TLS Error: TLS handshake failed, TLS Error: local/remote TLS keys are out of sync

My rock-solid OpenVPN server dropped every connection at once. A quick look at the server logs showed:

2022-01-17 11:07:28 us=339922 MULTI: multi_create_instance called
2022-01-17 11:07:28 us=340120 x.x.x.x:65086 Re-using SSL/TLS context
2022-01-17 11:07:28 us=340967 x.x.x.x:65086 LZO compression initializing
2022-01-17 11:07:28 us=341993 x.x.x.x:65086 Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
2022-01-17 11:07:28 us=342065 x.x.x.x:65086 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
2022-01-17 11:07:28 us=342206 x.x.x.x:65086 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher DES-EDE3-CBC,auth SHA1,keysize 192,key-method 2,tls-server'
2022-01-17 11:07:28 us=342246 x.x.x.x:65086 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher DES-EDE3-CBC,auth SHA1,keysize 192,key-method 2,tls-client'
2022-01-17 11:07:28 us=342351 x.x.x.x:65086 TLS: Initial packet from [AF_INET6]::ffff:x.x.x.x:65086, sid=33e4c66f df7fe02b

And on the client machine:

Jan 17 11:08:22 claptrap openvpn[12231]: TLS: Initial packet from [AF_INET]y.y.y.y:1194, sid=c5357c72 f8ffdb04
Jan 17 11:08:22 claptrap openvpn[12231]: VERIFY ERROR: depth=1, error=certificate has expired: C=PL, ST=xxx, L=xxx, O=xxx, OU=xxx, CN=xxx, name=xxx, emailAddress=xxx, serial=xxx
Jan 17 11:08:22 claptrap openvpn[12231]: OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Jan 17 11:08:22 claptrap openvpn[12231]: TLS_ERROR: BIO read tls_read_plaintext error
Jan 17 11:08:22 claptrap openvpn[12231]: TLS Error: TLS object -> incoming plaintext read error
Jan 17 11:08:22 claptrap openvpn[12231]: TLS Error: TLS handshake failed
Jan 17 11:08:22 claptrap openvpn[12231]: SIGUSR1[soft,tls-error] received, process restarting
Jan 17 11:08:22 claptrap openvpn[12231]: Restart pause, 5 second(s)

Normally I would assume an ISP problem, or a firewall that had started blocking the OpenVPN port. But today was different, because I also saw this error:

TLS Error: local/remote TLS keys are out of sync: [AF_INET]x.x.x.x:

Restarting and checking every client didn't bring the connections and tunnels back, so I checked the one thing left, my CA cert (the client log had already pointed there: depth=1 in the VERIFY ERROR means the issuing CA, not the client's own certificate, is the one that expired), and... voila... 10 years have passed:

dom# cd /usr/pkg/etc/openvpn/
dom# openssl x509 -in ca.crt -dates -noout
notBefore=Jan 20 07:53:20 2012 GMT
notAfter=Jan 17 07:53:20 2022 GMT

At this point the fix is to build a new CA, re-issue the server and every client certificate signed by it, and push the new ca.crt to all peers; a client still carrying the old ca.crt keeps failing at depth=1 no matter how fresh its own certificate is. (Re-signing the CA certificate with its existing key would let the old client certificates keep verifying, but after ten years a fresh key is the better choice.) The log also shows the tunnel still negotiating cipher DES-EDE3-CBC with auth SHA1, so rebuilding the PKI is a good moment to move to a modern cipher as well. Oh... Mondays!
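As an added example (my code, not the author's), here is a check that would have caught this outage early. It covers both things the logs above reveal: it reads the client's VERIFY ERROR line and reports which certificate in the chain failed (depth=0 is the peer's own cert, depth=1 the CA that signed it), and it runs the same `openssl x509 -enddate -noout` command used above against certificate files and turns the answer into OK / EXPIRING / EXPIRED for a cron job. The sample log lines and dates are constructed from the post; the 30-day warning threshold, the certificate paths on the command line and an `openssl` binary on PATH are assumptions.

```python
#!/usr/bin/env python3
"""Added example, not code from the original post: catch an expired
OpenVPN CA before (or at least while) the tunnels fall over.

1. classify_verify_error() parses the client's "VERIFY ERROR" line and
   says which certificate in the chain failed: depth=0 is the peer's own
   certificate, depth=1 is the CA that signed it.
2. cert_not_after() / expiry_status() run `openssl x509 -enddate -noout`
   (the command the post uses) and grade the result, so a cron job can
   warn weeks before the ten years are up.

Sample log lines and dates are constructed from the post; the warning
threshold and certificate paths are assumptions.
"""
import re
import subprocess
import sys
from datetime import datetime, timezone

# openssl prints validity dates like "Jan 17 07:53:20 2022 GMT"
OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y %Z"

# e.g. "VERIFY ERROR: depth=1, error=certificate has expired: C=PL, ST=xxx, ..."
VERIFY_RE = re.compile(r"VERIFY ERROR: depth=(?P<depth>\d+), error=(?P<error>[^:]+):")

# Constructed sample: the relevant lines from the client log in the post.
SAMPLE_CLIENT_LOG = """\
Jan 17 11:08:22 claptrap openvpn[12231]: TLS: Initial packet from [AF_INET]y.y.y.y:1194, sid=c5357c72 f8ffdb04
Jan 17 11:08:22 claptrap openvpn[12231]: VERIFY ERROR: depth=1, error=certificate has expired: C=PL, ST=xxx, L=xxx, O=xxx, OU=xxx, CN=xxx, name=xxx, emailAddress=xxx, serial=xxx
Jan 17 11:08:22 claptrap openvpn[12231]: TLS Error: TLS handshake failed
"""


def classify_verify_error(line):
    """Return (depth, error, which_cert) for a VERIFY ERROR line, or None."""
    m = VERIFY_RE.search(line)
    if not m:
        return None
    depth = int(m.group("depth"))
    which = "peer certificate" if depth == 0 else "issuing CA (depth %d)" % depth
    return depth, m.group("error").strip(), which


def find_verify_errors(log_text):
    """classify_verify_error() over every line of a log, dropping non-matches."""
    return [r for r in (classify_verify_error(l) for l in log_text.splitlines()) if r]


def parse_openssl_date(text):
    """'notAfter=Jan 17 07:53:20 2022 GMT' (or just the date) -> aware UTC datetime."""
    value = text.split("=", 1)[1] if "=" in text else text
    value = " ".join(value.split())  # openssl pads single-digit days with a space
    return datetime.strptime(value, OPENSSL_DATE_FMT).replace(tzinfo=timezone.utc)


def days_left(not_after, now):
    """Days until not_after; negative once the certificate has expired."""
    return (not_after - now).total_seconds() / 86400


def expiry_status(not_after, now, warn_days=30):
    """OK / EXPIRING / EXPIRED for a notAfter relative to now (warn_days is an assumed threshold)."""
    left = days_left(not_after, now)
    if left < 0:
        return "EXPIRED"
    if left < warn_days:
        return "EXPIRING"
    return "OK"


def cert_not_after(path):
    """Ask openssl for notAfter of a PEM certificate, as the post does by hand."""
    out = subprocess.run(["openssl", "x509", "-in", path, "-enddate", "-noout"],
                         check=True, capture_output=True, text=True).stdout
    return parse_openssl_date(out)


def main(paths):
    """Grade each certificate file given on the command line; exit 2 if any expired, 1 if any expiring."""
    now = datetime.now(timezone.utc)
    worst = 0
    for path in paths:  # e.g. ca.crt server.crt client1.crt (assumed names)
        not_after = cert_not_after(path)
        status = expiry_status(not_after, now)
        print("%-8s %-30s %8.1f days left" % (status, path, days_left(not_after, now)))
        worst = max(worst, {"OK": 0, "EXPIRING": 1, "EXPIRED": 2}[status])
    for _depth, err, which in find_verify_errors(SAMPLE_CLIENT_LOG):
        print("client log: %s -> %s" % (err, which))
    return worst


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python3 check_vpn_certs.py /usr/pkg/etc/openvpn/ca.crt server.crt` from cron; the non-zero exit on EXPIRING gives you the warning the author never got, and the depth classification tells you whether to reissue one client or the whole PKI.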