17 Sep
2023
17 Sep
'23
12:33 p.m.
Hi all,
I’ve been trying off and on over the last few days to set up a VPN connection to amprnet
to use my new allocation.
I’m not succeeding on multiple linux machines and a macOS device and seeing a couple of
the same errors -
OpenSSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values
mismatch
Cannot load private key file /etc/openvpn/client.key
Error: private key password verification failed
The first is related to, I assume, my user certificate - is this a fatal error and am I
doing something wrong, has the advice changed from `cat certs/user certs/authorities >
client.crt`?
Secondly, the password verification is confusing me - I have just imported a new tqsl cert
generated this week, and in tqsl it advises me there’s no certificate passphrase. I’m not
sure what to do here - if I try and export a .p12 from tqsl, and generate keys from that,
I am asked for a password too and that ends in no progress.
I see the same errors in tunnelblick on MacOS.
Is there any reason I’m being asked for a password? My current LoTW password doesn’t
resolve this. My concern is that there is some password I’m missing from when the
certificate was first generated years ago and that now prevents me from accessing the
VPN.
Cheers & 73
Hibby MM0RFN.
17 Sep
17 Sep
3:16 p.m.
Hi Dave,
First of all there is currently no “AMPRNet” VPN, i.e. ARDC are not yet providing such a
service, although the TAC are currently working on this.
So I guess you must be trying to connect to an independent VPN server that has been setup
by another ham, in which case you would probably get more specific answers if you were to
contact that person for assistance.
Otherwise, if you can provide a bit more context some folks on this list may be able to
assist you, there may be someone that is already connecting to the same VPN, for example,
and may therefore have experience that is specific to that VPN.
73,
Chris - G1FEF
—
ARDC Administrator
Web: https://www.ardc.net
On 17 Sep 2023, at 12:33, Dave Hibberd via 44net
<44net(a)mailman.ampr.org> wrote:
Hi all,
I’ve been trying off and on over the last few days to set up a VPN connection to amprnet
to use my new allocation.
I’m not succeeding on multiple linux machines and a macOS device and seeing a couple of
the same errors -
OpenSSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values
mismatch
Cannot load private key file /etc/openvpn/client.key
Error: private key password verification failed
The first is related to, I assume, my user certificate - is this a fatal error and am I
doing something wrong, has the advice changed from `cat certs/user certs/authorities >
client.crt`?
Secondly, the password verification is confusing me - I have just imported a new tqsl
cert generated this week, and in tqsl it advises me there’s no certificate passphrase. I’m
not sure what to do here - if I try and export a .p12 from tqsl, and generate keys from
that, I am asked for a password too and that ends in no progress.
I see the same errors in tunnelblick on MacOS.
Is there any reason I’m being asked for a password? My current LoTW password doesn’t
resolve this. My concern is that there is some password I’m missing from when the
certificate was first generated years ago and that now prevents me from accessing the
VPN.
Cheers & 73
Hibby MM0RFN.
_______________________________________________
44net mailing list -- 44net(a)mailman.ampr.org
To unsubscribe send an email to 44net-leave(a)mailman.ampr.org
3:19 p.m.
Chris -
Apologies for the confusion, I was following the AMPRNet VPN instructions on
https://wiki.ampr.org/wiki/AMPRNet_VPN and, based on other things I’ve seen on the list,
assumed that messaging here would be the most appropriate path to seek assistance.
Thanks
DH
On 17 Sep 2023, at 15:16, Chris <chris(a)ardc.net>
wrote:
Hi Dave,
First of all there is currently no “AMPRNet” VPN, i.e. ARDC are not yet providing such a
service, although the TAC are currently working on this.
So I guess you must be trying to connect to an independent VPN server that has been setup
by another ham, in which case you would probably get more specific answers if you were to
contact that person for assistance.
Otherwise, if you can provide a bit more context some folks on this list may be able to
assist you, there may be someone that is already connecting to the same VPN, for example,
and may therefore have experience that is specific to that VPN.
73,
Chris - G1FEF
—
ARDC Administrator
Web: https://www.ardc.net
On 17 Sep 2023, at 12:33, Dave Hibberd via 44net
<44net(a)mailman.ampr.org> wrote:
Hi all,
I’ve been trying off and on over the last few days to set up a VPN connection to amprnet
to use my new allocation.
