ipavlik
just joined
Topic Author
Posts: 16
Joined: Thu Dec 22, 2016 3:47 pm

OpenVPN client reports expired certificate even it is valid almost 10 years

Thu Dec 22, 2016 3:57 pm

Hello,

After some time with a working OpenVPN configuration on a MikroTik CCR1009-8G-1S, v6.37.1, I can't connect.
OpenVPN reports expired certificate:

Thu Dec 22 13:16:44 2016 us=973237 VERIFY OK: depth=0, C=SK, ST=SK, L=<L>, O=<Org>, CN=<IP>
Thu Dec 22 13:16:45 2016 us=67242 OpenSSL: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired
Thu Dec 22 13:16:45 2016 us=67242 OpenSSL: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
Thu Dec 22 13:16:45 2016 us=67242 TLS_ERROR: BIO read tls_read_plaintext error
Thu Dec 22 13:16:45 2016 us=67242 TLS Error: TLS object -> incoming plaintext read error
Thu Dec 22 13:16:45 2016 us=67242 TLS Error: TLS handshake failed
Thu Dec 22 13:16:45 2016 us=68242 Fatal TLS error (check_tls_errors_co), restarting
Thu Dec 22 13:16:45 2016 us=68242 TCP/UDP: Closing socket

CA and server certificates are valid. Tried to set the same certificate for HTTPS and it was valid.

Any suggestions?

Thanks.
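The log excerpt above is easy to misread, and the rest of the thread turns on exactly that. As an added example (not from the original post and not MikroTik's or OpenVPN's code), here is a small Python classifier run over constructed log lines modelled on the excerpt. It rests on one fact about OpenSSL's error strings: a reason of the form "sslv3 alert ..." or "tlsv1 alert ..." is produced only when OpenSSL reads an alert sent by the peer. So "VERIFY OK: depth=0" is this client accepting the server's certificate, and the "certificate expired" alert is the server's verdict on what the client presented. The sample lines, the second "VERIFY ERROR" sample, the regexes and the Diagnosis names are my own.

```python
"""Classify an OpenVPN client log excerpt: did this client reject the
server's chain, or did the server reject what this client presented?"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample modelled on the lines quoted in the thread (not the
# poster's full log); subject fields are placeholders.
SAMPLE_PEER_REJECTS = """\
Thu Dec 22 13:16:44 2016 us=973237 VERIFY OK: depth=0, C=SK, ST=SK, L=<L>, O=<Org>, CN=<IP>
Thu Dec 22 13:16:45 2016 us=67242 OpenSSL: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired
Thu Dec 22 13:16:45 2016 us=67242 OpenSSL: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
Thu Dec 22 13:16:45 2016 us=67242 TLS Error: TLS handshake failed
"""

# Constructed sample of the opposite direction: this client's own check of the
# server chain fails (the line shape follows OpenVPN's "VERIFY ERROR" format).
SAMPLE_LOCAL_REJECTS = """\
Thu Dec 22 13:16:44 2016 us=973237 VERIFY ERROR: depth=1, error=certificate has expired: C=SK, O=<Org>, CN=CA
Thu Dec 22 13:16:44 2016 us=973237 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Thu Dec 22 13:16:44 2016 us=973237 TLS Error: TLS handshake failed
"""

VERIFY_OK = re.compile(r"VERIFY OK: depth=(\d+)")
VERIFY_ERROR = re.compile(r"VERIFY ERROR: depth=(\d+), error=([^:]+)")
# OpenSSL only emits "sslv3 alert ..." / "tlsv1 alert ..." reason strings when
# it reads an alert record sent by the peer, so this names the REMOTE verdict.
PEER_ALERT = re.compile(r"\b(?:sslv3|tlsv1|tlsv13) alert ([a-z ]+?)\s*$")


@dataclass
class Diagnosis:
    peer_chain_depths_ok: List[int] = field(default_factory=list)  # local VERIFY OK depths
    local_verify_error: Optional[str] = None  # this side rejected the peer's chain
    peer_alert: Optional[str] = None          # the peer rejected what we presented
    rejected_by: str = "unknown"              # "peer", "local" or "unknown"
    explanation: str = ""


def diagnose(log_text: str) -> Diagnosis:
    d = Diagnosis()
    for line in log_text.splitlines():
        m = VERIFY_OK.search(line)
        if m:
            d.peer_chain_depths_ok.append(int(m.group(1)))
            continue
        m = VERIFY_ERROR.search(line)
        if m:
            d.local_verify_error = f"depth={m.group(1)}: {m.group(2).strip()}"
            continue
        m = PEER_ALERT.search(line)
        if m:
            d.peer_alert = m.group(1)
    if d.local_verify_error:
        d.rejected_by = "local"
        d.explanation = (f"this client rejected the server's chain ({d.local_verify_error}); "
                         "check the CA configured on the client and the client's clock")
    elif d.peer_alert:
        d.rejected_by = "peer"
        d.explanation = (f"the server's chain verified here (depths {sorted(d.peer_chain_depths_ok)}) "
                         f"and the server then sent alert '{d.peer_alert}': it rejected what this "
                         "client presented. Check the client certificate's dates, that the server "
                         "trusts its issuing CA, the server's clock, and that the server can reach "
                         "the CRL distribution point named in the certificates")
    return d


if __name__ == "__main__":
    for sample in (SAMPLE_PEER_REJECTS, SAMPLE_LOCAL_REJECTS):
        result = diagnose(sample)
        print(f"{result.rejected_by}: {result.explanation}")
```

Run on the first sample it reports "peer", which is why disabling client certificate authentication on the router makes the error disappear: the server simply stops evaluating the client certificate.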
 
Paternot
Forum Veteran
Posts: 709
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: OpenVPN client reports expired certificate even it is valid almost 10 years

Thu Dec 22, 2016 9:25 pm

Hello,

After some time with a working OpenVPN configuration on a MikroTik CCR1009-8G-1S, v6.37.1, I can't connect.
OpenVPN reports expired certificate:

...

CA and server certificates are valid. Tried to set the same certificate for HTTPS and it was valid.

Any suggestions?

Thanks.

I know it is basic, but have you checked the device date? Unlike PCs, these routers don't keep time between reboots - they get it through NTP each time.
 
ipavlik
just joined
Topic Author
Posts: 16
Joined: Thu Dec 22, 2016 3:47 pm

Re: OpenVPN client reports expired certificate even it is valid almost 10 years

Fri Dec 23, 2016 4:57 pm

Thank you for the reminder; however, it was the first thing I checked. It was approx. 4 mins ahead, but after correcting it nothing changed.
I switched off client certificate authentication and voila, the connection was established. So now I'm completely confused what's wrong.
I thought that the server certificate was (in my opinion incorrectly) reported as expired.
But when no client certificate is taken into authentication, what was expired? The client certificate is valid.
Of course, I want to use client certificate authentication.
 
zipvault
Member Candidate
Posts: 144
Joined: Fri Dec 23, 2016 8:15 am

Re: OpenVPN client reports expired certificate even it is valid almost 10 years

Fri Dec 23, 2016 9:33 pm

10 years is a long time

Maybe time to update cert?

I know server cert could expire?

You can check expiration with this:

$ echo | openssl s_client -connect urlhere
ZipVault
 
Paternot
Forum Veteran
Posts: 709
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: OpenVPN client reports expired certificate even it is valid almost 10 years

Sat Dec 24, 2016 2:58 am

Is the client certificate signed by the same CA that issued the server certificate?
 
ipavlik
just joined
Topic Author
Posts: 16
Joined: Thu Dec 22, 2016 3:47 pm

Re: OpenVPN client reports expired certificate even it is valid almost 10 years

Sat Dec 24, 2016 9:00 am

10 years is a long time

Maybe time to update cert?

I know server cert could expire?

You can check expiration with this:

$ echo | openssl s_client -connect urlhere

The server cert and CA cert WILL be valid for almost 10 years.
You can't connect to the OpenVPN server with openssl to get the cert., since it is TLS wrapped inside the OpenVPN protocol.
Or rather, openssl s_client -connect server:port gets SSL23_GET_SERVER_HELLO:unknown protocol
 
ipavlik
just joined
Topic Author
Posts: 16
Joined: Thu Dec 22, 2016 3:47 pm

Re: OpenVPN client reports expired certificate even it is valid almost 10 years

Sat Dec 24, 2016 9:02 am

Is the client certificate signed by the same CA that issued the server certificate?

Yes, it is signed with the same CA. It was working several days ago, now it stopped.
But I double checked all certs and they are valid and signed with that CA.
 
Paternot
Forum Veteran
Posts: 709
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: OpenVPN client reports expired certificate even it is valid almost 10 years

Sat Dec 24, 2016 12:36 pm

Yes, it is signed with the same CA. It was working several days ago, now it stopped.
But I double checked all certs and they are valid and signed with that CA.

Weird. I thought it was a wrong error message, but... Ok.

1) The server is a CCR. What is the client?
2) What changed when it stopped working? New RouterOS version? New client version? Some configuration change? Windows update? There must be something.
 
ipavlik
just joined
Topic Author
Posts: 16
Joined: Thu Dec 22, 2016 3:47 pm

Re: OpenVPN client reports expired certificate even it is valid almost 10 years

Sun Dec 25, 2016 11:04 am

Yes, it is signed with the same CA. It was working several days ago, now it stopped.
But I double checked all certs and they are valid and signed with that CA.
Weird. I thought it was a wrong error message, but... Ok.

1) The server is a CCR. What is the client?
2) What changed when it stopped working? New RouterOS version? New client version? Some configuration change? Windows update? There must be something.

1) The client is the OpenVPN Windows client.
2) We use a similar MikroTik router with the same configuration for our company and I can connect with the same client. It stopped working for all clients which connect there. It had MikroTik v6.37.1 firmware; I updated it to the most recent, but it didn't help.
I'm confused which cert. is reported as expired. By the logs, it should be the server cert. But how can it work when I switch off client cert authentication? A server cert reported as expired wouldn't allow it.
 
Paternot
Forum Veteran
Posts: 709
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: OpenVPN client reports expired certificate even it is valid almost 10 years

Sun Dec 25, 2016 7:52 pm

I am using the same config: OpenVpn Mikrotik server (1100AHx2) with windows, Linux and routeros clients. The server is using the 6.37.1 version, and it verifies the client cert too.

Could it be something with Windows? Some update? If the certificates are really valid, signed AND the time on the server is ok... I don't know what it could be.
 
Paternot
Forum Veteran
Posts: 709
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: OpenVPN client reports expired certificate even it is valid almost 10 years

Tue Dec 27, 2016 3:53 pm

I'm confused which cert. is reported as expired. By the logs, it should be the server cert. But how can it work when I switch off client cert authentication? A server cert reported as expired wouldn't allow it.

Just got an idea: the server certificate is valid. But how about the CA certificate? Maybe your server cert is ok, but the CA cert isn't. When you ask it to validate the client certificate the system finds out that the CA is no longer valid and complains.
 
ipavlik
just joined
Topic Author
Posts: 16
Joined: Thu Dec 22, 2016 3:47 pm

Re: OpenVPN client reports expired certificate even it is valid almost 10 years

Wed Dec 28, 2016 6:15 pm

I'm confused which cert. is reported as expired. By the logs, it should be the server cert. But how can it work when I switch off client cert authentication? A server cert reported as expired wouldn't allow it.
Just got an idea: the server certificate is valid. But how about the CA certificate? Maybe your server cert is ok, but the CA cert isn't. When you ask it to validate the client certificate the system finds out that the CA is no longer valid and complains.

I switched off client certificate authentication and it started working again, as I wrote here. So if the CA cert wasn't valid (it is also part of the client config), I think I couldn't connect anyway.
The CA is also OK; I tried adding it as a root CA on my client and opened the server and client certs, which were both valid in my client environment without any trust issues (date, chain).
I connect to other OpenVPN servers (one is MikroTik as well) and even client cert authentication works without any problems. The problem is only with the one MikroTik described.
 
ATROX
newbie
Posts: 45
Joined: Mon Oct 14, 2013 2:10 pm

Re: OpenVPN client reports expired certificate even it is valid almost 10 years

Thu Dec 29, 2016 3:56 pm

Thu Dec 22 13:16:45 2016 us=67242 OpenSSL: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired

See the CRL settings in your root certificate and users! It expired!
New Terminal.
>certificate crl print
E - expired
 
ipavlik
just joined
Topic Author
Posts: 16
Joined: Thu Dec 22, 2016 3:47 pm

Re: OpenVPN client reports expired certificate even it is valid almost 10 years

Mon Jan 09, 2017 1:01 pm

Thu Dec 22 13:16:45 2016 us=67242 OpenSSL: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired

See the CRL settings in your root certificate and users! It expired!
New Terminal.
>certificate crl print
E - expired

I printed all certificates with "certificate print". I only removed the fingerprint and replaced the IP address and company name with <...text...>.
There are no expired certificates. CLIENT-tpl is a template for a new client certificate if needed.
Output:
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
 #          NAME            COMMON-NAME            SUBJECT-ALT-NAME
 0 K L A  T CA              <company name>
 1 K    I   SERVER          <public IP address>
 2          CLIENT-tpl      vpnuser
 3 K    I   vpnuser01       vpnuser01
 4 K    I   vpnuser02       vpnuser02
 5 K    I   vpnuser03       vpnuser03
 6 K    I   vpnuser04       vpnuser04
 7 K    I   vpnuser05       vpnuser05
 8 K    I   vpnuser06       vpnuser06
 9 K    I   vpnuser07       vpnuser07
10 K    I   vpnuser08       vpnuser08
11 K    I   vpnuser09       vpnuser09
12 K    I   vpnuser10       vpnuser10
13 K    I   vpnuser11       vpnuser11
14 K    I   vpnuser12       vpnuser12
15 K    I   vpnuser13       vpnuser13
16 K    I   vpnuser14       vpnuser14
17 K    I   vpnuser15       vpnuser15
18 K    I   vpnuser16       vpnuser16
19 K    I   vpnuser17       vpnuser17
20 K    I   vpnuser18       vpnuser18
21 K    I   vpnuser19       vpnuser19
22 K    I   vpnuser20       vpnuser20
 
ATROX
newbie
Posts: 45
Joined: Mon Oct 14, 2013 2:10 pm

Re: OpenVPN client reports expired certificate even it is valid almost 10 years

Mon Jan 09, 2017 1:39 pm

No.
Command certificate crl print
!!...
Thu Dec 22 13:16:45 2016 us=67242 OpenSSL: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired

See the CRL settings in your root certificate and users! It expired!
New Terminal.
>certificate crl print
E - expired
I printed all certificates with "certificate print". I only removed the fingerprint and replaced the IP address and company name with <...text...>.
There are no expired certificates. CLIENT-tpl is a template for a new client certificate if needed.
Output:
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
 #          NAME            COMMON-NAME            SUBJECT-ALT-NAME
 0 K L A  T CA              <company name>
 1 K    I   SERVER          <public IP address>
 2          CLIENT-tpl      vpnuser
 3 K    I   vpnuser01       vpnuser01
 4 K    I   vpnuser02       vpnuser02
 5 K    I   vpnuser03       vpnuser03
 6 K    I   vpnuser04       vpnuser04
 7 K    I   vpnuser05       vpnuser05
 8 K    I   vpnuser06       vpnuser06
 9 K    I   vpnuser07       vpnuser07
10 K    I   vpnuser08       vpnuser08
11 K    I   vpnuser09       vpnuser09
12 K    I   vpnuser10       vpnuser10
13 K    I   vpnuser11       vpnuser11
14 K    I   vpnuser12       vpnuser12
15 K    I   vpnuser13       vpnuser13
16 K    I   vpnuser14       vpnuser14
17 K    I   vpnuser15       vpnuser15
18 K    I   vpnuser16       vpnuser16
19 K    I   vpnuser17       vpnuser17
20 K    I   vpnuser18       vpnuser18
21 K    I   vpnuser19       vpnuser19
22 K    I   vpnuser20       vpnuser20
 
ipavlik
just joined
Topic Author
Posts: 16
Joined: Thu Dec 22, 2016 3:47 pm

Re: OpenVPN client reports expired certificate even it is valid almost 10 years

Mon Jan 09, 2017 1:50 pm

No.
Command certificate crl print
!!...
Thu Dec 22 13:16:45 2016 us=67242 OpenSSL: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired

See the CRL settings in your root certificate and users! It expired!
New Terminal.
>certificate crl print
E - expired
I printed all certificates with "certificate print". I only removed the fingerprint and replaced the IP address and company name with <...text...>.
There are no expired certificates. CLIENT-tpl is a template for a new client certificate if needed.
Output:
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
 #          NAME            COMMON-NAME            SUBJECT-ALT-NAME
 0 K L A  T CA              <company name>
 1 K    I   SERVER          <public IP address>
 2          CLIENT-tpl      vpnuser
 3 K    I   vpnuser01       vpnuser01
 4 K    I   vpnuser02       vpnuser02
 5 K    I   vpnuser03       vpnuser03
 6 K    I   vpnuser04       vpnuser04
 7 K    I   vpnuser05       vpnuser05
 8 K    I   vpnuser06       vpnuser06
 9 K    I   vpnuser07       vpnuser07
10 K    I   vpnuser08       vpnuser08
11 K    I   vpnuser09       vpnuser09
12 K    I   vpnuser10       vpnuser10
13 K    I   vpnuser11       vpnuser11
14 K    I   vpnuser12       vpnuser12
15 K    I   vpnuser13       vpnuser13
16 K    I   vpnuser14       vpnuser14
17 K    I   vpnuser15       vpnuser15
18 K    I   vpnuser16       vpnuser16
19 K    I   vpnuser17       vpnuser17
20 K    I   vpnuser18       vpnuser18
21 K    I   vpnuser19       vpnuser19
22 K    I   vpnuser20       vpnuser20

No certificates are printed:
 #    CERT                                                               LAST-UPDATE                 NUM    REVOKED URL
 
ATROX
newbie
Posts: 45
Joined: Mon Oct 14, 2013 2:10 pm

Re: OpenVPN client reports expired certificate even it is valid almost 10 years

Tue Jan 10, 2017 8:45 am

No certificates are printed:
 #    CERT                                                               LAST-UPDATE                 NUM    REVOKED URL

OK.
All right. Check the CRL distribution point of the root certificate and of the server and user certificates.
And read this:
https://en.wikipedia.org/wiki/Certifica ... ation_list
 
Arek
just joined
Posts: 3
Joined: Fri Mar 03, 2017 1:14 am

Re: OpenVPN client reports expired certificate even it is valid almost 10 years

Fri Mar 03, 2017 1:35 am

@ipavlik

Hello,

I have the same problem. I upgraded from version 6.38.1 to 6.38.3 and now I can't connect via OpenVPN (neither from the Windows client nor from the Asus router client):
Thu Mar 02 23:35:20 2017 OpenSSL: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired
Thu Mar 02 23:35:20 2017 OpenSSL: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
Thu Mar 02 23:35:20 2017 TLS_ERROR: BIO read tls_read_plaintext error
Thu Mar 02 23:35:20 2017 TLS Error: TLS object -> incoming plaintext read error
Thu Mar 02 23:35:20 2017 TLS Error: TLS handshake failed
Thu Mar 02 23:35:20 2017 Fatal TLS error (check_tls_errors_co), restarting
Thu Mar 02 23:35:20 2017 TCP/UDP: Closing socket
Thu Mar 02 23:35:20 2017 SIGUSR1[soft,tls-error] received, process restarting
Thu Mar 02 23:35:20 2017 MANAGEMENT: >STATE:1488494120,RECONNECTING,tls-error,,
Thu Mar 02 23:35:20 2017 Restart pause, 5 second(s)
The CA is valid, the server's certificate and the client's are also valid (they are valid for 10 years). When I turn off client certificate validation, everything works.

I've downgraded to 6.38.1 but it didn't help. The same problem. Maybe someone can help me?
 
Arek
just joined
Posts: 3
Joined: Fri Mar 03, 2017 1:14 am

Re: OpenVPN client reports expired certificate even it is valid almost 10 years

Tue Mar 21, 2017 1:27 pm

I've tried generating new 10-year certificates (CA, server and client) on MikroTik 6.38.5 but without success (the same problem during connection). Does anybody have the same issue?
 
ipavlik
just joined
Topic Author
Posts: 16
Joined: Thu Dec 22, 2016 3:47 pm

Re: OpenVPN client reports expired certificate even it is valid almost 10 years

Tue Mar 21, 2017 1:54 pm

Currently I don't have a solution and I'm using authentication without client certificates.
 
Arek
just joined
Posts: 3
Joined: Fri Mar 03, 2017 1:14 am

Re: OpenVPN client reports expired certificate even it is valid almost 10 years

Wed Mar 29, 2017 6:26 pm

I've got an answer from the Support Team:
Hello,

You have generated certificates with wrong CRL address.
ca-crl-host="127.0.0.1"

Of course the client will not be able to validate the certificate because it cannot get the CRL from 127.0.0.1

Best regards,
Maris

--
MikroTik.com

Now everything is OK.
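The support reply pins the failure on a CRL distribution point of 127.0.0.1 baked into the certificates, which is worth checking on any certificate that "looks valid" but is rejected by the peer. As an added example (not the support team's or MikroTik's code), the Python below audits the text form of a certificate as printed by openssl x509 -noout -text: it parses the validity dates and the CRL Distribution Points extension and flags a distribution point on a loopback or private address that a remote peer could never fetch. The sample dump, its dates, the URI and all function names are constructed; on RouterOS the address written into issued certificates comes from the CA's ca-crl-host setting named in the support reply, so that is the setting to correct before re-issuing.

```python
"""Audit an X.509 certificate dump for the failure mode in this thread: a
certificate well inside its validity period whose CRL distribution point
names an address (127.0.0.1) that the verifying peer can never reach."""
import ipaddress
import re
import subprocess
import sys
from datetime import datetime, timezone
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample of `openssl x509 -noout -text` output; dates, subject and
# the CRL URI are invented to mirror the thread's scenario, not a real cert.
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4 (0x4)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = CA
        Validity
            Not Before: Dec 22 13:00:00 2016 GMT
            Not After : Dec 20 13:00:00 2026 GMT
        Subject: CN = vpnuser01
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://127.0.0.1/crl/ca.crl

            X509v3 Extended Key Usage:
                TLS Web Client Authentication
"""


def parse_openssl_date(text: str) -> datetime:
    """openssl prints "Dec 22 13:00:00 2016 GMT" and pads single-digit days
    with an extra space ("Jan  9 ..."); collapsing whitespace handles both."""
    text = " ".join(text.split())
    if text.endswith(" GMT"):
        text = text[:-4]
    return datetime.strptime(text, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def crl_distribution_uris(dump: str) -> List[str]:
    """URIs listed under the CRL Distribution Points extension. Extension
    headers are indented 12 spaces, so the section ends at the next line
    indented exactly 12 spaces (or at end of text)."""
    m = re.search(r"CRL Distribution Points:(.*?)(?=\n {12}\S|\Z)", dump, re.DOTALL)
    return re.findall(r"URI:(\S+)", m.group(1)) if m else []


def classify_crl_host(uri: str) -> Optional[str]:
    """'loopback' or 'private' when no remote peer (or only a LAN peer) could
    fetch the CRL from this host; None for a DNS name or a public address."""
    host = urlsplit(uri).hostname
    if host is None:
        return "no host"
    if host == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # DNS name: reachability has to be checked out of band
    if ip.is_loopback:
        return "loopback"
    if ip.is_private or ip.is_link_local:
        return "private"
    return None


def audit_certificate(dump: str, now: Optional[datetime] = None) -> dict:
    now = now or datetime.now(timezone.utc)
    not_before = parse_openssl_date(re.search(r"Not Before\s*:\s*(.+)", dump).group(1))
    not_after = parse_openssl_date(re.search(r"Not After\s*:\s*(.+)", dump).group(1))
    within = not_before <= now <= not_after
    uris = crl_distribution_uris(dump)
    problems = []
    if not within:
        problems.append(f"outside validity period {not_before:%Y-%m-%d} .. {not_after:%Y-%m-%d}")
    for uri in uris:
        kind = classify_crl_host(uri)
        if kind == "loopback":
            problems.append(f"CRL distribution point {uri} is a loopback address: no peer can fetch the CRL")
        elif kind == "private":
            problems.append(f"CRL distribution point {uri} is a private address: only peers on that network can fetch the CRL")
        elif kind == "no host":
            problems.append(f"CRL distribution point {uri} has no host")
    return {"not_before": not_before, "not_after": not_after, "within_validity": within,
            "days_remaining": (not_after - now).days, "crl_uris": uris, "problems": problems}


def dump_certificate(path: str) -> str:
    """Produce the text form the audit reads, from a PEM file, via openssl."""
    return subprocess.run(["openssl", "x509", "-in", path, "-noout", "-text"],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    text = dump_certificate(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CERT_TEXT
    for key, value in audit_certificate(text).items():
        print(f"{key}: {value}")
```

On the sample the certificate is reported as inside its validity period and the only problem listed is the loopback distribution point, which is the combination the thread describes: dates fine, handshake still rejected. A DNS name in the URI is returned as "no problem" only because reachability from the verifying router has to be tested from that router, not from the machine running the audit.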
 
ipavlik
just joined
Topic Author
Posts: 16
Joined: Thu Dec 22, 2016 3:47 pm

Re: OpenVPN client reports expired certificate even it is valid almost 10 years

Wed May 03, 2017 8:51 am

It's not my case; I'm using a public IP address as the certificate subject.

I've got an answer from the Support Team:
Hello,

You have generated certificates with wrong CRL address.
ca-crl-host="127.0.0.1"

Of course the client will not be able to validate the certificate because it cannot get the CRL from 127.0.0.1

Best regards,
Maris

--
MikroTik.com
Now everything is OK.
 
ipavlik
just joined
Topic Author
Posts: 16
Joined: Thu Dec 22, 2016 3:47 pm

Re: OpenVPN client reports expired certificate even it is valid almost 10 years

Wed May 03, 2017 8:55 am

The same issue occurred on a different router after upgrading from 6.38.5 to 6.39.
But I don't think the upgrade affected this issue.
After disabling client cert. authentication on the router, I can connect.
Really strange, because the handshake fails with the server cert only when client cert. authentication is enabled.
Upgrading the client to 2.4.1 didn't help.
 
ipavlik
just joined
Topic Author
Posts: 16
Joined: Thu Dec 22, 2016 3:47 pm

Re: OpenVPN client reports expired certificate even it is valid almost 10 years

Wed May 03, 2017 9:42 am

So I revoked a client certificate on the router and it was reported as revoked instead of expired.
So the handshake error was reported for the client cert, not the server (the log is quite confusing I think).
However, the revoked client certificate was valid until the end of May; I don't understand why it was reported as expired.
On the first router, there are client certificates valid for almost 10 years into the future and they are reported as expired.
I generated a new client certificate for the next 10 years; it works well (but maybe only until next month :( ).
 
harambasha
just joined
Posts: 1
Joined: Tue Jun 20, 2017 6:38 pm

Re: OpenVPN client reports expired certificate even it is valid almost 10 years

Tue Jun 20, 2017 6:47 pm

Same problem here. It occurred after a power failure. Suddenly no one could connect to the OpenVPN server after the power came back. But when I disabled client certificate authentication it started to work.
So, is there a solution? How to revoke all certificates and start again? Or is there something better that I missed?
