OpenVPN W10 sslv3 alert certificate expired

patrickmkt · April 4, 2020, 12:13am

Recently I could not connect anymore to any of my routers from my Win 10 OpenVPN.

I got on the Windows10 OpenVPN log: OpenSSL: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired
On the router I got a an error: duplicate packet, dropping.

All my routers are configured with a master CA, a sub CA for each router, and a set of certificates under the sub CA for the router and different clients. All CA have a CRL path defined in their certs.
All the CA, sub CA, clients and server certs are still within their validity period and the crl of both CA are also current.
I checked on the windows client that the CA, sub CA and clients have a valid chain of trust and the current crl for both CA are also current.
On the routers I have also both CA and subCA shown as T(rusted) with also a valid crl (shown as -D in certificate crl print with proper date).

I tried also to connect from Mikrotik to Mikrotik with ovpn without success.
I tried an iOS OpenVPN connection that was working previously but not anymore.

I can still log to the router via a backup ikeV2 remote access that I had fortunately setup.

But I am dumbfounded by this Openvpn problem. Was there some changes recently on the OpenVPN implementation in RouterOS that could explain this problem? Any pointers what to look for to solve my problem?

patrickmkt · April 9, 2020, 5:42pm

just as a side note, the certificates for the ikev2 login are the same than the ones I am using for ovpn !!!

patrickmkt · April 18, 2020, 4:20pm

When the Mikrotik ovpn server “require client certificate” is unchecked, I can remotely connect. When it is checked, then I got on my client the certificate expired notification.

Why the Mikrotik implementation of ovpn is finding the certificate as expired is still a mystery.

The certs are valid and the CRL are shown as properly downloaded too.

When connecting with the same certs via ikev2, there is no expiration problem.

Nobody has a clue how to fix this problem?
Was there a change on the ovpn certificate verification in the latest release?
Am I the only one to see that issue?

patrickmkt · April 27, 2020, 12:38am

Nobody to give a hand to help me find the problem?
I don’t know what else to look for.
Am I the only one with this problem? Is is a new bug in the latest stable ROS versions?

mutluit · April 27, 2020, 12:48am

FYI: it’s weekend, nobody working…
Oops, sorry, just saw: you have this problem since April 4…
Hmm. you better should contact the technical support: https://help.mikrotik.com/servicedesk/customer/user/login?destination=portals

patrickmkt · June 4, 2020, 9:00pm

The update to 6.47 fixed my problem. I can again connect remotely via OVPN with certificates.