VPN cert expiration
For some reason last night, I lost connection to the VPN gateway. I was done, so I turned off my computer. This morning I tried to connect and found that my certificate had expired. However, it took some digging to figure that out. Here is what happened:
I run bitmask (latest bundle af552318). I press "Turn on" and I see it saying "Connecting" briefly, but then almost immediately the button returns to "Turn on". If I let it sit there for a minute or so, it seems like the state changes back to "Connecting" all on its own, and this time it stays there longer. There is no error in the bitmaskd.log, which is strange. After some time, I got annoyed and I went to the server to see if I was even connecting to the server, and I watched the openvpn logs and found this:
Mon Sep 18 09:54:38 2017 107.179.136.100:34885 VERIFY ERROR: depth=0, error=certificate has expired: /CN=UNLIMITED6yb9pfs618x0vs0gsjj74b7gt
Mon Sep 18 09:54:38 2017 107.179.136.100:34885 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Mon Sep 18 09:54:38 2017 107.179.136.100:34885 TLS Error: TLS object -> incoming plaintext read error
Mon Sep 18 09:54:38 2017 107.179.136.100:34885 TLS Error: TLS handshake failed
Mon Sep 18 09:54:38 2017 107.179.136.100:34885 SIGUSR1[soft,tls-error] received, client-instance restarting
Mon Sep 18 09:54:58 2017 107.179.136.100:45241 TLS: Initial packet from [AF_INET]107.179.136.100:45241, sid=e9a925ab d9ad2f83
Mon Sep 18 09:54:58 2017 107.179.136.100:45241 VERIFY OK: depth=1, /O=Riseup_Networks/OU=https://riseup.net/CN=Riseup_Networks_Root_CA__client_certificates_only__
Mon Sep 18 09:54:58 2017 107.179.136.100:45241 VERIFY ERROR: depth=0, error=certificate has expired: /CN=UNLIMITED6yb9pfs618x0vs0gsjj74b7gt
Mon Sep 18 09:54:58 2017 107.179.136.100:45241 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Mon Sep 18 09:54:58 2017 107.179.136.100:45241 TLS Error: TLS object -> incoming plaintext read error
Mon Sep 18 09:54:58 2017 107.179.136.100:45241 TLS Error: TLS handshake failed
Mon Sep 18 09:54:58 2017 107.179.136.100:45241 SIGUSR1[soft,tls-error] received, client-instance restarting
So it seems my certificate expired!
I guess this makes me think a few things need to happen: 1. I need a new certificate automatically; if something fails, it should probably provide some kind of meaningful error so we can figure out what is going on.
I moved my ~/.config/leap directory out of the way, and re-launched bitmask to get new ones.
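Added example (not part of the original report, and not bitmask or OpenVPN code): a short Python scan of an OpenVPN server log for the depth=0 "certificate has expired" failures quoted above, grouped by client subject so an operator can see which clients are retrying with an expired certificate. The sample log lines, IP addresses and CNs are constructed placeholders, and the function name is hypothetical.

```python
import re

# Constructed sample lines in the same format as the server log quoted above
# (documentation IP ranges and placeholder CNs, not values from the report).
SAMPLE_LOG = """\
Mon Sep 18 09:54:38 2017 192.0.2.10:34885 VERIFY ERROR: depth=0, error=certificate has expired: /CN=EXAMPLECLIENT1
Mon Sep 18 09:54:38 2017 192.0.2.10:34885 TLS Error: TLS handshake failed
Mon Sep 18 09:54:58 2017 192.0.2.10:45241 VERIFY OK: depth=1, /O=Example/CN=Example_Root_CA
Mon Sep 18 09:54:58 2017 192.0.2.10:45241 VERIFY ERROR: depth=0, error=certificate has expired: /CN=EXAMPLECLIENT1
Mon Sep 18 09:54:58 2017 192.0.2.10:45241 TLS Error: TLS handshake failed
Mon Sep 18 09:55:03 2017 198.51.100.7:50112 VERIFY OK: depth=0, /CN=EXAMPLECLIENT2
"""

# timestamp, peer (ip:port), verify depth, error text, certificate subject
VERIFY_ERROR = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4}) (?P<peer>\S+) "
    r"VERIFY ERROR: depth=(?P<depth>\d+), error=(?P<error>[^:]+): (?P<subject>.+)$"
)


def expired_client_certs(log_text):
    """Summarise leaf-certificate (depth=0) expiry failures per subject."""
    hits = {}
    for line in log_text.splitlines():
        m = VERIFY_ERROR.match(line.strip())
        # depth=0 is the client's own certificate; higher depths are CA certs.
        if not m or m["depth"] != "0" or m["error"] != "certificate has expired":
            continue
        ip = m["peer"].rsplit(":", 1)[0]  # drop the ephemeral source port
        entry = hits.setdefault(
            m["subject"],
            {"count": 0, "first": m["ts"], "last": m["ts"], "peers": set()},
        )
        entry["count"] += 1
        entry["last"] = m["ts"]
        entry["peers"].add(ip)
    return hits


if __name__ == "__main__":
    for subject, info in expired_client_certs(SAMPLE_LOG).items():
        print(f"{subject}: {info['count']} expired-cert handshakes "
              f"from {sorted(info['peers'])}, {info['first']} .. {info['last']}")
```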