OpenVPN client reports expired certificate even though it is valid for almost 10 years

Hello,

After some time of having a valid OpenVPN configuration on a Mikrotik CCR1009-8G-1S, v6.37.1, I can't connect.
OpenVPN reports an expired certificate:

Thu Dec 22 13:16:44 2016 us=973237 VERIFY OK: depth=0, C=SK, ST=SK, L=, O=, CN=
Thu Dec 22 13:16:45 2016 us=67242 OpenSSL: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired
Thu Dec 22 13:16:45 2016 us=67242 OpenSSL: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
Thu Dec 22 13:16:45 2016 us=67242 TLS_ERROR: BIO read tls_read_plaintext error
Thu Dec 22 13:16:45 2016 us=67242 TLS Error: TLS object -> incoming plaintext read error
Thu Dec 22 13:16:45 2016 us=67242 TLS Error: TLS handshake failed
Thu Dec 22 13:16:45 2016 us=68242 Fatal TLS error (check_tls_errors_co), restarting
Thu Dec 22 13:16:45 2016 us=68242 TCP/UDP: Closing socket

The CA and server certificates are valid. I tried to set the same certificate for HTTPS and it was valid.

Any suggestions?

Thanks.

I know it is basic, but have you checked the device date? Unlike PCs, these routers don't keep time between reboots - they get it through NTP each time.

Thank you for the reminder, however it was the first thing I checked. It was approx. 4 minutes ahead, but after correcting it nothing changed.
I switched off client certificate authentication and voilà, the connection was established. So now I'm completely confused about what's wrong.
I thought that the server certificate was (in my opinion incorrectly) reported as expired.
But when no client certificate is taken into authentication, what was expired? The client certificate is valid.
Of course, I want to use client certificate authentication.

10 years is a long time.

Maybe time to update the cert?

I know the server cert could expire?

You can check expiration with this:

$ echo | openssl s_client -connect urlhere

Is the client certificate signed by the same CA that issued the server certificate?

For almost 10 years the server cert and CA cert WILL be valid.
You can't connect to the OpenVPN server with openssl to get the cert., since it is TLS wrapped inside the OpenVPN protocol.
Or rather, openssl s_client -connect server:port gets SSL23_GET_SERVER_HELLO:unknown protocol

Yes, it is signed with the same CA. It was working several days ago; now it has stopped.
But I double-checked all the certs and they are valid and signed with that CA.

Weird. I thought it was a wrong error message, but… OK.

  1. The server is a CCR. What is the client?
  2. What changed when it stopped working? New RouterOS version? New client version? Some configuration change? Windows update? There must be something.

  1. The client is the OpenVPN Windows client.
  2. We use a similar Mikrotik router with the same configuration for our company and I can connect with the same client. It stopped working for all clients which connect there. There was Mikrotik v6.37.1 firmware; I updated it to the most recent, but it didn't help.
     I'm confused about which cert. is reported as expired. By the logs, it should be the server cert. But how can it work when I switch off client cert authentication? A server cert reported as expired wouldn't allow it.

I am using the same config: an OpenVPN Mikrotik server (1100AHx2) with Windows, Linux and RouterOS clients. The server is using version 6.37.1, and it verifies the client cert too.

Could it be something with Windows? Some update? If the certificates are really valid and signed AND the time on the server is OK… I don't know what it could be.

Just got an idea: the server certificate is valid. But how about the CA certificate? Maybe your server cert is OK, but the CA cert isn't. When you ask to validate the client certificate, the system finds out that the CA is no longer valid and complains.

I switched off client certificate authentication and it started working again, as I wrote here. So if the CA cert wasn't valid (it is also part of the client config), I think I couldn't connect anyway.
The CA is also OK; I tried to add it as a root CA to my client and opened the server and client certs, which were both valid in my client environment without any untrusted issues (date, chain).
I connect to other OpenVPN servers (one is a Mikrotik as well) and even client cert authentication works without any problems. The problem is only with the one Mikrotik described.
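One detail in the log quoted above resolves most of the confusion in this thread: `VERIFY OK: depth=0` is the client's own check of the server certificate succeeding, and the next line, `sslv3 alert certificate expired`, is a TLS alert the client *received* from the server. libssl encodes a received alert as reason code 1000 + the TLS alert number (45 = certificate_expired, RFC 5246), so this error does not say the server certificate is expired; it says the server's verification of the client's chain failed. That is consistent with the connection working as soon as client certificate authentication is switched off, and it means the server's clock, its copy of the CA and any CRL it consults are what need checking, not the client's view of the certificates. The following script is an added example, not code from the thread or from OpenVPN or RouterOS; it decodes the packed OpenSSL error codes (the pre-3.0 8-bit library / 12-bit function / 12-bit reason layout shown in these logs) and runs that reading over the log lines from the thread, embedded as constructed sample input.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the OpenVPN client log lines quoted earlier in this thread.
SAMPLE_LOG = """\
Thu Dec 22 13:16:44 2016 us=973237 VERIFY OK: depth=0, C=SK, ST=SK, L=, O=, CN=
Thu Dec 22 13:16:45 2016 us=67242 OpenSSL: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired
Thu Dec 22 13:16:45 2016 us=67242 OpenSSL: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
Thu Dec 22 13:16:45 2016 us=67242 TLS_ERROR: BIO read tls_read_plaintext error
Thu Dec 22 13:16:45 2016 us=67242 TLS Error: TLS handshake failed
"""

# Certificate-related TLS alert descriptions (RFC 5246, section 7.2.2).
CERT_ALERTS: Dict[int, str] = {
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}

ERR_LIB_SSL = 0x14  # library id of libssl inside a packed OpenSSL error code

OPENSSL_ERR_RE = re.compile(r"OpenSSL: error:([0-9A-Fa-f]{8}):")
VERIFY_OK_RE = re.compile(r"VERIFY OK: depth=(\d+)")


@dataclass
class OpenSSLError:
    code: int
    library: int
    function: int
    reason: int

    @property
    def peer_alert(self) -> Optional[int]:
        """TLS alert number if this error records an alert received from the peer.

        libssl reports a received alert as reason 1000 + alert description
        (SSL_R_SSLV3_ALERT_* / SSL_R_TLSV1_ALERT_*), so reasons 1000..1255 mean
        "the other side rejected something", not a failed local check.
        """
        if self.library == ERR_LIB_SSL and 1000 <= self.reason <= 1255:
            return self.reason - 1000
        return None


def decode_openssl_error(code: int) -> OpenSSLError:
    """Unpack a pre-3.0 OpenSSL error code: 8-bit library, 12-bit function, 12-bit reason.
    (OpenSSL 3.x dropped the function field; the codes in this thread use the old layout.)"""
    return OpenSSLError(
        code=code,
        library=(code >> 24) & 0xFF,
        function=(code >> 12) & 0xFFF,
        reason=code & 0xFFF,
    )


def analyze_client_log(text: str) -> Dict[str, object]:
    """Summarise a client-side OpenVPN log: what we verified and what the server rejected."""
    verified_depths: List[int] = []
    peer_alerts: List[str] = []
    errors: List[OpenSSLError] = []
    for line in text.splitlines():
        m = VERIFY_OK_RE.search(line)
        if m:
            verified_depths.append(int(m.group(1)))
            continue
        m = OPENSSL_ERR_RE.search(line)
        if m:
            err = decode_openssl_error(int(m.group(1), 16))
            errors.append(err)
            if err.peer_alert is not None:
                peer_alerts.append(CERT_ALERTS.get(err.peer_alert, f"alert_{err.peer_alert}"))
    return {
        # depth=0 verified means the client accepted the server's leaf certificate
        "server_chain_verified_locally": 0 in verified_depths,
        "peer_alerts": peer_alerts,
        "openssl_errors": errors,
    }


def diagnose(summary: Dict[str, object]) -> str:
    """One-line conclusion: was the failure a local check or the server's check of our chain?"""
    alerts = summary["peer_alerts"]
    if not alerts:
        return "no TLS alert from the server; look for a local verification failure instead"
    if summary["server_chain_verified_locally"]:
        return (f"server sent {', '.join(alerts)}: it rejected our client certificate chain "
                "(checked against the server's clock, CA copy and CRL), not the server certificate")
    return f"server sent {', '.join(alerts)} before we finished verifying it"


if __name__ == "__main__":
    result = analyze_client_log(SAMPLE_LOG)
    for err in result["openssl_errors"]:
        print(f"{err.code:08X}: lib={err.library} func={err.function} reason={err.reason} "
              f"peer_alert={err.peer_alert}")
    print(diagnose(result))
```

Run against the thread's own lines it reports `14094415` as reason 1045, i.e. alert 45 (certificate_expired) sent by the server, and `140940E5` as reason 229 (a plain handshake failure with no alert attached). The same decoding applies to the log in the later post in this thread, which carries the identical error codes.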

Thu Dec 22 13:16:45 2016 us=67242 OpenSSL: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired

See the CRL settings in your root certificate and users! It expired!
New Terminal.

certificate crl print
E - expired

I printed all certificates with "certificate print". I only removed the fingerprint and changed the IP address and company name to <…text…>.
There are no expired certificates. CLIENT-tpl is a template for new client certificates if needed.
Output:

Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
 #          NAME            COMMON-NAME            SUBJECT-ALT-NAME
 0 K L A  T CA              <company name>
 1 K    I   SERVER          <public IP address>
 2          CLIENT-tpl      vpnuser
 3 K    I   vpnuser01       vpnuser01
 4 K    I   vpnuser02       vpnuser02
 5 K    I   vpnuser03       vpnuser03
 6 K    I   vpnuser04       vpnuser04
 7 K    I   vpnuser05       vpnuser05
 8 K    I   vpnuser06       vpnuser06
 9 K    I   vpnuser07       vpnuser07
10 K    I   vpnuser08       vpnuser08
11 K    I   vpnuser09       vpnuser09
12 K    I   vpnuser10       vpnuser10
13 K    I   vpnuser11       vpnuser11
14 K    I   vpnuser12       vpnuser12
15 K    I   vpnuser13       vpnuser13
16 K    I   vpnuser14       vpnuser14
17 K    I   vpnuser15       vpnuser15
18 K    I   vpnuser16       vpnuser16
19 K    I   vpnuser17       vpnuser17
20 K    I   vpnuser18       vpnuser18
21 K    I   vpnuser19       vpnuser19
22 K    I   vpnuser20       vpnuser20

No.
Command certificate crl print
!!..

No certificates are printed:

 #    CERT                                                               LAST-UPDATE                 NUM    REVOKED URL

OK.
All right. Check the CRL distribution point of the root certificate and of the server and user certificates.
And read this:
https://en.wikipedia.org/wiki/Certificate_revocation_list

@ipavlik

Hello,

I have the same problem. I upgraded from version 6.38.1 to 6.38.3 and now I can't connect via OpenVPN (also from a Windows client and from an Asus router client):

Thu Mar 02 23:35:20 2017 OpenSSL: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired
Thu Mar 02 23:35:20 2017 OpenSSL: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
Thu Mar 02 23:35:20 2017 TLS_ERROR: BIO read tls_read_plaintext error
Thu Mar 02 23:35:20 2017 TLS Error: TLS object -> incoming plaintext read error
Thu Mar 02 23:35:20 2017 TLS Error: TLS handshake failed
Thu Mar 02 23:35:20 2017 Fatal TLS error (check_tls_errors_co), restarting
Thu Mar 02 23:35:20 2017 TCP/UDP: Closing socket
Thu Mar 02 23:35:20 2017 SIGUSR1[soft,tls-error] received, process restarting
Thu Mar 02 23:35:20 2017 MANAGEMENT: >STATE:1488494120,RECONNECTING,tls-error,,
Thu Mar 02 23:35:20 2017 Restart pause, 5 second(s)

The CA is valid, and the server's certificate and the clients' are also valid (they are valid for 10 years). When I turn off client certificate validation, everything works.

I've downgraded to 6.38.1 but it didn't help. The same problem. Maybe someone can help me?

I've tried generating new 10-year certificates (CA, server and client) on Mikrotik 6.38.5 but without success (the same problem during connection). Does anybody have the same issue?

Currently I don't have a solution and I'm using authentication without client certificates.