Closed Bug 1032141 Opened 10 years ago Closed 10 years ago

VPN fails to connect and loop with new certificate files

Category: Infrastructure & Operations :: Corporate VPN: Support requests
Platform: x86_64 Linux
Type: task
Priority: Not set
Severity: normal
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter yboniface, Unassigned

Details

It's certainly me who has not done it correctly, but the service desk suggested that I open an issue, so here it is. :)

What I've done:

- went to https://login.mozilla.com/ and clicked "Revoke and Regenerate Certificate"
- downloaded new files
- replaced ca.crt and ta.key in my MozillaVPN folder
- replaced ca.crt, cert.crt, config.conf, key.key and ta.key in MozillaVPN.tblk/Contents/Resources
- ran the VPN from command line: cd /etc/openvpn/MozillaVPN && sudo openvpn --config MozillaVPN.ovpn --script-security 2

What I get:

Mon Jun 30 13:13:34 2014 DEPRECATED OPTION: --tls-remote, please update your configuration
Mon Jun 30 13:13:34 2014 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb  4 2014
Enter Auth Username:yboniface@mozilla.com
Enter Auth Password:
Mon Jun 30 13:13:42 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jun 30 13:13:42 2014 Control Channel Authentication: using 'private/ta.key' as a OpenVPN static key file
Mon Jun 30 13:13:42 2014 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jun 30 13:13:42 2014 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jun 30 13:13:42 2014 Socket Buffers: R=[212992->131072] S=[212992->131072]
Mon Jun 30 13:13:42 2014 UDPv4 link local: [undef]
Mon Jun 30 13:13:42 2014 UDPv4 link remote: [AF_INET]63.245.214.137:1194
Mon Jun 30 13:13:42 2014 TLS: Initial packet from [AF_INET]63.245.214.137:1194, sid=7e516b3d 61bca429
Mon Jun 30 13:13:42 2014 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Jun 30 13:13:43 2014 CRL CHECK OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/OU=Mozilla_Corporation_Root_Certificate_Services/CN=Mozilla_Root_CA/emailAddress=hostmaster@mozilla.com
Mon Jun 30 13:13:43 2014 VERIFY OK: depth=1, /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/OU=Mozilla_Corporation_Root_Certificate_Services/CN=Mozilla_Root_CA/emailAddress=hostmaster@mozilla.com
Mon Jun 30 13:13:43 2014 Validating certificate extended key usage
Mon Jun 30 13:13:43 2014 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Jun 30 13:13:43 2014 VERIFY EKU OK
Mon Jun 30 13:13:43 2014 VERIFY X509NAME OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 13:13:43 2014 CRL CHECK OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 13:13:43 2014 VERIFY OK: depth=0, /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 13:14:16 2014 [openvpn.scl3.mozilla.com] Inactivity timeout (--ping-restart), restarting
Mon Jun 30 13:14:16 2014 SIGUSR1[soft,ping-restart] received, process restarting
Mon Jun 30 13:14:16 2014 Restart pause, 2 second(s)
Mon Jun 30 13:14:18 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jun 30 13:14:18 2014 Socket Buffers: R=[87380->131072] S=[16384->131072]
Mon Jun 30 13:14:18 2014 Attempting to establish TCP connection with [AF_INET]63.245.214.137:1194 [nonblock]
Mon Jun 30 13:14:19 2014 TCP connection established with [AF_INET]63.245.214.137:1194
Mon Jun 30 13:14:19 2014 TCPv4_CLIENT link local: [undef]
Mon Jun 30 13:14:19 2014 TCPv4_CLIENT link remote: [AF_INET]63.245.214.137:1194
Mon Jun 30 13:14:19 2014 TLS: Initial packet from [AF_INET]63.245.214.137:1194, sid=f6be5e62 97eb1a2c
Mon Jun 30 13:14:23 2014 CRL CHECK OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/OU=Mozilla_Corporation_Root_Certificate_Services/CN=Mozilla_Root_CA/emailAddress=hostmaster@mozilla.com
Mon Jun 30 13:14:23 2014 VERIFY OK: depth=1, /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/OU=Mozilla_Corporation_Root_Certificate_Services/CN=Mozilla_Root_CA/emailAddress=hostmaster@mozilla.com
Mon Jun 30 13:14:23 2014 Validating certificate extended key usage
Mon Jun 30 13:14:23 2014 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Jun 30 13:14:23 2014 VERIFY EKU OK
Mon Jun 30 13:14:23 2014 VERIFY X509NAME OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 13:14:23 2014 CRL CHECK OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 13:14:23 2014 VERIFY OK: depth=0, /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 13:14:28 2014 Connection reset, restarting [0]
Mon Jun 30 13:14:28 2014 SIGUSR1[soft,connection-reset] received, process restarting
Mon Jun 30 13:14:28 2014 Restart pause, 5 second(s)

And then looping trying to connect.


VPN was working last time I needed it, which was around June 15th.

Thanks for your help!

I can confirm this exact same behavior happening to me:

Mon Jun 30 12:25:14 2014 DEPRECATED OPTION: --tls-remote, please update your configuration
Mon Jun 30 12:25:14 2014 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb  4 2014
Mon Jun 30 12:25:14 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jun 30 12:25:14 2014 WARNING: file '/etc/openvpn/private/ta.key' is group or others accessible
Mon Jun 30 12:25:14 2014 Control Channel Authentication: using '/etc/openvpn/private/ta.key' as a OpenVPN static key file
Mon Jun 30 12:25:14 2014 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jun 30 12:25:14 2014 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jun 30 12:25:14 2014 Socket Buffers: R=[212992->131072] S=[212992->131072]
Mon Jun 30 12:25:14 2014 UDPv4 link local: [undef]
Mon Jun 30 12:25:14 2014 UDPv4 link remote: [AF_INET]63.245.214.137:1194
Mon Jun 30 12:25:14 2014 TLS: Initial packet from [AF_INET]63.245.214.137:1194, sid=a3386b26 c0fa1641
Mon Jun 30 12:25:14 2014 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Jun 30 12:25:17 2014 CRL CHECK OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/OU=Mozilla_Corporation_Root_Certificate_Services/CN=Mozilla_Root_CA/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:25:17 2014 VERIFY OK: depth=1, /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/OU=Mozilla_Corporation_Root_Certificate_Services/CN=Mozilla_Root_CA/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:25:17 2014 Validating certificate extended key usage
Mon Jun 30 12:25:17 2014 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Jun 30 12:25:17 2014 VERIFY EKU OK
Mon Jun 30 12:25:17 2014 VERIFY X509NAME OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:25:17 2014 CRL CHECK OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:25:17 2014 VERIFY OK: depth=0, /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:25:49 2014 [openvpn.scl3.mozilla.com] Inactivity timeout (--ping-restart), restarting
Mon Jun 30 12:25:49 2014 SIGUSR1[soft,ping-restart] received, process restarting
Mon Jun 30 12:25:49 2014 Restart pause, 2 second(s)
Mon Jun 30 12:25:51 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jun 30 12:25:51 2014 Socket Buffers: R=[87380->131072] S=[16384->131072]
Mon Jun 30 12:25:51 2014 Attempting to establish TCP connection with [AF_INET]63.245.214.137:1194 [nonblock]
Mon Jun 30 12:25:52 2014 TCP connection established with [AF_INET]63.245.214.137:1194
Mon Jun 30 12:25:52 2014 TCPv4_CLIENT link local: [undef]
Mon Jun 30 12:25:52 2014 TCPv4_CLIENT link remote: [AF_INET]63.245.214.137:1194
Mon Jun 30 12:25:53 2014 TLS: Initial packet from [AF_INET]63.245.214.137:1194, sid=7a3393ea fe51609c
Mon Jun 30 12:26:00 2014 CRL CHECK OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/OU=Mozilla_Corporation_Root_Certificate_Services/CN=Mozilla_Root_CA/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:00 2014 VERIFY OK: depth=1, /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/OU=Mozilla_Corporation_Root_Certificate_Services/CN=Mozilla_Root_CA/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:00 2014 Validating certificate extended key usage
Mon Jun 30 12:26:00 2014 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Jun 30 12:26:00 2014 VERIFY EKU OK
Mon Jun 30 12:26:00 2014 VERIFY X509NAME OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:00 2014 CRL CHECK OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:00 2014 VERIFY OK: depth=0, /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:08 2014 Connection reset, restarting [0]
Mon Jun 30 12:26:08 2014 SIGUSR1[soft,connection-reset] received, process restarting
Mon Jun 30 12:26:08 2014 Restart pause, 5 second(s)
Mon Jun 30 12:26:13 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jun 30 12:26:13 2014 Socket Buffers: R=[87380->131072] S=[16384->131072]
Mon Jun 30 12:26:13 2014 Attempting to establish TCP connection with [AF_INET]63.245.214.137:443 [nonblock]
Mon Jun 30 12:26:14 2014 TCP connection established with [AF_INET]63.245.214.137:443
Mon Jun 30 12:26:14 2014 TCPv4_CLIENT link local: [undef]
Mon Jun 30 12:26:14 2014 TCPv4_CLIENT link remote: [AF_INET]63.245.214.137:443
Mon Jun 30 12:26:14 2014 TLS: Initial packet from [AF_INET]63.245.214.137:443, sid=ed2d221a 4f152ba4
Mon Jun 30 12:26:21 2014 CRL CHECK OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/OU=Mozilla_Corporation_Root_Certificate_Services/CN=Mozilla_Root_CA/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:21 2014 VERIFY OK: depth=1, /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/OU=Mozilla_Corporation_Root_Certificate_Services/CN=Mozilla_Root_CA/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:21 2014 Validating certificate extended key usage
Mon Jun 30 12:26:21 2014 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Jun 30 12:26:21 2014 VERIFY EKU OK
Mon Jun 30 12:26:21 2014 VERIFY X509NAME OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:21 2014 CRL CHECK OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:21 2014 VERIFY OK: depth=0, /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:30 2014 Connection reset, restarting [0]
Mon Jun 30 12:26:30 2014 SIGUSR1[soft,connection-reset] received, process restarting
Mon Jun 30 12:26:30 2014 Restart pause, 5 second(s)
Mon Jun 30 12:26:35 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jun 30 12:26:35 2014 Socket Buffers: R=[87380->131072] S=[16384->131072]
Mon Jun 30 12:26:35 2014 Attempting to establish TCP connection with [AF_INET]63.245.214.137:80 [nonblock]
Mon Jun 30 12:26:36 2014 TCP connection established with [AF_INET]63.245.214.137:80
Mon Jun 30 12:26:36 2014 TCPv4_CLIENT link local: [undef]
Mon Jun 30 12:26:36 2014 TCPv4_CLIENT link remote: [AF_INET]63.245.214.137:80
Mon Jun 30 12:26:36 2014 TLS: Initial packet from [AF_INET]63.245.214.137:80, sid=767303b1 1eb8ea22
Mon Jun 30 12:26:41 2014 CRL CHECK OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/OU=Mozilla_Corporation_Root_Certificate_Services/CN=Mozilla_Root_CA/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:41 2014 VERIFY OK: depth=1, /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/OU=Mozilla_Corporation_Root_Certificate_Services/CN=Mozilla_Root_CA/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:41 2014 Validating certificate extended key usage
Mon Jun 30 12:26:41 2014 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Jun 30 12:26:41 2014 VERIFY EKU OK
Mon Jun 30 12:26:41 2014 VERIFY X509NAME OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:41 2014 CRL CHECK OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:41 2014 VERIFY OK: depth=0, /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:47 2014 Connection reset, restarting [0]
Mon Jun 30 12:26:47 2014 SIGUSR1[soft,connection-reset] received, process restarting
Mon Jun 30 12:26:47 2014 Restart pause, 5 second(s)
Mon Jun 30 12:26:52 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jun 30 12:26:52 2014 Socket Buffers: R=[212992->131072] S=[212992->131072]
Mon Jun 30 12:26:53 2014 UDPv4 link local: [undef]
Mon Jun 30 12:26:53 2014 UDPv4 link remote: [AF_INET]63.245.214.137:1194
Mon Jun 30 12:26:53 2014 TLS: Initial packet from [AF_INET]63.245.214.137:1194, sid=cccaa3cc c580d006
Mon Jun 30 12:26:54 2014 CRL CHECK OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/OU=Mozilla_Corporation_Root_Certificate_Services/CN=Mozilla_Root_CA/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:54 2014 VERIFY OK: depth=1, /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/OU=Mozilla_Corporation_Root_Certificate_Services/CN=Mozilla_Root_CA/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:54 2014 Validating certificate extended key usage
Mon Jun 30 12:26:54 2014 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Jun 30 12:26:54 2014 VERIFY EKU OK
Mon Jun 30 12:26:54 2014 VERIFY X509NAME OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:54 2014 CRL CHECK OK: /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:26:54 2014 VERIFY OK: depth=0, /C=US/ST=California/L=Mountain_View/O=Mozilla_Corporation/CN=openvpn.scl3.mozilla.com/emailAddress=hostmaster@mozilla.com
Mon Jun 30 12:27:26 2014 [openvpn.scl3.mozilla.com] Inactivity timeout (--ping-restart), restarting
Mon Jun 30 12:27:26 2014 SIGUSR1[soft,ping-restart] received, process restarting
Mon Jun 30 12:27:26 2014 Restart pause, 2 second(s)
...
(and over and over)

It sounds like you've just replaced the certificates, but kept the old configuration. While this should be a valid approach, just for troubleshooting purposes, could you try downloading the configuration bundle from login.mozilla.com and point the openvpn client at the config.conf in it as-is?

If this works, then it's possible some other option has changed (I think the tls-remote option has been deprecated, possibly other changes), so diffing Mozilla.ovpn and the new config.conf could give a hint.

Thanks, that worked!

1. download the "Certificate" bundle
2. edit config.conf file
3. add those three lines at the end of the file

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

4. Then run the command line with this config file:

sudo openvpn --config config.conf

5. Remove useless old files (previous bundle)

Thanks again!
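The two comments above (try the bundle's config.conf as-is, diff it against the old .ovpn; then append script-security and the resolv.conf hooks) amount to a small pre-flight check. The script below is an added example, not code from this bug, from Mozilla, or from the VPN bundle: it reports the three things the logs above complain about (the deprecated tls-remote option, the missing auth-nocache, and a key file that is group- or world-readable), and appends the three lines from the fix only when they are absent, so it can be re-run on every regenerated bundle. The file names and the /etc/openvpn/update-resolv-conf hook path are taken from the bug; the finding codes, function names and the demo bundle it builds when run without an argument are constructed for illustration and contain no real key material.

```shell
#!/bin/sh
# Added example, not code from this bug or from the Mozilla VPN bundle.
# Checks a downloaded OpenVPN client bundle for the problems the logs in
# this bug flag, then appends the three lines from the fix idempotently.
# Assumptions: file names (config.conf, key.key, ta.key) and the hook path
# /etc/openvpn/update-resolv-conf come from the bug; finding codes are mine.

# Report config options the OpenVPN 2.3 log warns about. One "CODE: text"
# line per finding; returns 1 if anything was found, 0 if the config is clean.
check_ovpn_config() {
    cfg="$1"
    rc=0
    if grep -q '^[[:space:]]*tls-remote[[:space:]]' "$cfg"; then
        echo "DEPRECATED_TLS_REMOTE: 'tls-remote' is deprecated in 2.3 and removed in 2.4; use 'verify-x509-name <CN> name'"
        rc=1
    fi
    if ! grep -q '^[[:space:]]*auth-nocache' "$cfg"; then
        echo "NO_AUTH_NOCACHE: add 'auth-nocache' so the auth-user-pass password is not kept in memory"
        rc=1
    fi
    # up/down hooks are refused unless script-security is 2 or 3
    if grep -qE '^[[:space:]]*(up|down)[[:space:]]' "$cfg" \
       && ! grep -q '^[[:space:]]*script-security[[:space:]]*[23]' "$cfg"; then
        echo "HOOKS_NEED_SCRIPT_SECURITY: up/down are set but script-security is below 2, so the hooks are refused"
        rc=1
    fi
    return $rc
}

# Private key material referenced by 'key' and 'tls-auth' must be 0600
# (the second log in this bug shows the 'group or others accessible' warning).
# Relative paths resolve against the config file's directory, as openvpn does
# when started from that directory.
check_key_perms() {
    cfg="$1"
    dir=$(dirname "$cfg")
    rc=0
    for opt in key tls-auth; do
        f=$(awk -v o="$opt" '$1 == o { print $2; exit }' "$cfg")
        [ -n "$f" ] || continue
        case "$f" in /*) p="$f" ;; *) p="$dir/$f" ;; esac
        if [ ! -f "$p" ]; then
            echo "MISSING_FILE: $opt points at $p, which does not exist"
            rc=1
            continue
        fi
        # columns 5-10 of 'ls -ld' are the group and other permission bits
        if [ "$(ls -ld "$p" | cut -c5-10)" != "------" ]; then
            echo "WORLD_READABLE: $p is group or others accessible; chmod 600 it"
            rc=1
        fi
    done
    return $rc
}

# Append the three lines from the fix only if the config lacks them, so the
# script can be re-run on every freshly downloaded bundle without duplicates.
ensure_resolv_hooks() {
    cfg="$1"
    hook="${2:-/etc/openvpn/update-resolv-conf}"
    grep -q '^[[:space:]]*script-security[[:space:]]' "$cfg" || echo "script-security 2" >> "$cfg"
    grep -q '^[[:space:]]*up[[:space:]]' "$cfg"   || echo "up $hook" >> "$cfg"
    grep -q '^[[:space:]]*down[[:space:]]' "$cfg" || echo "down $hook" >> "$cfg"
}

# Write a constructed sample bundle (not a real Mozilla bundle, no real keys)
# into directory $1 and print the config path. key.key is deliberately left
# 0644 so the permission check has something to report.
make_demo_bundle() {
    d="$1"
    mkdir -p "$d"
    cat > "$d/config.conf" <<'EOF'
client
dev tun
proto udp
remote openvpn.scl3.mozilla.com 1194
tls-remote openvpn.scl3.mozilla.com
ca ca.crt
cert cert.crt
key key.key
tls-auth ta.key 1
EOF
    printf 'constructed placeholder, not a real key\n' > "$d/key.key"
    printf 'constructed placeholder, not a real key\n' > "$d/ta.key"
    chmod 644 "$d/key.key"
    chmod 600 "$d/ta.key"
    echo "$d/config.conf"
}

if [ $# -ge 1 ]; then
    target="$1"
else
    # no argument: run against the constructed bundle in a temp dir
    demo_dir=$(mktemp -d)
    target=$(make_demo_bundle "$demo_dir")
fi
check_ovpn_config "$target"
check_key_perms "$target"
ensure_resolv_hooks "$target"
echo "--- $target after ensure_resolv_hooks ---"
cat "$target"
if [ -n "${demo_dir:-}" ]; then rm -rf "$demo_dir"; fi
```

Run it as `sh check_bundle.sh /etc/openvpn/MozillaVPN/config.conf` on a real bundle; without an argument it exercises the constructed demo config and prints the findings and the patched file. Fixing DEPRECATED_TLS_REMOTE is left to the operator on purpose: the replacement value for verify-x509-name is the server CN shown in the VERIFY X509NAME log line, and rewriting a TLS identity check automatically is not something a helper script should do.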
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED

Same here, works correctly, thanks!