Error: VPN Cert Days value is Changed: Rebuild VPN certificates


(Hawk McDuck) #1

FreePBX 15.0.17.17 / Current Asterisk Version 16.15.1 / all modules up to date

The VPN Server module had been working well as far as I’m aware. I recently added a Yealink SIP T-22P phone to FreePBX and was trying to set up a VPN client for the T-22P extension. Now when I try to do anything in the System Admin==>VPN Server module, I get a pop-up dialog box that looks like this:

Rebuilt VPN certificates
The value for CERT_DAYS_VAL has been changed. To apply this new value, please click on Rebuild button or Cancel button to abort.
Rebuilt Close

When I click on the “Rebuilt” [sic] button, the process runs indefinitely. I ran this overnight and this morning it was still running.

Note that the CERT Days Remaining field at the top of the VPN Server module says 3638 days.

In the Dashboard there is an error:

!Security Issue!
VPN Cert Days value is Changed
This is a critical issue and should be resolved urgently

When I click on the “Resolve” button in the Dashboard, it takes me to the VPN Server module and
the “Rebuilt VPN certificates” pop-up dialog described above.

sudo grep -i vpn freepbx.log
[2021-01-30 22:41:59] [freepbx.INFO]: [NOTIFICATION]-[sysadmin]-[VPN_Cert] - VPN Cert Days value is Changed (CERT_DAYS_VAL has been changed. You have to rebuild the VPN certificates.) [] []
[2021-01-30 23:07:24] [freepbx.INFO]: [NOTIFICATION]-[sysadmin]-[VPN_Cert] - VPN Cert Days value is Changed (CERT_DAYS_VAL has been changed. You have to rebuild the VPN certificates.) [] []
[2021-01-30 23:10:31] [freepbx.INFO]: [NOTIFICATION]-[sysadmin]-[VPN_Cert] - VPN Cert Days value is Changed (CERT_DAYS_VAL has been changed. You have to rebuild the VPN certificates.) [] []

Anyone available to help progress this issue?


FreePBX VPN setup with Sangoma S500
(Hawk McDuck) #2

I went into Settings==>Endpoint Manager==>Extensions and, except for the Sangoma S500 extensions listed, removed all the other extensions in the list using the option “Delete Extension and Remove Config(s)”.

In the VPN Server module, the pop-up dialog box “Rebuilt VPN certificates” opened up, I clicked on “Rebuilt”, things whirred for a few moments, and the pop-up disappeared. The “CERT. Days Remaining” field in the VPN Server module is now 729 days.

Upon refreshing the Dashboard, the error message “VPN Cert Days value is Changed” is gone.

Hopefully FreePBX is back to normal and happy, happy, happy.


(R Wize) #3

We arrived at this as well, and one of the team ran the “rebuild” of the certificates on one of our ‘shared’ PBXs, which means it affects many customers. All phones using VPN to register lost connection, and even after the rebuild and applying of the new certificates, devices cannot connect.

Can someone at Sangoma comment on this… this appears to be related to some recent update and only affects people that use the OpenVPN module.


Here is the warning we are getting… I have directed that no VPN rebuilds are to be performed until this issue is better explained.



(R Wize) #4

I worked this out via the Bug Submission process, please review that bug ticket for solution details.

Cheers

[FREEPBX-22242] OpenVPN breaks after Critical Update - Sangoma Issue Tracker


(R Wize) #5

@sgseidel (Hawk McDuck) I am glad you were able to resolve your issue, and seeing that you use the EPM, it was a simple process to update the certs and push them to the phones.

For those without EPM, one has to export your certs and then import them to the phones. If you are not using the End Point Manager module, then this means a manual process. I can verify it works, as we updated one of our ‘shared’ PBXs and encountered a phone disconnect issue even after updating the phones’ VPN certificates, until we updated the Sys Admin module. The Sys Admin module has to be v15.0.21.17 or greater.

Here is the command to run from the console and root access:

fwconsole ma downloadinstall sysadmin --edge

For others who have not “rebuilt” their certificates, I recommend not doing so until you are ready to update each phone, however you do that in your environment.

Here is a link again to the bug case I opened and obtained the guidance from FreePBX support:

[FREEPBX-22242] OpenVPN breaks after Critical Update - Sangoma Issue Tracker


#6

So what is the fix? I gained nothing from reading the Issue Tracker and haven’t been able to figure out how to get back to where we were.

I hit the “rebuilt” button and it killed all of our VPN connections. So I went ahead and issued a new certificate, installed it on a Grandstream phone that used to connect with VPN and it still doesn’t work.

I have the 14.0.2.17 Sys Admin Module installed. I rebooted the server. Deleted the client and started fresh. Nothing seems to bring the VPN connections back.

The logs show this for a newly issued certificate:

Feb 10 11:53:20 pbx2 openvpn: Wed Feb 10 11:53:20 2021 1.2.3.4:22589 TLS: Initial packet from [AF_INET]1.2.3.4:22589, sid=084e853a dbb375d8
Feb 10 11:53:20 pbx2 openvpn: Wed Feb 10 11:53:20 2021 1.2.3.4:22589 CRL: loaded 1 CRLs from file sysadmin_crl.pem
Feb 10 11:54:20 pbx2 openvpn: Wed Feb 10 11:54:20 2021 1.2.3.4:22589 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 10 11:54:20 pbx2 openvpn: Wed Feb 10 11:54:20 2021 1.2.3.4:22589 TLS Error: TLS handshake failed
Feb 10 11:54:20 pbx2 openvpn: Wed Feb 10 11:54:20 2021 1.2.3.4:22589 SIGUSR1[soft,tls-error] received, client-instance restarting

The logs show this on a phone with the original certificates still on it:

Feb 10 14:23:16 pbx2 openvpn: Wed Feb 10 14:23:16 2021 1.2.3.4:51255 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: CN=FreePBX
Feb 10 14:23:16 pbx2 openvpn: Wed Feb 10 14:23:16 2021 1.2.3.4.50:51255 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Feb 10 14:23:16 pbx2 openvpn: Wed Feb 10 14:23:16 2021 1.2.3.4.50:51255 TLS_ERROR: BIO read tls_read_plaintext error
Feb 10 14:23:16 pbx2 openvpn: Wed Feb 10 14:23:16 2021 1.2.3.4:51255 TLS Error: TLS object -> incoming plaintext read error
Feb 10 14:23:16 pbx2 openvpn: Wed Feb 10 14:23:16 2021 1.2.3.4:51255 TLS Error: TLS handshake failed
Feb 10 14:23:16 pbx2 openvpn: Wed Feb 10 14:23:16 2021 1.2.3.4:51255 SIGUSR1[soft,tls-error] received, client-instance restarting

So it didn’t only invalidate the certificates; it also did something that makes any new certificates fail to communicate correctly.
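The two log excerpts in this post show two different handshake outcomes, and telling them apart per phone is the first step in triage. The following is an added example, not code from the thread or from FreePBX: a small parser for OpenVPN server log lines in the syslog format quoted above. It groups lines by client endpoint and assigns each peer a verdict: a “VERIFY ERROR … self signed certificate in certificate chain” means the client presented a certificate the server can no longer chain to its current CA (the phone still carries pre-rebuild credentials), while a “TLS key negotiation failed to occur within 60 seconds” means the server never received the client’s side of the handshake at all (the client gave up, for instance because it rejected the server’s new certificate, or the path is broken). The sample log lines are constructed, modelled on the ones in the post, with made-up client addresses and a made-up common name `phone-2001`.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the OpenVPN server lines quoted in the thread:
# "<syslog date> <host> openvpn: <OpenVPN timestamp> <client ip:port> <message>".
SAMPLE_LOG = """\
Feb 10 11:53:20 pbx2 openvpn: Wed Feb 10 11:53:20 2021 1.2.3.4:22589 TLS: Initial packet from [AF_INET]1.2.3.4:22589, sid=084e853a dbb375d8
Feb 10 11:53:20 pbx2 openvpn: Wed Feb 10 11:53:20 2021 1.2.3.4:22589 CRL: loaded 1 CRLs from file sysadmin_crl.pem
Feb 10 11:54:20 pbx2 openvpn: Wed Feb 10 11:54:20 2021 1.2.3.4:22589 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 10 11:54:20 pbx2 openvpn: Wed Feb 10 11:54:20 2021 1.2.3.4:22589 TLS Error: TLS handshake failed
Feb 10 14:23:16 pbx2 openvpn: Wed Feb 10 14:23:16 2021 5.6.7.8:51255 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: CN=FreePBX
Feb 10 14:23:16 pbx2 openvpn: Wed Feb 10 14:23:16 2021 5.6.7.8:51255 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Feb 10 14:23:16 pbx2 openvpn: Wed Feb 10 14:23:16 2021 5.6.7.8:51255 TLS Error: TLS handshake failed
Feb 10 14:30:02 pbx2 openvpn: Wed Feb 10 14:30:02 2021 9.9.9.9:40001 [phone-2001] Peer Connection Initiated with [AF_INET]9.9.9.9:40001
"""

LINE_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ openvpn: "   # syslog prefix: date, host, program
    r"\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4} "     # OpenVPN's own timestamp
    r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3}:\d+) "     # client ip:port
    r"(?P<msg>.*)$"
)

# Ordered from most to least specific. A peer's verdict is the most specific
# event seen for it, unless its last event is a successful connection.
RULES = [
    ("old_ca_client_cert",
     re.compile(r"VERIFY ERROR: depth=\d+, error=self signed certificate in certificate chain")),
    ("handshake_timeout",
     re.compile(r"TLS key negotiation failed to occur within \d+ seconds")),
    ("connected", re.compile(r"Peer Connection Initiated")),
    ("handshake_failed_other", re.compile(r"TLS Error: TLS handshake failed")),
]
PRIORITY = {name: i for i, (name, _) in enumerate(RULES)}

# Defender-side reading of each verdict.
EXPLANATION = {
    "old_ca_client_cert": "client presented a cert the server cannot chain to its current CA; "
                          "the phone still has pre-rebuild credentials and needs the new ones pushed",
    "handshake_timeout": "server never saw the client's certificate; check the client's copy of the "
                         "server/CA cert and network reachability",
    "connected": "handshake completed with the current certificates",
    "handshake_failed_other": "handshake failed without a more specific server-side reason",
    "no_handshake_outcome": "no handshake outcome logged for this peer yet",
}


def triage(log_text):
    """Group OpenVPN server log lines by client endpoint and assign a verdict per peer."""
    peers = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an OpenVPN line in the expected format
        entry = peers.setdefault(m.group("peer"), {"events": [], "lines": 0})
        entry["lines"] += 1
        for name, pattern in RULES:
            if pattern.search(m.group("msg")):
                entry["events"].append(name)
                break
    for entry in peers.values():
        events = entry["events"]
        if not events:
            entry["verdict"] = "no_handshake_outcome"
        elif events[-1] == "connected":
            entry["verdict"] = "connected"
        else:
            entry["verdict"] = min(events, key=PRIORITY.__getitem__)
        entry["explanation"] = EXPLANATION[entry["verdict"]]
    return peers


def summarize(peers):
    """Count peers per verdict, so a fleet-wide rebuild problem stands out at a glance."""
    return Counter(entry["verdict"] for entry in peers.values())


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for peer, entry in result.items():
        print(f"{peer:<20} {entry['verdict']:<24} {entry['explanation']}")
    print(dict(summarize(result)))
```

Run it against `/var/log/messages` (or wherever the distro sends OpenVPN's syslog output) by reading the file into `triage()`; peers stuck in `old_ca_client_cert` are the ones that still need the new certificates pushed, and a fleet that is entirely `handshake_timeout` after a rebuild points at the server side rather than at individual phones.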


(Edrick Smith) #7

Same issue here, I do have EPM which let me rebuild it and it went from 3000+ days to 700 or so. However none of the Sangoma phones will connect to VPN yet again.

God I love always having to spend time wasting away troubleshooting these Sangoma systems… Some module or open source this or that breaks, and this is even with PBXAct systems…

Right now it’s also complaining that I can’t re-enable / upgrade Phone Apps because “EndPoint Manager module version 15.0.25 or higher is required, you have 15.0.24.19”.

Yet Module Admin clearly states 15.0.24.19 is the newest.


(Itzik) #8

Make sure you have a valid annual maintenance license for EPM. If you don’t, updates get locked.


(Edrick Smith) #9

I had to force it via SSH. It would seem they shouldn’t break / disable other modules, then, if that were the case: causing the module to update to a point where it complains of a security risk and/or disables it because another module needs to be upgraded (when it can’t, if it did have an expired license).

It was not; in this case the system is licensed for the modules.


(Turrican) #10

Hello

I have the following latest versions
System Admin version: 15.0.21.30
PBX Version: 15.0.17.24
PBX Distro: 12.7.8-2012-1.sng7
Asterisk Version: 16.13.0

I am getting the following message even after hours:


I can’t see a regenerate option in the OpenVPN section.
Shall I create another bug report?

Thank you!


(Jason Lewis) #11

Did you ever work out how to resolve this? I am facing the same issue.


(Turrican) #12

Unfortunately not. I created a bug report. https://issues.freepbx.org/browse/FREEPBX-22385


(Turrican) #13

VPN server needs to be enabled first.
I didn’t want to enable the server since certificate error messages had already appeared, but enabling the VPN server will remove all error messages.