
Re: [Openvpn-users] OpenVPN Connection reset, restarting [0]

  • Subject: Re: [Openvpn-users] OpenVPN Connection reset, restarting [0]
  • From: Josh Cepek <josh.cepek@xxxxxxx>
  • Date: Thu, 31 May 2007 11:03:03 -0500


Maggie Coffey wrote:
> OpenVPN Connection reset, restarting [0] Please advise.  I am new
> to using openvpn.
>  The ca.crt and ca.key were deleted from the linux server that the
> certs are created on.
> I had a copy of the cert and the key and just ftp’d them back on the
> server.
> But now when I create a new p12 cert it fails to connect to the
> tunnel using openvpn
> What do I need to do if anything to the linux box the certs were
> setup on?
If the CA key and certificate that you restored are identical to the
key/cert that you initially set up your PKI with you shouldn't need to
make any changes to the PC that is signing certificates.  When
using the easy-RSA scripts (or OpenSSL commands by hand,) it also
stores information about the issued certificates, specifically in the
files "index.txt" and "serial"; if these were also deleted from the
server before new certificates were signed, it can cause problems
because 2 different certificates have the same serial number.
> Can someone explain to me why the new certs that are created fail to
> connect thru the tunnel?
> I know the tunnel works because I have other tokens that were
> created before the cert and key were deleted and replaced.
> Here is a short version of the log file.  Any help will be greatly
> appreciated
> Wed May 30 16:14:58 2007 us=632267 TLS: Initial packet from
>, sid=d5f12ff8 b839f240
> Wed May 30 16:14:58 2007 us=835591 VERIFY OK: depth=1,
> _/C=US/ST=NH/L=Portsmouth/O=WhalebackSystems/CN=WhalebackSystemsCA/emailAddress=ca@xxxxxxxxxxxxxxxxxxxxx
> Wed May 30 16:14:58 2007 us=836734 VERIFY OK: nsCertType=SERVER
> Wed May 30 16:14:58 2007 us=836779 VERIFY OK: depth=0,
> _/C=US/ST=NH/L=Portsmouth/O=WhalebackSystems/CN=server/emailAddress=ca@xxxxxxxxxxxxxxxxxxxxx
> Wed May 30 16:15:05 2007 us=59928 Connection reset, restarting [0]
> Wed May 30 16:15:05 2007 us=60301 TCP/UDP: Closing socket
> Wed May 30 16:15:05 2007 us=60389 SIGUSR1[soft,connection-reset]
> received, process restarting
From this excerpt from your logs we see that the client is not the one
rejecting the authentication, but the server is.  You can see above
that both the CA and server passed verification tests, but then the
connection is reset by the server.  The reason for this rejection will
appear in your server logs and should indicate exactly why the
credentials were not accepted.

Based on the information, I'm guessing that the certificates signed
after the file delete/restore operation either were signed by a
different CA key or are missing some required component which the
server requires.  An example of the latter case would be if you use
"ns-cert-type client" in the server config but didn't sign the client
cert with the ns-client extension.
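An added diagnostic for the serial-number problem Josh describes (example code, not from the original thread or from easy-RSA): it parses the OpenSSL/easy-RSA "index.txt" database, compares it against the serials of certificates that were issued before the files were lost, and checks that the "serial" file is ahead of everything ever issued. The sample records, the "Example" subject names and the assumption that the rebuilt database restarted at serial 01 are all constructed.

```python
# Added diagnostic, not code from the original thread: check an easy-RSA /
# OpenSSL CA database for the serial-number collisions Josh describes.
# index.txt is tab-separated: status, expiry (YYMMDDHHMMSSZ), revocation
# date, serial (hex), filename, subject DN. `serial` holds the next serial.
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample. DEPLOYED lists certs issued before index.txt/serial were
# lost (as read from the .crt files with `openssl x509 -noout -serial -subject`);
# INDEX_TXT is the database recreated afterwards, which restarted at serial 01.
DEPLOYED: List[Tuple[int, str]] = [
    (0x01, "/C=US/O=Example/CN=server"),
    (0x02, "/C=US/O=Example/CN=client1"),
]
INDEX_TXT = "V\t170531150000Z\t\t01\tunknown\t/C=US/O=Example/CN=client2\n"
SERIAL_FILE = "02\n"


def parse_index(text: str) -> List[Tuple[int, str]]:
    """Parse index.txt lines into (serial, subject) pairs; skip blank lines."""
    entries: List[Tuple[int, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) < 6:
            raise ValueError(f"malformed index.txt line: {line!r}")
        entries.append((int(fields[3], 16), fields[5]))
    return entries


def find_duplicate_serials(*sources: List[Tuple[int, str]]) -> Dict[int, List[str]]:
    """Serials that name more than one subject across all given records."""
    by_serial: Dict[int, List[str]] = defaultdict(list)
    for source in sources:
        for serial, subject in source:
            if subject not in by_serial[serial]:
                by_serial[serial].append(subject)
    return {s: subs for s, subs in by_serial.items() if len(subs) > 1}


def next_serial_is_consistent(serial_text: str, *sources: List[Tuple[int, str]]) -> bool:
    """The `serial` file must exceed every serial that has ever been issued."""
    next_serial = int(serial_text.strip(), 16)
    return all(next_serial > s for source in sources for s, _subj in source)


if __name__ == "__main__":
    index = parse_index(INDEX_TXT)
    for serial, subjects in find_duplicate_serials(index, DEPLOYED).items():
        print(f"serial {serial:02X} is shared by: {', '.join(subjects)}")
    print("serial file ahead of all issued certs:",
          next_serial_is_consistent(SERIAL_FILE, index, DEPLOYED))
```

Whether the restored ca.crt and ca.key still belong together is a separate check: compare the modulus printed by `openssl x509 -noout -modulus -in ca.crt` with the one from `openssl rsa -noout -modulus -in ca.key`.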
