Hi all,
I’ve been trying off and on over the last few days to set up a VPN connection to amprnet to use my new allocation.
I’m not succeeding on multiple Linux machines and a macOS device and seeing a couple of the same errors -
OpenSSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
Cannot load private key file /etc/openvpn/client.key
Error: private key password verification failed
The first is related to, I assume, my user certificate - is this a fatal error and am I doing something wrong, has the advice changed from `cat certs/user certs/authorities > client.crt`?
Secondly, the password verification is confusing me - I have just imported a new tqsl cert generated this week, and in tqsl it advises me there’s no certificate passphrase. I’m not sure what to do here - if I try and export a .p12 from tqsl, and generate keys from that, I am asked for a password too and that ends in no progress.
I see the same errors in Tunnelblick on macOS.
Is there any reason I’m being asked for a password? My current LoTW password doesn’t resolve this. My concern is that there is some password I’m missing from when the certificate was first generated years ago and that now prevents me from accessing the VPN.
Cheers & 73 Hibby MM0RFN.
Hi Dave,
First of all there is currently no “AMPRNet” VPN, i.e. ARDC are not yet providing such a service, although the TAC are currently working on this.
So I guess you must be trying to connect to an independent VPN server that has been set up by another ham, in which case you would probably get more specific answers if you were to contact that person for assistance.
Otherwise, if you can provide a bit more context, some folks on this list may be able to assist you; there may be someone that is already connecting to the same VPN, for example, and may therefore have experience that is specific to that VPN.
73, Chris - G1FEF — ARDC Administrator
Web: https://www.ardc.net
Chris -
Apologies for the confusion, I was following the AMPRNet VPN instructions on https://wiki.ampr.org/wiki/AMPRNet_VPN and, based on other things I’ve seen on the list, assumed that messaging here would be the most appropriate path to seek assistance.
Thanks DH
Hello Dave,
OpenSSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
Cannot load private key file /etc/openvpn/client.key
Error: private key password verification failed
It seems to me that you have missed a step:
The private key needs to be extracted from the YOURCALL file.
This is in the file .tqsl/keys/MM0RFN and needs to be in /etc/openvpn/client.key
Be careful to copy only the key and nothing else from this file. Also, do not copy "<PRIVATE_KEY:916>" from the first line, just the "-----BEGIN PRIVATE KEY-----"
Unfortunately, if you manage to set up openvpn correctly on your machine, you are still not going to have fun with AMPR, as the server certificate has expired. I have sent an e-mail on this list but it seems OH7LZB is not reachable from here.
I hope this helps
73 Apostolos, SV1LJJ
Hi there, thanks for coming back - I’ve not missed that step, and this is what causes my confusion.
I’ve extracted the private key, put it in client.key as the instructions said.
I’ve done this across 3 different machines, one running just openvpn which my extract is from, one I am using openvpn network manager & gnome 3 and another running Tunnelblick. On all 3 setups, it complains the key is missing when checking the logs and that password verification has failed, yet when checking in tqsl, it tells me the certificate is not password protected.
It sounds like all is for naught anyway if the server cert is expired,
Thanks anyway
DH
Do not shoot but... client.key file permissions?
Great question! I did think about including this!
On one of the machines
hibby@raspberrypi:/etc/openvpn $ ls -l
total 28
-rw-r--r-- 1 root root 1290 Sep 13 00:35 amprnet-vpn-ca.crt
drwxr-xr-x 2 root root 4096 May 14 2021 client
-rw-r--r-- 1 root root 212 Sep 15 00:07 client.conf
-rw-r--r-- 1 root root 4014 Sep 14 23:55 client.crt
-rw-r--r-- 1 root root 916 Sep 15 00:18 client.key
cheers Dh
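Added example, not written by anyone in this thread and not TQSL or OpenVPN code: the key-extraction step discussed above in Python, with a check of whether the extracted PEM is passphrase-protected and an owner-only write of client.key. It assumes the number in the `<PRIVATE_KEY:N>` tag is the byte length of the PEM that follows (consistent with the 916-byte client.key in the listing above); the sample file, its other fields and all function names are constructed for illustration.

```python
import os
import re

TAG = re.compile(rb"<PRIVATE_KEY:(\d+)>", re.I)
PEM = re.compile(
    rb"\A-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----\r?\n?\Z", re.S)

def make_sample(label="PRIVATE KEY"):
    """Constructed key file: only the <PRIVATE_KEY:N> tag comes from the thread;
    the other fields and the key body are invented placeholders."""
    pem = f"-----BEGIN {label}-----\nQ09OU1RSVUNURUQ=\n-----END {label}-----\n"
    return f"<CALLSIGN:6>MM0RFN\n<PRIVATE_KEY:{len(pem)}>{pem}<eor>\n".encode()

def extract_private_key(blob: bytes) -> bytes:
    """Return exactly the N bytes that follow <PRIVATE_KEY:N> (assumed to be
    the PEM length), so neither the tag nor later fields end up in client.key."""
    m = TAG.search(blob)
    if not m:
        raise ValueError("no <PRIVATE_KEY:N> field found")
    n = int(m.group(1))
    pem = blob[m.end():m.end() + n]
    if len(pem) != n:
        raise ValueError("key field is shorter than its declared length")
    return pem

def classify_pem(pem: bytes) -> str:
    """Report whether loading this PEM will require a passphrase."""
    m = PEM.match(pem)
    if not m:
        return "malformed"  # tag left in, or a damaged BEGIN/END line
    label, body = m.group(1), m.group(2)
    if label == b"ENCRYPTED PRIVATE KEY" or b"Proc-Type: 4,ENCRYPTED" in body:
        return "encrypted"  # PKCS#8 encrypted, or legacy encrypted PEM
    if label.endswith(b"PRIVATE KEY"):
        return "unencrypted"
    return "not-a-private-key"

def write_key(path: str, pem: bytes) -> None:
    """Write the key readable by its owner only (mode 0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(pem)
    os.chmod(path, 0o600)  # also tightens a file that already existed

if __name__ == "__main__":
    key = extract_private_key(make_sample())
    print(classify_pem(key), len(key), "bytes")
```

A result of "encrypted" means OpenSSL will prompt for a passphrase when it loads the file; "malformed" usually points at a copy-and-paste problem such as the tag line or a broken BEGIN line being included.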
Hi to all
I have also tried to connect and, indeed, the certificate has expired ("VERIFY ERROR: depth=1, error=certificate has expired: O=AMPRnet, CN=OH7LZB VPN service CA, serial=15176845288007500179")
There is also the problem that the key was generated with an old version of OpenSSL and in modern versions (in my case I use Fedora 38) it fails with: OpenSSL: error:0A00018F:SSL routines::ee key too small:
In the latter case it can continue working with the option: tls-cipher DEFAULT:@SECLEVEL=0
In any case, the certificate is no longer valid.
Does the VPN service still exist? If not, they should remove the Howto from the documentation.
Bumping this to see if anyone has had success communicating with OH7LZB on updating his server-side certificate, or if we're all just assuming at this point that the VPN service has been discontinued.
73, Brian, N0QVC