Server cert doesn't match exported .ovpn cert


blitzkrieg

Occasional Visitor
Hi all,
Once in a while "Certification Authentication / Server certification / Server Key field error! Please check the Keys and Certification contents on the Advanced Settings page." comes out under VPN Server > Export config file area. Restarting VPN server clears this.

I found out the <cert>xx</cert> in the Exported .ovpn file doesn't match Server Certificate in Advanced Settings > Keys and Certificates. I tried to copy/paste the server key from the exported .ovpn to the Advanced Server Certificate and vice-versa but I got some 'key doesn't match error'.

Tried:
Code:
nvram unset vpn_crt_server1_client_key

nvram unset vpn_crt_server1_ca_key
nvram unset vpn_crt_server1_key
nvram unset vpn_crt_server1_dh
nvram unset vpn_crt_server1_static
nvram unset vpn_crt_server1_ca
nvram commit
reboot
Also tried defaulting the VPN server to no avail.

I'm on AC86U 384.15
What am I doing wrong?
 

martinr

Part of the Furniture
I have seen that, too, on my RT-AC68U running 384.15. And, both OpenVPN servers are showing that message now. I didn’t investigate like you have because I have no problems connecting, which surprised me. And then I’d check later and find the message gone and the Export button displayed again.

When you tried your copy/paste experiment did you use Notepad++ set to Unix formatting (assuming you did it on a Windows PC)?

I am using PKI (together with username/password authentication). So I’m more intrigued by why I can connect despite the message, which you have shown to be genuine.

(I’ve only noticed this since updating to 384.15.)
 

martinr

Part of the Furniture
So to clarify: if you Export a fresh .ovpn config file now, would the certificates still be mismatched? Or is it just the relevant certificate currently in the config file on a client device?

Any idea why we can still connect despite this PKI error?
 

blitzkrieg

Occasional Visitor
I have seen that, too, on my RT-AC68U running 384.15. And, both OpenVPN servers are showing that message now. I didn’t investigate like you have because I have no problems connecting, which surprised me. And then I’d check later and find the message gone and the Export button displayed again.

When you tried your copy/paste experiment did you use Notepad++ set to Unix formatting (assuming you did it on a Windows PC)?

I am using PKI (together with username/password authentication). So I’m more intrigued by why I can connect despite the message, which you have shown to be genuine.

(I’ve only noticed this since updating to 384.15.)
Yea no problems connecting actually. The message will be gone upon reboot or restarting of VPN server.
I didn't try notepad++ though, just the windows notepad and ctrl+shift+v just to be sure no formatting is pasted.
Yea noticed this on 384.15.

So to clarify: if you Export a fresh .ovpn config file now, would the certificates still be mismatched? Or is it just the relevant certificate currently in the config file on a client device?

Any idea why we can still connect despite this PKI error?
Yup, if I reboot and export a fresh .ovpn, only the Server Certificate is mismatched.
Beats me on why I can still connect no problem though.
 

martinr

Part of the Furniture
Yea no problems connecting actually. The message will be gone upon reboot or restarting of VPN server.
I didn't try notepad++ though, just the windows notepad and ctrl+shift+v just to be sure no formatting is pasted.
Yea noticed this on 384.15.


Yup, if I reboot and export a fresh .ovpn, only the Server Certificate is mismatched.
Beats me on why I can still connect no problem though.
I’ll try to repeat the troubleshooting you’ve done tonight to see if it makes any more sense.

It makes me believe this certificate mismatch has been there for a while but it’s only on 384.15 that it’s now being reported. I can’t see that the firmware upgrade caused some kind of mutation into, of all things, the server certificate. That would be credible if OpenVPN suddenly had stopped working after the upgrade. But, because OpenVPN still works perfectly, I believe the 384.15 upgrade has not caused the problem; it’s just now bringing it to light.

But it makes me wonder: if OpenVPN still works with a faulty server certificate what else might be flawed? I am tempted to insert an extra character into other certificates and keys to be satisfied that causes a failure to connect.

My meagre understanding of PKI is not deep enough to know at what stage the server certificate comes into play except that at some stage communication between the client and the server should grind to a halt because it appears the client is connecting to a different server than the one it had intended.
 

martinr

Part of the Furniture
Hi all,
Once in a while "Certification Authentication / Server certification / Server Key field error! Please check the Keys and Certification contents on the Advanced Settings page." comes out under VPN Server > Export config file area. Restarting VPN server clears this.

I found out the <cert>xx</cert> in the Exported .ovpn file doesn't match Server Certificate in Advanced Settings > Keys and Certificates. I tried to copy/paste the server key from the exported .ovpn to the Advanced Server Certificate and vice-versa but I got some 'key doesn't match error'.

Tried:
Code:
nvram unset vpn_crt_server1_client_key

nvram unset vpn_crt_server1_ca_key
nvram unset vpn_crt_server1_key
nvram unset vpn_crt_server1_dh
nvram unset vpn_crt_server1_static
nvram unset vpn_crt_server1_ca
nvram commit
reboot
Also tried defaulting the VPN server to no avail.

I'm on AC86U 384.15
What am I doing wrong?
I've had a look at the .ovpn file as well as the Server Certificate in the Advanced Settings; however, my PKI knowledge is just not good enough to know whether it's right or wrong. But this is very reminiscent of the "error" message some of us saw in the previous firmware: we got a swirling circle and the message about initialising the settings of OpenVPN Server... Everything worked perfectly though.

https://www.snbforums.com/threads/stuck-on-export-openvpn-configuration-file.29103/#post-543227

So in every respect, other than the wording of the message, this glitch is identical to the previous, spurious one.

So my guess is that nothing at all is wrong; that those certificates aren't the same (i.e. not supposed to be the same) and that we again have a spurious error message that goes away when the server is stopped and restarted (only to return later) and can, and should, be ignored.

I wonder if @elorimer and @CaptainSTX , who similarly had the erstwhile spinning circle, are now seeing this new message in place of the old one:
"Certification Authentication / Server certification / Server Key field error! Please check the Keys and Certification contents on the Advanced Settings page."

So, because OpenVPN Server is working perfectly in every other respect, I believe this message is just as spurious as the previous one was and should be ignored. Sometimes it pays not to poke around in the webui, I guess.
 

CaptainSTX

Part of the Furniture
I wonder if @elorimer and @CaptainSTX , who similarly had the erstwhile spinning circle, are now seeing this new message in place of the old one:
"Certification Authentication / Server certification / Server Key field error! Please check the Keys and Certification contents on the Advanced Settings page."

So, because OpenVPN Server is working perfectly in every other respect, I believe this message is just as spurious as the previous one was and should be ignored. Sometimes it pays not to poke around in the webui, I guess.
I see exactly the same message. The spinning wheel is gone and there are still some entries in the log pertaining to the open VPN server but maybe not as many as before. I connect to my open VPN server most every day when I'm out of the house and it works fine.

I have considered removing then reinstalling the server but that would mean importing the new certificate for five devices and since it works fine I choose to just ignore the message.
 

FLA_NL

Regular Contributor
Has anyone found out how to prevent this or are you guys just ignoring the message 'Certification Authentication / Server certification / Server Key field error!'? I've the same issue, and with restarting the openvpn server it is gone. Also clients still can connect when it occurs.
 

blitzkrieg

Occasional Visitor
Has anyone found out how to prevent this or are you guys just ignoring the message 'Certification Authentication / Server certification / Server Key field error!'? I've the same issue, and with restarting the openvpn server it is gone. Also clients still can connect when it occurs.
Apparently it is still happening, but I'm ignoring it as clients can still connect. Not sure if it is the OpenVPN implementation or router's firmware :/
I'm still on 384.16 though, have not updated to 384.17.
 

elorimer

Very Senior Member
Huh. I have this message too but everything is fine. Only on Server1, not Server2. My certs are the same for both.

86U, .17. I wouldn't have thought to look.
 

CamCam

New Around Here
I'm also getting
Code:
"Certification Authentication / Server certification / Server Key field error!"
on Asuswrt-Merlin 384.17, RT-AC86u.

I have no problem connecting using the Windows OpenVPN client. But when trying to connect with the Android OpenVPN client, TLS handshake fails (with both using the same configuration file exported from the router).

I realize that sounds like a problem with the Android client - but I wasn't having any problems connecting until I recently changed the server configuration and exported a fresh config. And the Android client still connects to an older OpenVPN server on a different Asus router just fine.

Reverting all the config to the known working settings doesn't help. (At least, I'm pretty sure they're all back as they were...)

I don't know if the router is holding on to the previous certs somehow?

If I SSH into the router and read the client cert and key with nano, they match the exported client config file.

I've tried 'Default'-ing the server settings.
I've also deleted /jffs/openvpn as I saw suggested by RMerlin on another thread, and it didn't help ...though I didn't restart the router after doing so, so I should give that a try.
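
An added example, not part of any post above and not code from the firmware: a standard-library Python check that fingerprints each inline PEM block of an exported .ovpn and reports which router field holds the same object, ignoring the CRLF/LF differences a copy/paste can introduce. In an OpenVPN client profile `<cert>` and `<key>` are the client's own certificate and key, so they are compared against the client fields as well as the server ones. The field names, host name and PEM payloads are constructed placeholders.

```python
import base64
import hashlib
import re

INLINE = re.compile(r"<(ca|cert|key)>(.*?)</\1>", re.S)
PEM = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def pem_fingerprint(text):
    """SHA-256 of the decoded PEM body, or None if there is no PEM block.
    Decoding first makes CRLF/LF and re-wrapped base64 compare equal."""
    m = PEM.search(text)
    if m is None:
        return None
    der = base64.b64decode("".join(m.group(2).split()))
    return hashlib.sha256(der).hexdigest()

def match_fields(ovpn_text, router_fields):
    """Map each inline <ca>/<cert>/<key> block to the router fields equal to it."""
    known = {name: pem_fingerprint(pem) for name, pem in router_fields.items()}
    result = {}
    for tag, body in INLINE.findall(ovpn_text):
        fp = pem_fingerprint(body)
        result[tag] = sorted(n for n, k in known.items() if fp and k == fp)
    return result

def sample_pem(label, payload, eol="\n"):
    """Constructed stand-in for real PEM data (payload is placeholder bytes)."""
    b64 = base64.b64encode(payload).decode()
    return eol.join([f"-----BEGIN {label}-----", b64, f"-----END {label}-----"])

# Hypothetical field names; paste the real values from the router instead.
ROUTER = {
    "ca": sample_pem("CERTIFICATE", b"constructed CA"),
    "server_cert": sample_pem("CERTIFICATE", b"constructed server cert"),
    "client_cert": sample_pem("CERTIFICATE", b"constructed client cert"),
    "client_key": sample_pem("PRIVATE KEY", b"constructed client key"),
}
# Constructed export, saved with Windows line endings.
OVPN = "\r\n".join([
    "client", "dev tun", "remote vpn.example.net 1194",
    "<ca>", sample_pem("CERTIFICATE", b"constructed CA", "\r\n"), "</ca>",
    "<cert>", sample_pem("CERTIFICATE", b"constructed client cert", "\r\n"), "</cert>",
    "<key>", sample_pem("PRIVATE KEY", b"constructed client key", "\r\n"), "</key>",
])

if __name__ == "__main__":
    for tag, fields in match_fields(OVPN, ROUTER).items():
        print(f"<{tag}> matches: {', '.join(fields) or 'nothing'}")
```

For a real certificate the value returned by `pem_fingerprint` is the certificate's SHA-256 fingerprint, so it can be compared with what other tools report for the same certificate.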
 

FLA_NL

Regular Contributor
384.18_beta1, same experience, different message:
Initialinzing the settings of OpenVPN server now, please wait a few minutes to let the server to setup completed before VPN clients establish the connection.


With changing nothing and hitting the apply button of the openvpn server, the Export button for the configuration file becomes available again.
 

prosperot

Occasional Visitor
I am experiencing the same problems on my 86U on the .18 version of Merlin. Coming from Asus stock, where I did not have this issue, I guess it is related to the Merlin implementation of openVPN?
 
