Closed
Bug 1032141
Opened 10 years ago
Closed 10 years ago
VPN fails to connect and loop with new certificate files
Categories
(Infrastructure & Operations :: Corporate VPN: Support requests, task)
x86_64
Linux
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: yboniface, Unassigned)
Details
It's certainly me that has not done it correctly, but I was advised by the service desk to open an issue, so here it is. :)

What I've done:
- went to https://login.mozilla.com/ and clicked "Revoke and Regenerate Certificate"
- downloaded new files
- replaced ca.crt and ta.key in my MozillaVPN folder
- replaced ca.crt, cert.crt, config.conf, key.key and ta.key in MozillaVPN.tblk/Contents/Resources
- ran the VPN from command line: cd /etc/openvpn/MozillaVPN && sudo openvpn --config MozillaVPN.ovpn --script-security 2

What I get:

Mon Jun 30 13:13:34 2014 DEPRECATED OPTION: --tls-remote, please update your configuration
Mon Jun 30 13:13:34 2014 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb 4 2014
Enter Auth Username:yboniface@mozilla.com
Enter Auth Password:
Mon Jun 30 13:13:42 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jun 30 13:13:42 2014 Control Channel Authentication: using 'private/ta.key' as a OpenVPN static key file
Mon Jun 30 13:13:42 2014 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jun 30 13:13:42 2014 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jun 30 13:13:42 2014 Socket Buffers: R=[212992->131072] S=[212992->131072]
Mon Jun 30 13:13:42 2014 UDPv4 link local: [undef]
Mon Jun 30 13:13:42 2014 UDPv4 link remote: [AF_INET]63.245.214.137:1194
Mon Jun 30 13:13:42 2014 TLS: Initial packet from [AF_INET]63.245.214.137:1194, sid=7e516b3d 61bca429
Mon Jun 30 13:13:42 2014 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Jun 30 13:13:43 2014 CRL CHECK OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/OU=Mozilla_Corporation_Root_Certificate_Services/CN=Mozilla_Root_CA/emailAddress=hostmaster@mozilla.com
Mon Jun 30 13:13:43 2014 VERIFY OK: depth=1, /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/OU=Mozilla_Corporation_Root_Certificate_Services/CN=Mozilla_Root_CA/emailAddress=hostmaster@mozilla.com
Mon Jun 30 13:13:43 2014 Validating certificate extended key usage
Mon Jun 30 13:13:43 2014 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Jun 30 13:13:43 2014 VERIFY EKU OK
Mon Jun 30 13:13:43 2014 VERIFY X509NAME OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 13:13:43 2014 CRL CHECK OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 13:13:43 2014 VERIFY OK: depth=0, /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 13:14:16 2014 [openvpn.scl3.mozilla.com] Inactivity timeout (--ping-restart), restarting
Mon Jun 30 13:14:16 2014 SIGUSR1[soft,ping-restart] received, process restarting
Mon Jun 30 13:14:16 2014 Restart pause, 2 second(s)
Mon Jun 30 13:14:18 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jun 30 13:14:18 2014 Socket Buffers: R=[87380->131072] S=[16384->131072]
Mon Jun 30 13:14:18 2014 Attempting to establish TCP connection with [AF_INET]63.245.214.137:1194 [nonblock]
Mon Jun 30 13:14:19 2014 TCP connection established with [AF_INET]63.245.214.137:1194
Mon Jun 30 13:14:19 2014 TCPv4_CLIENT link local: [undef]
Mon Jun 30 13:14:19 2014 TCPv4_CLIENT link remote: [AF_INET]63.245.214.137:1194
Mon Jun 30 13:14:19 2014 TLS: Initial packet from [AF_INET]63.245.214.137:1194, sid=f6be5e62 97eb1a2c
Mon Jun 30 13:14:23 2014 CRL CHECK OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/OU=Mozilla_Corporation_Root_Certificate_Services/CN=Mozilla_Root_CA/emailAddress=hostmaster@mozilla.com
Mon Jun 30 13:14:23 2014 VERIFY OK: depth=1, /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/OU=Mozilla_Corporation_Root_Certificate_Services/CN=Mozilla_Root_CA/emailAddress=hostmaster@mozilla.com
Mon Jun 30 13:14:23 2014 Validating certificate extended key usage
Mon Jun 30 13:14:23 2014 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Jun 30 13:14:23 2014 VERIFY EKU OK
Mon Jun 30 13:14:23 2014 VERIFY X509NAME OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 13:14:23 2014 CRL CHECK OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 13:14:23 2014 VERIFY OK: depth=0, /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 13:14:28 2014 Connection reset, restarting [0]
Mon Jun 30 13:14:28 2014 SIGUSR1[soft,connection-reset] received, process restarting
Mon Jun 30 13:14:28 2014 Restart pause, 5 second(s)

And then looping trying to connect. VPN was working last time I needed it, which was around June 15th. Thanks for your help!
Comment 1•10 years ago
I can confirm this exact same behavior happening to me:

Mon Jun 30 12:25:14 2014 DEPRECATED OPTION: --tls-remote, please update your configuration
Mon Jun 30 12:25:14 2014 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb 4 2014
Mon Jun 30 12:25:14 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jun 30 12:25:14 2014 WARNING: file '/etc/openvpn/private/ta.key' is group or others accessible
Mon Jun 30 12:25:14 2014 Control Channel Authentication: using '/etc/openvpn/private/ta.key' as a OpenVPN static key file
Mon Jun 30 12:25:14 2014 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jun 30 12:25:14 2014 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jun 30 12:25:14 2014 Socket Buffers: R=[212992->131072] S=[212992->131072]
Mon Jun 30 12:25:14 2014 UDPv4 link local: [undef]
Mon Jun 30 12:25:14 2014 UDPv4 link remote: [AF_INET]63.245.214.137:1194
Mon Jun 30 12:25:14 2014 TLS: Initial packet from [AF_INET]63.245.214.137:1194, sid=a3386b26 c0fa1641
Mon Jun 30 12:25:14 2014 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Jun 30 12:25:17 2014 CRL CHECK OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/OU=Mozilla_Corporation_Root_Certificate_Services/CN=Mozilla_Root_CA/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:25:17 2014 VERIFY OK: depth=1, /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/OU=Mozilla_Corporation_Root_Certificate_Services/CN=Mozilla_Root_CA/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:25:17 2014 Validating certificate extended key usage
Mon Jun 30 12:25:17 2014 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Jun 30 12:25:17 2014 VERIFY EKU OK
Mon Jun 30 12:25:17 2014 VERIFY X509NAME OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:25:17 2014 CRL CHECK OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:25:17 2014 VERIFY OK: depth=0, /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:25:49 2014 [openvpn.scl3.mozilla.com] Inactivity timeout (--ping-restart), restarting
Mon Jun 30 12:25:49 2014 SIGUSR1[soft,ping-restart] received, process restarting
Mon Jun 30 12:25:49 2014 Restart pause, 2 second(s)
Mon Jun 30 12:25:51 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jun 30 12:25:51 2014 Socket Buffers: R=[87380->131072] S=[16384->131072]
Mon Jun 30 12:25:51 2014 Attempting to establish TCP connection with [AF_INET]63.245.214.137:1194 [nonblock]
Mon Jun 30 12:25:52 2014 TCP connection established with [AF_INET]63.245.214.137:1194
Mon Jun 30 12:25:52 2014 TCPv4_CLIENT link local: [undef]
Mon Jun 30 12:25:52 2014 TCPv4_CLIENT link remote: [AF_INET]63.245.214.137:1194
Mon Jun 30 12:25:53 2014 TLS: Initial packet from [AF_INET]63.245.214.137:1194, sid=7a3393ea fe51609c
Mon Jun 30 12:26:00 2014 CRL CHECK OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/OU=Mozilla_Corporation_Root_Certificate_Services/CN=Mozilla_Root_CA/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:00 2014 VERIFY OK: depth=1, /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/OU=Mozilla_Corporation_Root_Certificate_Services/CN=Mozilla_Root_CA/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:00 2014 Validating certificate extended key usage
Mon Jun 30 12:26:00 2014 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Jun 30 12:26:00 2014 VERIFY EKU OK
Mon Jun 30 12:26:00 2014 VERIFY X509NAME OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:00 2014 CRL CHECK OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:00 2014 VERIFY OK: depth=0, /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:08 2014 Connection reset, restarting [0]
Mon Jun 30 12:26:08 2014 SIGUSR1[soft,connection-reset] received, process restarting
Mon Jun 30 12:26:08 2014 Restart pause, 5 second(s)
Mon Jun 30 12:26:13 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jun 30 12:26:13 2014 Socket Buffers: R=[87380->131072] S=[16384->131072]
Mon Jun 30 12:26:13 2014 Attempting to establish TCP connection with [AF_INET]63.245.214.137:443 [nonblock]
Mon Jun 30 12:26:14 2014 TCP connection established with [AF_INET]63.245.214.137:443
Mon Jun 30 12:26:14 2014 TCPv4_CLIENT link local: [undef]
Mon Jun 30 12:26:14 2014 TCPv4_CLIENT link remote: [AF_INET]63.245.214.137:443
Mon Jun 30 12:26:14 2014 TLS: Initial packet from [AF_INET]63.245.214.137:443, sid=ed2d221a 4f152ba4
Mon Jun 30 12:26:21 2014 CRL CHECK OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/OU=Mozilla_Corporation_Root_Certificate_Services/CN=Mozilla_Root_CA/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:21 2014 VERIFY OK: depth=1, /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/OU=Mozilla_Corporation_Root_Certificate_Services/CN=Mozilla_Root_CA/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:21 2014 Validating certificate extended key usage
Mon Jun 30 12:26:21 2014 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Jun 30 12:26:21 2014 VERIFY EKU OK
Mon Jun 30 12:26:21 2014 VERIFY X509NAME OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:21 2014 CRL CHECK OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:21 2014 VERIFY OK: depth=0, /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:30 2014 Connection reset, restarting [0]
Mon Jun 30 12:26:30 2014 SIGUSR1[soft,connection-reset] received, process restarting
Mon Jun 30 12:26:30 2014 Restart pause, 5 second(s)
Mon Jun 30 12:26:35 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jun 30 12:26:35 2014 Socket Buffers: R=[87380->131072] S=[16384->131072]
Mon Jun 30 12:26:35 2014 Attempting to establish TCP connection with [AF_INET]63.245.214.137:80 [nonblock]
Mon Jun 30 12:26:36 2014 TCP connection established with [AF_INET]63.245.214.137:80
Mon Jun 30 12:26:36 2014 TCPv4_CLIENT link local: [undef]
Mon Jun 30 12:26:36 2014 TCPv4_CLIENT link remote: [AF_INET]63.245.214.137:80
Mon Jun 30 12:26:36 2014 TLS: Initial packet from [AF_INET]63.245.214.137:80, sid=767303b1 1eb8ea22
Mon Jun 30 12:26:41 2014 CRL CHECK OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/OU=Mozilla_Corporation_Root_Certificate_Services/CN=Mozilla_Root_CA/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:41 2014 VERIFY OK: depth=1, /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/OU=Mozilla_Corporation_Root_Certificate_Services/CN=Mozilla_Root_CA/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:41 2014 Validating certificate extended key usage
Mon Jun 30 12:26:41 2014 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Jun 30 12:26:41 2014 VERIFY EKU OK
Mon Jun 30 12:26:41 2014 VERIFY X509NAME OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:41 2014 CRL CHECK OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:41 2014 VERIFY OK: depth=0, /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:47 2014 Connection reset, restarting [0]
Mon Jun 30 12:26:47 2014 SIGUSR1[soft,connection-reset] received, process restarting
Mon Jun 30 12:26:47 2014 Restart pause, 5 second(s)
Mon Jun 30 12:26:52 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jun 30 12:26:52 2014 Socket Buffers: R=[212992->131072] S=[212992->131072]
Mon Jun 30 12:26:53 2014 UDPv4 link local: [undef]
Mon Jun 30 12:26:53 2014 UDPv4 link remote: [AF_INET]63.245.214.137:1194
Mon Jun 30 12:26:53 2014 TLS: Initial packet from [AF_INET]63.245.214.137:1194, sid=cccaa3cc c580d006
Mon Jun 30 12:26:54 2014 CRL CHECK OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/OU=Mozilla_Corporation_Root_Certificate_Services/CN=Mozilla_Root_CA/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:54 2014 VERIFY OK: depth=1, /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/OU=Mozilla_Corporation_Root_Certificate_Services/CN=Mozilla_Root_CA/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:54 2014 Validating certificate extended key usage
Mon Jun 30 12:26:54 2014 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Jun 30 12:26:54 2014 VERIFY EKU OK
Mon Jun 30 12:26:54 2014 VERIFY X509NAME OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:54 2014 CRL CHECK OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:54 2014 VERIFY OK: depth=0, /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:27:26 2014 [openvpn.scl3.mozilla.com] Inactivity timeout (--ping-restart), restarting
Mon Jun 30 12:27:26 2014 SIGUSR1[soft,ping-restart] received, process restarting
Mon Jun 30 12:27:26 2014 Restart pause, 2 second(s)
... (and over and over)
Comment 2•10 years ago
It sounds like you've just replaced the certificates, but kept the old configuration. While this should be a valid approach, just for troubleshooting purposes, could you try downloading the configuration bundle from login.mozilla.com and point the openvpn client at the config.conf in it as-is? If this works, then it's possible some other option has changed (I think the tls-remote option has been deprecated, possibly other changes), so diffing Mozilla.ovpn and the new config.conf could give a hint.
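The diff suggested in Comment 2, as an added example that is not part of the bug thread or of Mozilla's tooling: a directive-level comparison of two OpenVPN profiles that ignores ordering, comments and inline key material. The two profiles are constructed samples, and vpn.example.com and the function names are assumptions.

```python
import shlex

DEPRECATED = {"tls-remote"}  # flagged as deprecated in the OpenVPN 2.3.2 log on this page

def parse_config(text):
    """Map directive -> sorted argument tuples; skip comments and inline <block> bodies."""
    directives, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:  # inside inline material such as <ca> ... </ca>
            inline = None if line == f"</{inline}>" else inline
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]
            line = f"{inline} [inline]"
        name, *args = shlex.split(line, comments=True)
        directives.setdefault(name.lstrip("-"), []).append(tuple(args))
    return {k: sorted(v) for k, v in directives.items()}

def diff_configs(old_text, new_text):
    """Directive-level diff: set only in old, only in new, or with different arguments."""
    old, new = parse_config(old_text), parse_config(new_text)
    return {
        "only_old": sorted(old.keys() - new.keys()),
        "only_new": sorted(new.keys() - old.keys()),
        "changed": {k: (old[k], new[k]) for k in sorted(old.keys() & new.keys()) if old[k] != new[k]},
        "deprecated_in_old": sorted(DEPRECATED & set(old)),
    }

# Constructed sample profiles (not Mozilla's real files): old hand-edited .ovpn vs. fresh config.conf.
OLD = """\
remote vpn.example.com 1194 udp
tls-remote vpn.example.com
tls-auth private/ta.key 1
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
"""
NEW = """\
remote vpn.example.com 1194 udp
verify-x509-name vpn.example.com name
cert cert.crt
key key.key
tls-auth ta.key 1
"""

if __name__ == "__main__":
    print(diff_configs(OLD, NEW))
```

Entries under `only_old` are the local additions (here the resolver hooks) that have to be carried over by hand when switching to the downloaded profile.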
Reporter
Comment 3•10 years ago
Thanks, that worked!

1. download the "Certificate" bundle
2. edit config.conf file
3. add those three lines at the end of the file
   script-security 2
   up /etc/openvpn/update-resolv-conf
   down /etc/openvpn/update-resolv-conf
4. Then run the command line with this config file: sudo openvpn --config config.conf
5. Remove useless old files (previous bundle)

Thanks again!
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Comment 4•10 years ago
Same here, works correctly, thanks!