I’m not succeeding on multiple linux machines and a macOS device and seeing a couple of
the same errors -
OpenSSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values
mismatch
Cannot load private key file /etc/openvpn/client.key
Error: private key password verification failed
The first is related to, I assume, my user certificate - is this a fatal error and am I
doing something wrong, has the advice changed from `cat certs/user certs/authorities >
client.crt`?
Secondly, the password verification is confusing me - I have just imported a new tqsl
cert generated this week, and in tqsl it advises me there’s no certificate passphrase. I’m
not sure what to do here - if I try and export a .p12 from tqsl, and generate keys from
that, I am asked for a password too and that ends in no progress.
I see the same errors in tunnelblick on MacOS.
Is there any reason I’m being asked for a password? My current LoTW password doesn’t
resolve this. My concern is that there is some password I’m missing from when the
certificate was first generated years ago and that now prevents me from accessing the
VPN.
Cheers & 73
Hibby MM0RFN.
_______________________________________________
44net mailing list -- 44net(a)mailman.ampr.org
To unsubscribe send an email to 44net-leave(a)mailman.ampr.org
5:51 p.m.
Hello Dave,
OpenSSL: error:0B080074:x509 certificate routines:X509_check_private_key:key
values mismatch
Cannot load private key file /etc/openvpn/client.key
Error: private key password verification failed
It seems to me that you have missed a step:
The private key needs to be extracted from the YOURCALL file.
This is in the file .tqsl/keys/MM0RFN and needs to be in /etc/openvpn/client.key
Be carefull to copy only the key and nothing else from this file. Also do not
copy "<PRIVATE_KEY:916>" from the first line just the "-----BEGIN
PRIVATE KEY---
--"
Unfortunately if you manage to setup correctly openvpn on your machine, still
you are not going to have fun with AMPR, as the server certificate has expired.
I have sent an e-mail on this list but it seems OH7LZB is not reachable from
here.
I hope this helps
73
Apostolos, SV1LJJ
6:16 p.m.
Hi there, thanks for coming back - I’ve not missed that step, and this is what causes my
confusion.
I’ve extracted the private key, put it in client.key as the instructions said.
I’ve done this across 3 different machines, one running just openvpn which my extract is
from, one I am using openvpn network manager & gnome 3 and another running
tunnelblik.
On all 3 setups, it complains the key is missing when checking the logs and that password
verification has failed, yet when checking in tqsl, it tells me the certificate is not
password protected.
It sounds like all is for naught anyway if the server cert is expired,
Thanks anyway
DH
On 17 Sep 2023, at 17:51, Apostolos Kefalas
<sv1ljj(a)raag.org> wrote:
Hello Dave,
OpenSSL: error:0B080074:x509 certificate routines:X509_check_private_key:key
values mismatch
Cannot load private key file /etc/openvpn/client.key
Error: private key password verification failed
It seems to me that you have missed a step:
The private key needs to be extracted from the YOURCALL file.
This is in the file .tqsl/keys/MM0RFN and needs to be in /etc/openvpn/client.key
Be carefull to copy only the key and nothing else from this file. Also do not
copy "<PRIVATE_KEY:916>" from the first line just the "-----BEGIN
PRIVATE KEY---
--"
Unfortunately if you manage to setup correctly openvpn on your machine, still
you are not going to have fun with AMPR, as the server certificate has expired.
I have sent an e-mail on this list but it seems OH7LZB is not reachable from
here.
I hope this helps
73
Apostolos, SV1LJJ
6:36 p.m.
Do not shoot but... client.key file permissions?
On Sun, 2023-09-17 at 18:16 +0100, Dave Hibberd via 44net wrote:
Hi there, thanks for coming back - I’ve not missed
that step, and this is what
causes my confusion.
I’ve extracted the private key, put it in client.key as the instructions said.
I’ve done this across 3 different machines, one running just openvpn which my
extract is from, one I am using openvpn network manager & gnome 3 and another
running tunnelblik.
On all 3 setups, it complains the key is missing when checking the logs and
that password verification has failed, yet when checking in tqsl, it tells me
the certificate is not password protected.
It sounds like all is for naught anyway if the server cert is expired,
Thanks anyway
DH
On 17 Sep 2023, at 17:51, Apostolos Kefalas
<sv1ljj(a)raag.org> wrote:
Hello Dave,
_______________________________________________
44net mailing list -- 44net(a)mailman.ampr.org
To unsubscribe send an email to 44net-leave(a)mailman.ampr.org
OpenSSL: error:0B080074:x509 certificate
routines:X509_check_private_key:key
values mismatch
Cannot load private key file /etc/openvpn/client.key
Error: private key password verification failed
It seems to me that you have missed a step:
The private key needs to be extracted from the YOURCALL file.
