSL: error:140AB18E:lib(20):func(171):reason(398)
Apr  3 08:19:21 192.168.0.1 Apr  3 08:19:21 ovpn-client2[2840]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr  3 08:19:21 192.168.0.1 Apr  3 08:19:21 ovpn-client2[2819]: library versions: OpenSSL 1.1.1b  26 Feb 2019, LZO 2.08
Apr  3 08:19:21 192.168.0.1 Apr  3 08:19:21 ovpn-client2[2819]: OpenVPN 2.4.7 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Mar 24 2019
 
That log is incomplete/truncated, we have no error message on the OpenSSL error line.
 
@Mats Knuts
Based on @RMerlin feedback, I recommend you go to the website of your VPN provider and download the most recent cert file before performing additional troubleshooting. Then, once you upload, test to see if the error persists. If so, post appropriate log file entries.
 
I'm my own provider, I have another Asus router at the other end of the VPN, but I will generate new certificates and keys and try and see if that helps.
 
Can't find any OpenSSL error in the log, but I will generate new certificates and see if that helps.

Make sure you use SHA256 signatures. SHA1 is deprecated, and no longer accepted as a signing digest for certificates with OpenSSL 1.1.
 
I have generated new certificates and a new CA, and now everything is working again. Thanks for your help!

If you still have the old certificates, examine them:

Code:
openssl x509 -in file.crt -noout -text

Check the signing digest. If it said SHA1<something>, then that was the problem.
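As an added example (not code from the thread or from Asuswrt-Merlin), the check RMerlin describes above and the SHA256 requirement he gives earlier can be reproduced without the openssl CLI: this stdlib-only Python walks the outer DER structure of a PEM certificate, reads the signatureAlgorithm OID (the "Signature Algorithm" line `openssl x509 -text` prints) and flags the SHA1 case. The two PEM inputs at the bottom are constructed DER skeletons containing only the fields the check reads, not real certificates.

```python
import base64

# Signature-algorithm OIDs (RFC 3279 / RFC 4055); OpenSSL 1.1 refuses the SHA-1 ones on certificates.
SIG_ALGS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
            "1.2.840.10045.4.1": "ecdsa-with-SHA1",
            "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"}

def _tlv(buf, pos):
    """Read one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: next n bytes carry the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0       # first byte packs the first two arcs
    for b in raw[1:]:                                  # base-128 arcs, high bit marks continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(pem):
    """Dotted OID of the outer signatureAlgorithm, i.e. what openssl prints as 'Signature Algorithm'."""
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    der = base64.b64decode(body)
    t1, pos, _ = _tlv(der, 0)                          # Certificate ::= SEQUENCE {
    _, _, pos = _tlv(der, pos)                         #   tbsCertificate   (skipped as a whole)
    t2, pos, _ = _tlv(der, pos)                        #   signatureAlgorithm ::= SEQUENCE {
    t3, start, end = _tlv(der, pos)                    #     algorithm OBJECT IDENTIFIER
    if (t1, t2, t3) != (0x30, 0x30, 0x06):
        raise ValueError("not a DER-encoded X.509 certificate")
    return _decode_oid(der[start:end])

def check_cert(pem):
    """Return (algorithm name, True if it is a SHA-1 signature that OpenSSL 1.1 will reject)."""
    oid = signature_algorithm(pem)
    name = SIG_ALGS.get(oid, "unknown OID " + oid)
    return name, "sha1" in name.lower()

# Constructed inputs: minimal DER skeletons (stub tbsCertificate, AlgorithmIdentifier, empty BIT STRING).
def pem_wrap(der):
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

STUB_SHA1 = pem_wrap(bytes.fromhex("3018 3003020101 300d0609 2a864886f70d010105 0500 03020000"))
STUB_SHA256 = pem_wrap(bytes.fromhex("3018 3003020101 300d0609 2a864886f70d01010b 0500 03020000"))
```

Run `check_cert()` over the contents of your ca.crt and client.crt; a True second value is the condition RMerlin describes, and the same parser works on real certificates because the length decoder handles the long form they use.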
 
Yes, I actually examined them before generating new ones, and they were using SHA1.
 