
Tutorial: Perform an Offline Activation with a Fixed License Key

Abstract

Use a fixed license key to activate an Access Server running in an air-gapped system without internet access.

Overview

If you can’t activate your Access Server license online, for example because of strict firewalls or because your Access Server installation is on a local network without internet access, you have two options:

  1. You can perform an offline activation yourself by using a second, temporary Access Server installation with an internet connection.

  2. Submit a support ticket and include the required hardware information file (detailed below) with the license key you want to activate, and we can do the offline activation for you.

After the offline activation procedure, you have an activated xxxx-xxxx-xxxx-xxxx.lic file. Place the file on your server to complete the license key activation procedure.

Prerequisites

  • A fixed license key.

  • An installed Access Server.

  • A second, temporary Access Server with an internet connection or a support ticket, mentioned in the overview.

The activation process reads a number of unique machine facts from the system that your Access Server is installed on and uses them together with your license key to activate the key and lock it to that system. Activation unlocks the number of connections your license key is good for. With an offline activation procedure, you take the machine facts from one offline Access Server (without internet access), export them to a text file, copy that text file to another online Access Server (with internet access), and then use that Access Server for the activation process. You then copy the resulting license file to the original machine.

Follow these steps:

  1. Sign in to the Access Server you wish to activate (let’s call this the production server).

  2. Run this command on the production server as the root user:

    /usr/local/openvpn_as/scripts/liman id-marker >licinfo.txt

  3. Copy the new file, licinfo.txt, with the hardware specifics for your production server, onto the Access Server you’ll use for activation (let’s call this the activation server).

    Note

    Ensure you use a tool like SCP or WinSCP to transfer the file itself; don’t copy/paste the contents of the file.

  4. Run this command on the activation server as the root user (and enter your license key):

    /usr/local/openvpn_as/scripts/liman -i licinfo.txt Activate "LICE-NSEK-EYIN-HERE"

  5. From the /usr/local/openvpn_as/etc/licenses/ folder, copy the new license key file from your activation server to the production server. The file will be named with the license key, for example, LICE-NSEK-EYIN-HERE.lic.

    Note

    Ensure you use a tool like SCP or WinSCP to transfer the file itself; don’t copy/paste the contents of the file.

  6. Your production server should now see the activated key and update the concurrent connection count. In rare cases, you may need to use service openvpnas restart to restart the Access Server service to read the new license key.

Rather than set up a second Access Server purely for the activation steps, you can contact us through our support ticket system and request offline activation. Include the following in your ticket:

  • Your license key for activation.

  • The licinfo.txt file.

To obtain the licinfo.txt file, follow these steps:

  1. Sign in to the Access Server you want to activate.

  2. Run this command on the server as the root user:

    /usr/local/openvpn_as/scripts/liman id-marker >licinfo.txt

    • The new file, licinfo.txt, contains the hardware specifics for activating that server.

  3. Copy this file to the computer you’re using to submit the support ticket, and attach it to the ticket.

    Note

    Ensure you use a tool like SCP or WinSCP to transfer the file itself; don’t copy/paste the contents of the file.

If the activation fails, check these scenarios:

  • Verify the activation server can access our activation servers at licensing.openvpn.net or licserv.openvpn.net on TCP port 443. We keep the IP address static, so you can also allow 54.183.149.72 through a firewall if needed.

  • Check if recent maintenance on your production server has changed the hardware/software combination. This can cause the licensing system to believe it’s running on a different server than the one where the license key was activated.

  • If you’re using a virtual platform, moving the virtual machine from one hypervisor platform to another can cause the licensing system to see this hardware change and invalidate the license key.

  • If you replace the network interface card on your server, or perform a clean reinstall of your server operating system, this can cause the license key to become invalid.

  • If your operating system runs out of available memory, reboot the server. When there isn’t available memory, the licensing system is one of the first things to go.

You can use the command-line licensing manager program to view the current state of the licensing system. On the command line as the root user, use the commands below to see which license keys are on your system, which are having problems and why, and how many connections your server currently allows.

  1. View the license key files on your server's file system:

    ls -la /usr/local/openvpn_as/etc/licenses/

  2. Check the license manager tool to see problems and the allowed connections:

    /usr/local/openvpn_as/scripts/liman info

A sample output looks like this:

Manager: exception with license file /usr/local/openvpn_as/etc/licenses/ABCD-1234-EFGH-5678.lic:
machine properties validation failed: verify fail: ABCD-1234-EFGH-5678
[3:0:8]/mac=110/hd=000/cpu=110/pci=110/ino=110/iid=000 (LIC_VPROP)
Manager: exception with license file /usr/local/openvpn_as/etc/licenses/IJKL-0912-MNOP-3456.lic:
license key ID is expired (LIC_KEY_EXP)
Manager: exception with license file /usr/local/openvpn_as/etc/licenses/QRST-7890-UVWX-1234.lic:
signature verification failed (LIC_VERIFY)
INFO {'apc': False, 'concurrent_connections': 20}

In the output above, the license key ABCD-1234-EFGH-5678 fails the machine properties validation. This means the system hardware specifics are no longer the same as when you activated the license. The system then considers this license key invalid and skips it.

The output above shows that the license key IJKL-0912-MNOP-3456 has expired. If you haven't renewed it, you can do so on our website or buy a new one.

In the output above, the last line shows that the server is registered for 20 simultaneous connections.
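As an added example (not part of the original tutorial or of Access Server itself), this Python script parses liman info output in the shape shown above into one record per rejected license key plus the allowed connection count. The sample text is constructed from the output on this page, and the function names are hypothetical.

```python
import ast
import re

# Constructed sample in the shape of the `liman info` output shown on this page.
SAMPLE = """\
Manager: exception with license file /usr/local/openvpn_as/etc/licenses/ABCD-1234-EFGH-5678.lic:
machine properties validation failed: verify fail: ABCD-1234-EFGH-5678
[3:0:8]/mac=110/hd=000/cpu=110/pci=110/ino=110/iid=000 (LIC_VPROP)
Manager: exception with license file /usr/local/openvpn_as/etc/licenses/IJKL-0912-MNOP-3456.lic:
license key ID is expired (LIC_KEY_EXP)
Manager: exception with license file /usr/local/openvpn_as/etc/licenses/QRST-7890-UVWX-1234.lic:
signature verification failed (LIC_VERIFY)
INFO {'apc': False, 'concurrent_connections': 20}
"""

HEADER = re.compile(r"^Manager: exception with license file \S*/([^/\s]+)\.lic:\s*$")
CODE = re.compile(r"\((LIC_[A-Z_]+)\)\s*$")


def parse_liman_info(text):
    """Return (problems, info): one dict per rejected key plus the INFO dict."""
    problems, info, current = [], {}, None
    for line in text.splitlines():
        line = line.strip()
        header = HEADER.match(line)
        if header:
            current = {"key": header.group(1), "code": None, "detail": []}
            problems.append(current)
        elif line.startswith("INFO "):
            # The INFO payload is a Python literal; literal_eval parses it without executing code.
            info = ast.literal_eval(line[len("INFO "):])
            current = None
        elif current is not None and line:
            code = CODE.search(line)
            if code:
                current["code"] = code.group(1)
                line = line[:code.start()].rstrip()
            current["detail"].append(line)
    return problems, info


def report(text):
    problems, info = parse_liman_info(text)
    lines = [f"{p['key']}: {p['code']} ({'; '.join(p['detail'])})" for p in problems]
    lines.append(f"allowed connections: {info.get('concurrent_connections')}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

On a real server, pass the captured output of /usr/local/openvpn_as/scripts/liman info to report() in place of SAMPLE.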

Error messages and resolutions

  • Error message: Fault 9000: "twisted.internet.error.DNSLookupError: DNS lookup failed: address 'licensing.openvpn.net' not found: [Errno -2] Name or service not known."

    Resolution: This error message indicates a DNS issue. This could be caused by not having DNS servers configured, or the ones configured are internal DNS servers that only handle an internal DNS zone. It could even be a temporary problem with the DNS server.

  • Error message: SESSION ERROR: SESSION: Your session has expired, please reauthenticate (9007)

    Resolution: This error message could be a DNS issue or an internet access issue.

  • Error message: Fault 9000: "OpenSSL.SSL.Error: [('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')]"

    Resolution: This error message occurs when the secure connection between your Access Server and our licensing server fails. A firewall or proxy system could intercept the traffic and present its own SSL certificate. This won't match the certificate that the Access Server is expecting to see, so the certificate verification fails. Another possibility is that your server's time and date are off quite badly. The certificate we use on our licensing server is valid within specific dates, and if your server has an incorrect date set, verification fails. You must set the date correctly to resolve the problem.
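As an added example (not OpenVPN's code), this Python check can be run on the activation server to map a failed connection to licensing.openvpn.net on TCP port 443 to the causes described above: DNS, a blocked port, an intercepting firewall or proxy, or a wrong system clock. It assumes Python's default trust store rather than whatever certificate Access Server itself expects, and the function names are hypothetical.

```python
import socket
import ssl

HOST, PORT = "licensing.openvpn.net", 443  # host and port named on this page

# OpenSSL verify codes: 9 = certificate not yet valid, 10 = certificate has expired.
# With a correct server certificate, either one points at the local clock.
CLOCK_CODES = {9, 10}


def classify(exc):
    """Map a connection failure to one of the causes in the troubleshooting text."""
    if isinstance(exc, socket.gaierror):
        return "dns: name did not resolve; check the configured DNS servers"
    if isinstance(exc, ssl.SSLCertVerificationError):
        if getattr(exc, "verify_code", None) in CLOCK_CODES:
            return "clock: certificate outside its validity dates; check system time"
        return "intercept: unexpected certificate; look for a firewall or proxy"
    if isinstance(exc, (socket.timeout, TimeoutError, ConnectionError)):
        return "network: TCP 443 blocked or unreachable; check firewall rules"
    return f"other: {exc!r}"


def check(host=HOST, port=PORT, timeout=5.0):
    """Resolve, connect and verify the TLS certificate; return a one-line verdict."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                expires = tls.getpeercert()["notAfter"]
                return f"ok: {tls.version()} to {host}, certificate expires {expires}"
    except OSError as exc:  # gaierror, SSLError and timeouts are all OSError
        return classify(exc)


if __name__ == "__main__":
    print(check())
```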