
VPN fails to connect and loop with new certificate files

Status: RESOLVED FIXED
Product: Infrastructure & Operations
Component: Mozilla VPN: Support requests
Reporter: ybon, Unassigned

Description (Reporter)

3 years ago
It's certainly me who has not done this correctly, but the service desk suggested I open an issue, so here it is. :)

What I've done:

- went to https://login.mozilla.com/ and clicked "Revoke and Regenerate Certificate"
- downloaded new files
- replaced ca.crt and ta.key in my MozillaVPN folder
- replaced ca.crt, cert.crt, config.conf, key.key and ta.key in MozillaVPN.tblk/Contents/Resources
- ran the VPN from command line: cd /etc/openvpn/MozillaVPN && sudo openvpn --config MozillaVPN.ovpn --script-security 2

What I get:

Mon Jun 30 13:13:34 2014 DEPRECATED OPTION: --tls-remote, please update your configuration
Mon Jun 30 13:13:34 2014 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb  4 2014
Enter Auth Username:yboniface@mozilla.com
Enter Auth Password:
Mon Jun 30 13:13:42 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jun 30 13:13:42 2014 Control Channel Authentication: using 'private/ta.key' as a OpenVPN static key file
Mon Jun 30 13:13:42 2014 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jun 30 13:13:42 2014 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jun 30 13:13:42 2014 Socket Buffers: R=[212992->131072] S=[212992->131072]
Mon Jun 30 13:13:42 2014 UDPv4 link local: [undef]
Mon Jun 30 13:13:42 2014 UDPv4 link remote: [AF_INET]63.245.214.137:1194
Mon Jun 30 13:13:42 2014 TLS: Initial packet from [AF_INET]63.245.214.137:1194, sid=7e516b3d 61bca429
Mon Jun 30 13:13:42 2014 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Jun 30 13:13:43 2014 CRL CHECK OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/OU=Mozilla_Corporation_Root_Certificate_Services/CN=Mozilla_Root_CA/emailAddress=hostmaster@mozilla.com
Mon Jun 30 13:13:43 2014 VERIFY OK: depth=1, /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/OU=Mozilla_Corporation_Root_Certificate_Services/CN=Mozilla_Root_CA/emailAddress=hostmaster@mozilla.com
Mon Jun 30 13:13:43 2014 Validating certificate extended key usage
Mon Jun 30 13:13:43 2014 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Jun 30 13:13:43 2014 VERIFY EKU OK
Mon Jun 30 13:13:43 2014 VERIFY X509NAME OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 13:13:43 2014 CRL CHECK OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 13:13:43 2014 VERIFY OK: depth=0, /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 13:14:16 2014 [openvpn.scl3.mozilla.com] Inactivity timeout (--ping-restart), restarting
Mon Jun 30 13:14:16 2014 SIGUSR1[soft,ping-restart] received, process restarting
Mon Jun 30 13:14:16 2014 Restart pause, 2 second(s)
Mon Jun 30 13:14:18 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jun 30 13:14:18 2014 Socket Buffers: R=[87380->131072] S=[16384->131072]
Mon Jun 30 13:14:18 2014 Attempting to establish TCP connection with [AF_INET]63.245.214.137:1194 [nonblock]
Mon Jun 30 13:14:19 2014 TCP connection established with [AF_INET]63.245.214.137:1194
Mon Jun 30 13:14:19 2014 TCPv4_CLIENT link local: [undef]
Mon Jun 30 13:14:19 2014 TCPv4_CLIENT link remote: [AF_INET]63.245.214.137:1194
Mon Jun 30 13:14:19 2014 TLS: Initial packet from [AF_INET]63.245.214.137:1194, sid=f6be5e62 97eb1a2c
Mon Jun 30 13:14:23 2014 CRL CHECK OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/OU=Mozilla_Corporation_Root_Certificate_Services/CN=Mozilla_Root_CA/emailAddress=hostmaster@mozilla.com
Mon Jun 30 13:14:23 2014 VERIFY OK: depth=1, /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/OU=Mozilla_Corporation_Root_Certificate_Services/CN=Mozilla_Root_CA/emailAddress=hostmaster@mozilla.com
Mon Jun 30 13:14:23 2014 Validating certificate extended key usage
Mon Jun 30 13:14:23 2014 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Jun 30 13:14:23 2014 VERIFY EKU OK
Mon Jun 30 13:14:23 2014 VERIFY X509NAME OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 13:14:23 2014 CRL CHECK OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 13:14:23 2014 VERIFY OK: depth=0, /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 13:14:28 2014 Connection reset, restarting [0]
Mon Jun 30 13:14:28 2014 SIGUSR1[soft,connection-reset] received, process restarting
Mon Jun 30 13:14:28 2014 Restart pause, 5 second(s)

And then it loops trying to connect.


VPN was working last time I needed it, which was around June 15th.

Thanks for your help!

Comment 1

I can confirm this exact same behavior happening to me:

Mon Jun 30 12:25:14 2014 DEPRECATED OPTION: --tls-remote, please update your configuration
Mon Jun 30 12:25:14 2014 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb  4 2014
Mon Jun 30 12:25:14 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jun 30 12:25:14 2014 WARNING: file '/etc/openvpn/private/ta.key' is group or others accessible
Mon Jun 30 12:25:14 2014 Control Channel Authentication: using '/etc/openvpn/private/ta.key' as a OpenVPN static key file
Mon Jun 30 12:25:14 2014 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jun 30 12:25:14 2014 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jun 30 12:25:14 2014 Socket Buffers: R=[212992->131072] S=[212992->131072]
Mon Jun 30 12:25:14 2014 UDPv4 link local: [undef]
Mon Jun 30 12:25:14 2014 UDPv4 link remote: [AF_INET]63.245.214.137:1194
Mon Jun 30 12:25:14 2014 TLS: Initial packet from [AF_INET]63.245.214.137:1194, sid=a3386b26 c0fa1641
Mon Jun 30 12:25:14 2014 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Jun 30 12:25:17 2014 CRL CHECK OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/OU=Mozilla_Corporation_Root_Certificate_Services/CN=Mozilla_Root_CA/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:25:17 2014 VERIFY OK: depth=1, /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/OU=Mozilla_Corporation_Root_Certificate_Services/CN=Mozilla_Root_CA/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:25:17 2014 Validating certificate extended key usage
Mon Jun 30 12:25:17 2014 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Jun 30 12:25:17 2014 VERIFY EKU OK
Mon Jun 30 12:25:17 2014 VERIFY X509NAME OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:25:17 2014 CRL CHECK OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:25:17 2014 VERIFY OK: depth=0, /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:25:49 2014 [openvpn.scl3.mozilla.com] Inactivity timeout (--ping-restart), restarting
Mon Jun 30 12:25:49 2014 SIGUSR1[soft,ping-restart] received, process restarting
Mon Jun 30 12:25:49 2014 Restart pause, 2 second(s)
Mon Jun 30 12:25:51 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jun 30 12:25:51 2014 Socket Buffers: R=[87380->131072] S=[16384->131072]
Mon Jun 30 12:25:51 2014 Attempting to establish TCP connection with [AF_INET]63.245.214.137:1194 [nonblock]
Mon Jun 30 12:25:52 2014 TCP connection established with [AF_INET]63.245.214.137:1194
Mon Jun 30 12:25:52 2014 TCPv4_CLIENT link local: [undef]
Mon Jun 30 12:25:52 2014 TCPv4_CLIENT link remote: [AF_INET]63.245.214.137:1194
Mon Jun 30 12:25:53 2014 TLS: Initial packet from [AF_INET]63.245.214.137:1194, sid=7a3393ea fe51609c
Mon Jun 30 12:26:00 2014 CRL CHECK OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/OU=Mozilla_Corporation_Root_Certificate_Services/CN=Mozilla_Root_CA/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:00 2014 VERIFY OK: depth=1, /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/OU=Mozilla_Corporation_Root_Certificate_Services/CN=Mozilla_Root_CA/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:00 2014 Validating certificate extended key usage
Mon Jun 30 12:26:00 2014 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Jun 30 12:26:00 2014 VERIFY EKU OK
Mon Jun 30 12:26:00 2014 VERIFY X509NAME OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:00 2014 CRL CHECK OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:00 2014 VERIFY OK: depth=0, /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:08 2014 Connection reset, restarting [0]
Mon Jun 30 12:26:08 2014 SIGUSR1[soft,connection-reset] received, process restarting
Mon Jun 30 12:26:08 2014 Restart pause, 5 second(s)
Mon Jun 30 12:26:13 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jun 30 12:26:13 2014 Socket Buffers: R=[87380->131072] S=[16384->131072]
Mon Jun 30 12:26:13 2014 Attempting to establish TCP connection with [AF_INET]63.245.214.137:443 [nonblock]
Mon Jun 30 12:26:14 2014 TCP connection established with [AF_INET]63.245.214.137:443
Mon Jun 30 12:26:14 2014 TCPv4_CLIENT link local: [undef]
Mon Jun 30 12:26:14 2014 TCPv4_CLIENT link remote: [AF_INET]63.245.214.137:443
Mon Jun 30 12:26:14 2014 TLS: Initial packet from [AF_INET]63.245.214.137:443, sid=ed2d221a 4f152ba4
Mon Jun 30 12:26:21 2014 CRL CHECK OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/OU=Mozilla_Corporation_Root_Certificate_Services/CN=Mozilla_Root_CA/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:21 2014 VERIFY OK: depth=1, /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/OU=Mozilla_Corporation_Root_Certificate_Services/CN=Mozilla_Root_CA/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:21 2014 Validating certificate extended key usage
Mon Jun 30 12:26:21 2014 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Jun 30 12:26:21 2014 VERIFY EKU OK
Mon Jun 30 12:26:21 2014 VERIFY X509NAME OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:21 2014 CRL CHECK OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:21 2014 VERIFY OK: depth=0, /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:30 2014 Connection reset, restarting [0]
Mon Jun 30 12:26:30 2014 SIGUSR1[soft,connection-reset] received, process restarting
Mon Jun 30 12:26:30 2014 Restart pause, 5 second(s)
Mon Jun 30 12:26:35 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jun 30 12:26:35 2014 Socket Buffers: R=[87380->131072] S=[16384->131072]
Mon Jun 30 12:26:35 2014 Attempting to establish TCP connection with [AF_INET]63.245.214.137:80 [nonblock]
Mon Jun 30 12:26:36 2014 TCP connection established with [AF_INET]63.245.214.137:80
Mon Jun 30 12:26:36 2014 TCPv4_CLIENT link local: [undef]
Mon Jun 30 12:26:36 2014 TCPv4_CLIENT link remote: [AF_INET]63.245.214.137:80
Mon Jun 30 12:26:36 2014 TLS: Initial packet from [AF_INET]63.245.214.137:80, sid=767303b1 1eb8ea22
Mon Jun 30 12:26:41 2014 CRL CHECK OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/OU=Mozilla_Corporation_Root_Certificate_Services/CN=Mozilla_Root_CA/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:41 2014 VERIFY OK: depth=1, /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/OU=Mozilla_Corporation_Root_Certificate_Services/CN=Mozilla_Root_CA/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:41 2014 Validating certificate extended key usage
Mon Jun 30 12:26:41 2014 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Jun 30 12:26:41 2014 VERIFY EKU OK
Mon Jun 30 12:26:41 2014 VERIFY X509NAME OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:41 2014 CRL CHECK OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:41 2014 VERIFY OK: depth=0, /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:47 2014 Connection reset, restarting [0]
Mon Jun 30 12:26:47 2014 SIGUSR1[soft,connection-reset] received, process restarting
Mon Jun 30 12:26:47 2014 Restart pause, 5 second(s)
Mon Jun 30 12:26:52 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jun 30 12:26:52 2014 Socket Buffers: R=[212992->131072] S=[212992->131072]
Mon Jun 30 12:26:53 2014 UDPv4 link local: [undef]
Mon Jun 30 12:26:53 2014 UDPv4 link remote: [AF_INET]63.245.214.137:1194
Mon Jun 30 12:26:53 2014 TLS: Initial packet from [AF_INET]63.245.214.137:1194, sid=cccaa3cc c580d006
Mon Jun 30 12:26:54 2014 CRL CHECK OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/OU=Mozilla_Corporation_Root_Certificate_Services/CN=Mozilla_Root_CA/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:54 2014 VERIFY OK: depth=1, /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/OU=Mozilla_Corporation_Root_Certificate_Services/CN=Mozilla_Root_CA/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:54 2014 Validating certificate extended key usage
Mon Jun 30 12:26:54 2014 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Jun 30 12:26:54 2014 VERIFY EKU OK
Mon Jun 30 12:26:54 2014 VERIFY X509NAME OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:54 2014 CRL CHECK OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:54 2014 VERIFY OK: depth=0, /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:27:26 2014 [openvpn.scl3.mozilla.com] Inactivity timeout (--ping-restart), restarting
Mon Jun 30 12:27:26 2014 SIGUSR1[soft,ping-restart] received, process restarting
Mon Jun 30 12:27:26 2014 Restart pause, 2 second(s)
...
(and over and over)

Comment 2

3 years ago
It sounds like you've just replaced the certificates, but kept the old configuration. While this should be a valid approach, just for troubleshooting purposes, could you try downloading the configuration bundle from login.mozilla.com and point the openvpn client at the config.conf in it as-is?

If this works, then it's possible some other option has changed (I think the tls-remote option has been deprecated, possibly other changes), so diffing Mozilla.ovpn and the new config.conf could give a hint.
Comment 3 (Reporter)

3 years ago
Thanks, that worked!

1. Download the "Certificate" bundle
2. Edit the config.conf file
3. Add these three lines at the end of the file:

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

4. Then run the command line with this config file:

sudo openvpn --config config.conf

5. Remove the useless old files (previous bundle)

Thanks again!
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
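The troubleshooting in Comment 2 (diff the old .ovpn against the new config.conf, watch for the deprecated tls-remote option the log complains about) and the fix in Comment 3 (use the downloaded config.conf as-is and append the three resolv hook lines), scripted as an added example that is not part of the bug or of Mozilla's own tooling. The config file contents are constructed for the demo, and the hook path /etc/openvpn/update-resolv-conf is assumed from the reporter's steps.

```shell
#!/bin/sh
# Added example (not from the bug or from Mozilla): scripts the fix in Comment 3
# and the diff hint in Comment 2. The config contents are constructed for the
# demo and the hook path is an assumption taken from the reporter's steps.
HOOK=/etc/openvpn/update-resolv-conf
# Effective options only: drop comments and blank lines, sort for comparison.
effective_options() {
    grep -Ev '^[[:space:]]*(#|;|$)' "$1" | sort
}

# Show old-vs-new option changes; returns 1 when the two configs differ.
diff_configs() {
    a=$(mktemp); b=$(mktemp)
    effective_options "$1" > "$a"
    effective_options "$2" > "$b"
    if diff "$a" "$b"; then rc=0; else rc=1; fi
    rm -f "$a" "$b"
    return $rc
}

# Succeeds and prints the line when a config still uses tls-remote, the
# option the OpenVPN 2.3 client in the log reports as DEPRECATED.
uses_tls_remote() {
    grep -E '^[[:space:]]*tls-remote([[:space:]]|$)' "$1"
}

# Append Comment 3's three lines exactly once, so re-runs stay idempotent.
add_resolv_hooks() {
    grep -q "^up $HOOK\$" "$1" && return 0
    printf '%s\n' "script-security 2" "up $HOOK" "down $HOOK" >> "$1"
}

# --- constructed demo input: a stale .ovpn and a freshly downloaded config.conf ---
WORK=$(mktemp -d)
OLD="$WORK/MozillaVPN.ovpn"; NEW="$WORK/config.conf"
printf '%s\n' client 'dev tun' 'remote openvpn.scl3.mozilla.com 1194 udp' \
    'tls-remote openvpn.scl3.mozilla.com' 'ca ca.crt' 'cert cert.crt' \
    'key key.key' 'tls-auth ta.key 1' > "$OLD"
printf '%s\n' client 'dev tun' 'remote openvpn.scl3.mozilla.com 1194 udp' \
    '# constructed stand-in: tls-remote replaced by its OpenVPN 2.3 successor' \
    'verify-x509-name openvpn.scl3.mozilla.com name' 'ca ca.crt' \
    'cert cert.crt' 'key key.key' 'tls-auth ta.key 1' > "$NEW"

echo "== effective option changes (old < > new) =="
diff_configs "$OLD" "$NEW" || true
uses_tls_remote "$OLD" && echo "^ old config still carries the deprecated option"
add_resolv_hooks "$NEW"
add_resolv_hooks "$NEW"    # second run must not duplicate the lines
echo "== tail of patched config.conf =="; tail -n 3 "$NEW"
```

Point diff_configs at your real MozillaVPN.ovpn and the bundle's config.conf to see which server-side options moved, then run add_resolv_hooks on the new file before handing it to openvpn --config.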
Comment 4

Same here, works correctly, thanks!