On my phone: I suspect you’re using a newer openvpn version. It is complaining about your CA. I think it wants a CA created with a newer algorithm.
Wait for confirmation by others.

On Fri, Mar 28, 2025, at 5:50 PM, Bo Berglund wrote:
> Hi,
> I have a problem on a new server trying to use an old server's config...
>
> Back in 2019 I created an RPi2 based OVPN server for use by my brother-in-law to
> connect back to his home in Vienna while traveling abroad.
> It has worked fine for a long time but recently the RPi2 has acted up and the
> service stopped occasionally until someone (his son) could go over and restart
> the RPi2 device. This happened repeatedly.
>
> So to improve this I have started up a new RPi4B with the most recent PiOS Lite
> (server style - no gui components).
> On this I have installed openvpn via apt and I have copied over the "crypto"
> files to directory /etc/openvpn/server/serverkeys.
> I did so by (as sudo) creating a tar.gz file containing /etc/openvpn on the old
> RPi2.
>
> Then I have configured a server.conf file based on the old file on the RPi2 but
> with some enhancements from recent times by looking at a conf file on my new
> OVPN server here at home, which works just fine.
>
> For a test I have started the service with the RPi4 on my home LAN so I have
> edited the conf file to reflect my own LAN configuration network wise.
>
> Then I have copied my ovpn file for the old server in Vienna and edited it so it
> points to my own server and uses the correct port etc to be used for testing
> here.
>
> Now when I try to connect from my phone using this ovpn file modified to point
> to my own url it stops with an error message:
>
> ---------------------------------------------------------------
> There was an error attempting to connect to
> the selected server.
>
> Error message:
> "You are using an insecure hash algorithm for the CA signature.
> Regenerate the CA certificate with a secure hash algorithm."
> ----------------------------------------------------------------
>
> I do not know *where* the problem is located in this case.
> Nor what exactly I have to do.
> Which signature is a problem? Something on the server or inside the
> ovpn file I use to connect?
>
> I used a copy of the ovpn file working towards the RPi2 device (which fully
> works right now), where I just changed the port number to match what I have
> forwarded on my router and switched the connection URL to my home system.
>
>
>
> Here is my server.conf file:
> ---------------------------
> port 1193
> proto udp
> dev tun
> topology subnet
>
> #Keys, Certificates, directories etc
> ca /etc/openvpn/server/serverkeys/ca.crt
> cert /etc/openvpn/server/serverkeys/HAKANVPN.crt
> key /etc/openvpn/server/serverkeys/HAKANVPN.key
> dh /etc/openvpn/server/serverkeys/dh2048.pem
> tls-auth /etc/openvpn/server/serverkeys/ta.key 0
> cipher AES-256-CBC
> #Other files/dirs:
> client-config-dir /etc/openvpn/ccd
> status /etc/openvpn/log/server-status.log 20
> log /etc/openvpn/log/server.log
> verb 3 #Verbosity of log content
> max-clients 20
> key-direction 0
> persist-key
> persist-tun
>
> #Server's internal network:
> server 10.8.113.0 255.255.255.0 'nopool'
> ifconfig-pool 10.8.113.10 10.8.113.127 255.255.255.0
> ifconfig-pool-persist /etc/openvpn/server/ipp.txt
> push "route 10.8.113.0 255.255.255.0"
> push "route 10.8.113.1 255.255.255.255"
> push "route 192.168.119.0 255.255.255.0"
> push "dhcp-option DNS 192.168.119.1" # When testing at home
> push "redirect-gateway def1 bypass-dhcp"
> push "dhcp-option DNS 208.67.222.222"
> push "dhcp-option DNS 208.67.220.220"
> comp-lzo no
> push "comp-lzo no"
> duplicate-cn
> keepalive 10 120
> ---------------------------------------------------------------
>
> Here is the content of the ovpn file used on the phone:
> ---------------------------------------------------------------
> client
> dev tun
> proto udp
> myhomedomain 1093
> resolv-retry infinite
> nobind
> persist-key
> persist-tun
> mute-replay-warnings
> auth-nocache
> remote-cert-tls server
> key-direction 1
> cipher AES-256-CBC
> verb 2
> mute 20
> explicit-exit-notify 1
>
> <ca>
> -----BEGIN CERTIFICATE-----
> MIIG4DCCBMigAwIBAgIUbFjR74pEthxrXy5wTGb2jx92Ty0wDQYJKoZIhvcNAQEL
> ....
> wcq/MyVJlLSaD/8QlhwIy38repxvLEZEEodBJO4laZrdmeb9
> -----END CERTIFICATE-----
> </ca>
> <cert>
> -----BEGIN CERTIFICATE-----
> MIIHEzCCBPugAwIBAgIBAzANBgkqhkiG9w0BAQUFADCBnjELMAkGA1UEBhMCQVQx
> ....
> Cmed45LdJCnOG/vunkpXLM1EvtK/WSo4Hynwoi7axIVlC/6fVA72
> -----END CERTIFICATE-----
> </cert>
> <key>
> -----BEGIN RSA PRIVATE KEY-----
> Proc-Type: 4,ENCRYPTED
> DEK-Info: DES-EDE3-CBC,E1369C0CE0B22D49
> ....
> XaE3Qw06HkP6bzXhxZWwQT9Tf1QiS1XSmhHCp76I8BPkSEr1hl6Z6C6RqLZKi6wO
> -----END RSA PRIVATE KEY-----
> </key>
> <tls-auth>
> #
> # 2048 bit OpenVPN static key
> #
> -----BEGIN OpenVPN Static key V1-----
> 366cadc0ebfed57a493fdb05cedd25d9
> ....
> 9ea060f01c0fcaba71f39b7d6ac92f98
> -----END OpenVPN Static key V1-----
> </tls-auth>
>
> ---------------------------------------------------------------
>
> This is what is in the log file
> (there are no timestamps so I don't know *when* it was logged):
> -------------------------------------------------------------------------------
> DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers
> (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher
> negotiations.
> Note: '--allow-compression' is not set to 'no', disabling data channel offload.
> Consider using the '--compress migrate' option.
> OpenVPN 2.6.3 aarch64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL]
> [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
> library versions: OpenSSL 3.0.15 3 Sep 2024, LZO 2.10
> DCO version: N/A
> WARNING: using --duplicate-cn and --client-config-dir together is probably not
> what you want
> WARNING: --ifconfig-pool-persist will not work with --duplicate-cn
> net_route_v4_best_gw query: dst 0.0.0.0
> net_route_v4_best_gw result: via 192.168.119.1 dev eth0
> Diffie-Hellman initialized with 2048 bit key
> OpenSSL: error:0A00018E:SSL routines::ca md too weak
> Cannot load certificate file /etc/openvpn/server/serverkeys/HAKANVPN.crt
> Exiting due to fatal error
> -------------------------------------------------------------------------------
> And finally this is what I get with
>
> sudo systemctl status openvpn-server@server.service
> -------------------------------------------------------------------------------
> openvpn-server@server.service - OpenVPN service for server
>      Loaded: loaded (/lib/systemd/system/openvpn-server@.service; enabled; preset: enabled)
>      Active: activating (auto-restart) (Result: exit-code) since Fri 2025-03-28 22:41:14 CET; 2s ago
>        Docs: man:openvpn(8)
>              https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
>              https://community.openvpn.net/openvpn/wiki/HOWTO
>     Process: 20876 ExecStart=/usr/sbin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --suppress-timestamps --config server.conf (code=exited, status=1/FAILURE)
>    Main PID: 20876 (code=exited, status=1/FAILURE)
>      Status: "Pre-connection initialization successful"
>         CPU: 90ms
> --------------------------------------------------------------------------------
>
> Where should I look for the problem?
> And a solution.....
>
> TIA
>
>
> --
> Bo Berglund
> Developer in Sweden
>
>
>
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users

--
Dan Langille
d...@langille.org
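An added check, not code from either poster: the Python below reads the signature-algorithm OID that a PEM certificate declares, with no OpenSSL dependency, so it can be run against ca.crt and HAKANVPN.crt on the RPi4 before regenerating anything. It walks the DER only as far as tbsCertificate.signature, which sits right after the serial number, so even the single base64 line quoted for each <ca> and <cert> block in the message above is enough input (RFC 5280 requires the outer signatureAlgorithm to match that field). The two sample constants are those quoted first lines; the accept/reject flags reflect OpenSSL 3's default security level 1, which refuses MD5- and SHA-1-signed certificates with "md too weak".

```python
import base64
import re
# Signature-algorithm OIDs and whether OpenSSL 3 at its default security
# level (1) still accepts them on a certificate; SHA-1/MD5 do not pass.
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", False),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", False),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", True),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", True),
}

def _header(buf, pos):  # DER tag/length at pos -> (tag, length, value start)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: n more length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, length, pos

def _oid(raw):  # DER OBJECT IDENTIFIER content bytes -> dotted string
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                     # last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def tbs_signature_oid(pem_text):
    """OID in tbsCertificate.signature; a truncated PEM body is enough."""
    b64 = "".join(ln.strip() for ln in pem_text.splitlines()
                  if re.fullmatch(r"[A-Za-z0-9+/=]+", ln.strip()))
    der = base64.b64decode(b64[: len(b64) - len(b64) % 4])
    _, _, pos = _header(der, 0)              # Certificate ::= SEQUENCE
    _, _, pos = _header(der, pos)            # tbsCertificate SEQUENCE
    tag, length, val = _header(der, pos)
    if tag == 0xA0:                          # optional [0] EXPLICIT version
        tag, length, val = _header(der, val + length)
    assert tag == 0x02, "serialNumber INTEGER expected"
    _, _, val = _header(der, val + length)   # signature AlgorithmIdentifier
    tag, length, val = _header(der, val)     # its algorithm OID
    assert tag == 0x06, "OBJECT IDENTIFIER expected"
    return _oid(der[val:val + length])

def describe(pem_text):  # -> (oid, name, accepted at OpenSSL 3 default level)
    oid = tbs_signature_oid(pem_text)
    return (oid,) + SIG_ALGS.get(oid, ("unknown", False))

# First base64 line of each block exactly as quoted in the message above.
CA_QUOTED = "-----BEGIN CERTIFICATE-----\nMIIG4DCCBMigAwIBAgIUbFjR74pEthxrXy5wTGb2jx92Ty0wDQYJKoZIhvcNAQEL\n....\n-----END CERTIFICATE-----"
CERT_QUOTED = "-----BEGIN CERTIFICATE-----\nMIIHEzCCBPugAwIBAgIBAzANBgkqhkiG9w0BAQUFADCBnjELMAkGA1UEBhMCQVQx\n....\n-----END CERTIFICATE-----"
```

Call `describe(open("/path/to/ca.crt").read())` on each file the server config references; any entry that comes back False (or "unknown") is one that OpenSSL 3 will refuse and that needs re-issuing under a SHA-2 signature.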