
Server cert doesn't match exported .ovpn cert

Discussion in 'Asuswrt-Merlin' started by blitzkrieg, Feb 22, 2020.

  1. blitzkrieg

    blitzkrieg Occasional Visitor

    Joined:
    Jul 27, 2017
    Messages:
    18
    Hi all,
    Once in a while "Certification Authentication / Server certification / Server Key field error! Please check the Keys and Certification contents on the Advanced Settings page." comes out under VPN Server > Export config file area. Restarting VPN server clears this.

    I found out the <cert>xx</cert> in the exported .ovpn file doesn't match the Server Certificate in Advanced Settings > Keys and Certificates. I tried copy/pasting the server key from the exported .ovpn to the Advanced Server Certificate and vice-versa but I got some 'key doesn't match' error.

    Tried:
    Code:
    nvram unset vpn_crt_server1_client_key
    
    nvram unset vpn_crt_server1_ca_key
    nvram unset vpn_crt_server1_key
    nvram unset vpn_crt_server1_dh
    nvram unset vpn_crt_server1_static
    nvram unset vpn_crt_server1_ca
    nvram commit
    reboot
    Also tried defaulting the VPN server to no avail.

    I'm on AC86U 384.15
    What am I doing wrong?
     
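A quick way to settle whether two PEM blocks are really the same certificate, rather than eyeballing base64, is to compare SHA-256 fingerprints of their DER bytes. The script below is an added example, not code from this thread or from Asuswrt-Merlin: it pulls the inline `<ca>`, `<cert>`, `<key>` and similar blocks out of an exported .ovpn, normalises Windows CRLF line endings first (so a Notepad round-trip cannot cause a false mismatch), and reports per block whether the fingerprint equals the server-side PEM you paste in from the Keys and Certificates page. The `SAMPLE_OVPN`, the `_fake_pem` stand-ins and `router.example` are constructed for the demo and are not real certificates; feed it the real PEM text to get meaningful fingerprints. One general OpenVPN point the example reflects: in a client .ovpn the `<cert>` block is the client's own certificate, issued by the same CA as the server's, so it is not expected to equal the server certificate; the `<ca>` block is the one that should match the server's CA.

```python
"""Compare the inline certificate blocks of an exported OpenVPN .ovpn file
with the server-side PEM material by SHA-256 fingerprint of the DER bytes.

Added example, not code from the forum thread or from Asuswrt-Merlin.
"""
import base64
import hashlib
import re

# Inline block names OpenVPN understands; router-exported .ovpn files use these.
INLINE_TAGS = ("ca", "cert", "key", "tls-auth", "tls-crypt", "dh")

_BLOCK_RE = re.compile(r"<(?P<tag>[a-z-]+)>\s*(?P<body>.*?)\s*</(?P=tag)>", re.S)


def inline_blocks(ovpn_text: str) -> dict:
    """Return {tag: body} for every <tag>...</tag> inline block in an .ovpn.
    CRLF/CR line endings (a Windows-edited file) are normalised first so a
    copy pasted through Notepad compares the same as the original export."""
    text = ovpn_text.replace("\r\n", "\n").replace("\r", "\n")
    return {m.group("tag"): m.group("body").strip() for m in _BLOCK_RE.finditer(text)}


def pem_to_der(pem: str) -> bytes:
    """Strip the -----BEGIN/END----- armour and whitespace; return DER bytes."""
    lines = [ln.strip() for ln in pem.replace("\r", "").splitlines()]
    b64 = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    return base64.b64decode(b64, validate=True)


def fingerprint(pem: str) -> str:
    """SHA-256 fingerprint in the colon-separated form that
    'openssl x509 -noout -fingerprint -sha256' prints."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def compare(ovpn_text: str, server_side: dict) -> dict:
    """For each server-side PEM (keyed by the same tag names as the inline
    blocks) report True/False for fingerprint equality with the .ovpn block,
    or None when the exported file has no such block at all."""
    client = inline_blocks(ovpn_text)
    result = {}
    for tag, server_pem in server_side.items():
        if tag not in client:
            result[tag] = None
            continue
        result[tag] = fingerprint(client[tag]) == fingerprint(server_pem)
    return result


def _fake_pem(label: str, payload: bytes) -> str:
    """Constructed stand-in for a PEM certificate (NOT real X.509 data);
    it only exercises the parsing and fingerprint comparison."""
    b64 = base64.b64encode(payload).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----"


CA_PEM = _fake_pem("CERTIFICATE", b"constructed CA certificate bytes" * 4)
SERVER_CERT_PEM = _fake_pem("CERTIFICATE", b"constructed SERVER certificate bytes" * 4)
CLIENT_CERT_PEM = _fake_pem("CERTIFICATE", b"constructed CLIENT certificate bytes" * 4)

# Constructed excerpt of an exported client .ovpn, deliberately with CRLF endings
# as a file saved by Windows Notepad would have.
SAMPLE_OVPN = (
    "client\r\ndev tun\r\nremote router.example 1194\r\n"
    "<ca>\r\n" + CA_PEM.replace("\n", "\r\n") + "\r\n</ca>\r\n"
    "<cert>\r\n" + CLIENT_CERT_PEM.replace("\n", "\r\n") + "\r\n</cert>\r\n"
)

# What the router's Keys and Certificates page holds for the server (constructed).
SERVER_SIDE = {"ca": CA_PEM, "cert": SERVER_CERT_PEM}

if __name__ == "__main__":
    for tag, same in compare(SAMPLE_OVPN, SERVER_SIDE).items():
        state = "matches" if same else ("differs from" if same is False else "absent; cannot compare with")
        print(f"<{tag}> block {state} the server-side {tag}")
```

On a machine with OpenSSL, `openssl x509 -noout -subject -issuer -fingerprint -sha256 -in file.pem` prints the same fingerprint together with the certificate's subject, which is the direct way to tell whether a given block is the server's certificate or a client's.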
  2. martinr

    martinr Part of the Furniture

    Joined:
    Nov 27, 2014
    Messages:
    2,474
    Location:
    Manchester, United Kingdom
    I have seen that, too, on my RT-AC68U running 384.15. And, both OpenVPN servers are showing that message now. I didn’t investigate like you have because I have no problems connecting, which surprised me. And then I’d check later and find the message gone and the Export button displayed again.

    When you tried your copy/paste experiment did you use Notepad++ set to Unix formatting (assuming you did it on a Windows PC)?

    I am using PKI (together with username/password authentication). So I’m more intrigued by why I can connect despite the message, which you have shown to be genuine.

    (I’ve only noticed this since updating to 384.15.)
     
    Last edited: Feb 22, 2020
  3. martinr

    martinr Part of the Furniture

    Joined:
    Nov 27, 2014
    Messages:
    2,474
    Location:
    Manchester, United Kingdom
    So to clarify: if you Export a fresh .ovpn config file now, would the certificates still be mismatched? Or is it just the relevant certificate currently in the config file on a client device?

    Any idea why we can still connect despite this PKI error?
     
  4. blitzkrieg

    blitzkrieg Occasional Visitor

    Joined:
    Jul 27, 2017
    Messages:
    18
    Yea, no problems connecting actually. The message will be gone upon reboot or restarting of the VPN server.
    I didn't try Notepad++ though, just the Windows Notepad and Ctrl+Shift+V just to be sure no formatting is pasted.
    Yea, noticed this on 384.15.

    Yup, if I reboot and export a fresh .ovpn only the Server Certificate is mismatched.
    Beats me why I can still connect no problem though.
     
    martinr likes this.
  5. martinr

    martinr Part of the Furniture

    Joined:
    Nov 27, 2014
    Messages:
    2,474
    Location:
    Manchester, United Kingdom
    I’ll try to repeat the troubleshooting you’ve done tonight to see if it makes any more sense.

    It makes me believe this certificate mismatch has been there for a while but it’s only on 384.15 that it’s now being reported. I can’t see that the firmware upgrade caused some kind of mutation into, of all things, the server certificate. That would be credible if OpenVPN suddenly had stopped working after the upgrade. But, because OpenVPN still works perfectly, I believe the 384.15 upgrade has not caused the problem; it’s just now bringing it to light.

    But it makes me wonder: if OpenVPN still works with a faulty server certificate what else might be flawed? I am tempted to insert an extra character into other certificates and keys to be satisfied that causes a failure to connect.

    My meagre understanding of PKI is not deep enough to know at what stage the server certificate comes into play except that at some stage communication between the client and the server should grind to a halt because it appears the client is connecting to a different server than the one it had intended.
     
  6. martinr

    martinr Part of the Furniture

    Joined:
    Nov 27, 2014
    Messages:
    2,474
    Location:
    Manchester, United Kingdom
    I've had a look at the .ovpn file as well as the Server Certificate in the Advanced Settings; however, my PKI knowledge is just not good enough to know whether it's right or wrong. But this is very reminiscent of the "error" message some of us saw in the previous firmware: we got a swirling circle and the message about initialising the settings of OpenVPN Server... Everything worked perfectly though.

    https://www.snbforums.com/threads/stuck-on-export-openvpn-configuration-file.29103/#post-543227

    So in every respect, other than the wording of the message, this glitch is identical to the previous, spurious one.

    So my guess is that nothing at all is wrong; that those certificates aren't the same (ie not supposed to be the same) and that we again have a spurious error message that goes away when the server is stopped and restarted (only to return later) and can, and should, be ignored.

    I wonder if @elorimer and @CaptainSTX , who similarly had the erstwhile spinning circle, are now seeing this new message in place of the old one:
    "Certification Authentication / Server certification / Server Key field error! Please check the Keys and Certification contents on the Advanced Settings page."

    So, because OpenVPN Server is working perfectly in every other respect, I believe this message is just as spurious as the previous one was and should be ignored. Sometimes it pays not to poke around in the webui, I guess.
     
  7. CaptainSTX

    CaptainSTX Part of the Furniture

    Joined:
    May 2, 2012
    Messages:
    2,489
    I see exactly the same message. The spinning wheel is gone and there are still some entries in the log pertaining to the OpenVPN server but maybe not as many as before. I connect to my OpenVPN server most every day when I'm out of the house and it works fine.

    I have considered removing and reinstalling the server but that would mean importing the new certificate for five devices and since it works fine I choose to just ignore the message.
     
    martinr likes this.