This is in the file .tqsl/keys/MM0RFN and needs to be in
/etc/openvpn/client.key
Be carefull to copy only the key and nothing else from this file. Also do
not
copy "<PRIVATE_KEY:916>" from the first line just the "-----BEGIN
PRIVATE
KEY---
--"
Unfortunately if you manage to setup correctly openvpn on your machine,
still
you are not going to have fun with AMPR, as the server certificate has
expired.
I have sent an e-mail on this list but it seems OH7LZB is not reachable from
here.
I hope this helps
73
Apostolos, SV1LJJ
6:37 p.m.
Great question! I did think about including this!
On one of the machines
hibby@raspberrypi:/etc/openvpn $ ls -l
total 28
-rw-r--r-- 1 root root 1290 Sep 13 00:35 amprnet-vpn-ca.crt
drwxr-xr-x 2 root root 4096 May 14 2021 client
-rw-r--r-- 1 root root 212 Sep 15 00:07 client.conf
-rw-r--r-- 1 root root 4014 Sep 14 23:55 client.crt
-rw-r--r-- 1 root root 916 Sep 15 00:18 client.key
cheers
Dh
On 17 Sep 2023, at 18:36, Apostolos Kefalas
<sv1ljj(a)raag.org> wrote:
Do not shoot but... client.key file permissions?
On Sun, 2023-09-17 at 18:16 +0100, Dave Hibberd via 44net wrote:
Hi there, thanks for coming back - I’ve not
missed that step, and this is what
causes my confusion.
I’ve extracted the private key, put it in client.key as the instructions said.
I’ve done this across 3 different machines, one running just openvpn which my
extract is from, one I am using openvpn network manager & gnome 3 and another
running tunnelblik.
On all 3 setups, it complains the key is missing when checking the logs and
that password verification has failed, yet when checking in tqsl, it tells me
the certificate is not password protected.
It sounds like all is for naught anyway if the server cert is expired,
Thanks anyway
DH
On 17 Sep 2023, at 17:51, Apostolos Kefalas
<sv1ljj(a)raag.org> wrote:
Hello Dave,
_______________________________________________
44net mailing list -- 44net(a)mailman.ampr.org
To unsubscribe send an email to 44net-leave(a)mailman.ampr.org
OpenSSL: error:0B080074:x509 certificate
routines:X509_check_private_key:key
values mismatch
Cannot load private key file /etc/openvpn/client.key
Error: private key password verification failed
It seems to me that you have missed a step:
The private key needs to be extracted from the YOURCALL file.
This is in the file .tqsl/keys/MM0RFN and needs to be in
/etc/openvpn/client.key
Be carefull to copy only the key and nothing else from this file. Also do
not
copy "<PRIVATE_KEY:916>" from the first line just the "-----BEGIN
PRIVATE
KEY---
--"
Unfortunately if you manage to setup correctly openvpn on your machine,
still
you are not going to have fun with AMPR, as the server certificate has
expired.
I have sent an e-mail on this list but it seems OH7LZB is not reachable from
here.
I hope this helps
73
Apostolos, SV1LJJ 
28 Sep
28 Sep
1:31 p.m.
Hi to all
I have also tried to connect and, indeed, the certificate has expired ("VERIFY ERROR:
depth=1, error=certificate has expired: O=AMPRnet, CN=OH7LZB VPN service CA,
serial=15176845288007500179")
There is also the problem that the key was generated with an old version of OpensSSL and
in modern versions (in my case I use Fedora 38) it fails with: OpenSSL: error:0A00018F:SSL
routines::ee key too small:
In the latter case it can continue working with the option: tls-cipher
DEFAULT:@SECLEVEL=0
In any case, the certificate is no longer valid.
Does the VPN service still exist? If not, they should remove the Howto from the
documentation.
29 Feb
29 Feb
12:37 p.m.
Bumping this to see if anyone has had success communicating with OH7LZB on updating his
server-side certificate, or if we're all just assuming at this point that the VPN
service has been discontinued.
73, Brian, N0QVC
69
days inactive
234
days old
8 comments
5 participants
participants (5)
-
Apostolos Kefalas -
brian.klier@gmail.com -
Chris -
Dave Hibberd -
lu3vea@gmail.com