Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

OpenVPN Ver 2.6.12 Connectivity Issue with OpenVPN Connect V3 #639

Open
Cancer-zern opened this issue Nov 6, 2024 · 23 comments
Open

OpenVPN Ver 2.6.12 Connectivity Issue with OpenVPN Connect V3 #639

Cancer-zern opened this issue Nov 6, 2024 · 23 comments

Comments

@Cancer-zern
Copy link

There was an issue with OpenVPN V 2.6.12 logs are mentioned below

Logs:
2024-11-04 11:35:49 Error in cryptoapicert: failed to acquire key. Key not present or is in a legacy token not supported by Windows CNG API: Keyset does not exist (errno=-2146893802)

Troubleshooting:
We face that issue when we have both applications on the same PC. After connecting OpenVPN Connect V3, we will get this error in OpenVPN V 2.6.12.

  1. We install the OpenVPN V 2.6.12 and install the certificate.
  2. Check the connectivity, and it's connected.
  3. Install OpenVPN Connect V3.
  4. Create the Profile import configuration, install, and select the certificate for the profile.
  5. Check the connectivity for OpenVPN Connect V3, and it's connected.
  6. Then disconnect OpenVPN Connect V3 go back to OpenVPN V 2.6.12 and try to connect and we are getting that error.
  7. Just delete the certificate from MMC and install it again.
  8. Check the connection for OpenVPN V 2.6.12 and its connection.

Note:
We don't have this error while using OpenVPN V 2.4./2.5. with OpenVPN Connect V3.

@selvanair
Copy link
Contributor

selvanair commented Nov 6, 2024

Are you running OpenVPN from command line as administrator or from OpenVPN-GUI as limited user or some other way?

When the key stops working (after Connect V3 install), could you check whether the certificate shows as private key available? If the certificate is in the machine store, also check that permissions on the private key does not change.

@Cancer-zern
Copy link
Author

Cancer-zern commented Nov 6, 2024

I'm using OpenVPN-Gui run by my user account (run no as Admin) and install certificate for my user by certmgr.msc

@selvanair
Copy link
Contributor

I'm using OpenVPN-Gui run by my user account (run no as Admin) and install certificate for my user by certmgr.msc

Check the private key associated with the certificate is still present in user store or not after the Connect V3 install.

@Cancer-zern
Copy link
Author

Yep, still present

image

@selvanair
Copy link
Contributor

Yep, still present

I'm out of ideas. You may want to check whether the cert and key is accessible as user using, say, powershell. Something must be changing when Connect V3 is installed and the certificate is linked -- I do not use Connect so I have no way to reproduce this.

@schwabe
Copy link
Contributor

schwabe commented Nov 6, 2024

I asked the OpenVPN Connect team they have an idea what could cause this issue and their response is the following:

If OpenVPN 2.x uses same “OpenVPN Certificate Store" certificate store, then - yes. We migrated to "newer" Windows API for working with certificates, and we automatically migrate all the certificates in the "OpenVPN Certificate Store" store to non-exportable and using new CSP - "Microsoft Software Key Storage Provider" which supposed to be more secure. It is possible that after this migration it would not be possible to use them using old API, and CNG API must be used (https://learn.microsoft.com/en-us/windows/win32/seccng/cng-portal).

This certificate migration is done only when upgrading the Connect app. And also the new API that we use can still work with exportable certificates stored in older CSP. So if user has these certificates somewhere in the files, he/she can try to clear the store and add them again using windows GUI, and theoretically they should work in both app, if this is the reason for the issue.

That does not really answer the question why it is not working in this case but it indicates that there are scenarios where OpenVPN Connect messes with the keys it uses.

@schwabe
Copy link
Contributor

schwabe commented Nov 6, 2024

One question that came back is what specific version of OpenVPN Connect you are using since the statement that I written before only applies to the latest 3.5.0 version of Connect. Older version used the older API.

@selvanair
Copy link
Contributor

selvanair commented Nov 6, 2024

In OpenVN~-GUI~ we use CNG API so that could not be the issue. In fact the user says 2.4 works(!) which was probably using the legacy API. Also, we do not look for certificates in "OpenVPN Certificate Store" -- we only scan system stores for current-user and local machine.

If OpenVPN Connect only migrates certificates in its own custom store, I suppose it should not affect us. We'll need to reproduce this to know what exactly is going on.

@selvanair
Copy link
Contributor

Regarding use of CNG API:

The fact that 2.4 works and 2.6 does not, to me it appears the opposite to be the case: in 2.6 we only support CNG keys, not legacy ones. Does older Connect versions move the key to a legacy provider?

@Cancer-zern on re-installing the certificate, does it work under both Connect and OpenVPN-GUI ?

@Cancer-zern
Copy link
Author

One question that came back is what specific version of OpenVPN Connect you are using since the statement that I written before only applies to the latest 3.5.0 version of Connect. Older version used the older API.

I will check it today and let you know

@Cancer-zern
Copy link
Author

Regarding use of CNG API:

The fact that 2.4 works and 2.6 does not, to me it appears the opposite to be the case: in 2.6 we only support CNG keys, not legacy ones. Does older Connect versions move the key to a legacy provider?

@Cancer-zern on re-installing the certificate, does it work under both Connect and OpenVPN-GUI ?

yep, if I re-install certificate for windows certificate storage as certmgr.msc then 2.6.* start working and connect also working with same certificate what I've installed before.

But if I will install new certificate to OpenVPN connect, then all certificates for 2.6.* stop working again.
Each time when I have to install new certificates to OpenVPN connect v3.5.0 old version 2.6.* stop working with all certificates.
Not affecting if 2.4 or 2.5

@Cancer-zern
Copy link
Author

Cancer-zern commented Nov 7, 2024

  1. I've installed OpenVPN 2.6.12 and then certificate - connect to the server side its's working
  2. Then install OpenVPN connect 3.5.0 then install certificate for v3 - connect working fine
  3. After that I check connection for OpenVPN 2.6.12 it's not working same error
  4. Remove OpenVPN connect 3.5.0 and restart PC, it's still same error.
  5. Re-install certificate for certmgr.msc it's working again for v2.6.12

@Cancer-zern
Copy link
Author

  1. I've installed OpenVPN 2.6.12 and then certificate - connect to the server side its's working
  2. Then install OpenVPN connect 3.5.0 then install certificate for v3 - connect working fine
  3. After that I check connection for OpenVPN 2.6.12 it's not working same error
  4. Remove OpenVPN connect 3.5.0 and restart PC, it's still same error.
  5. Remove OpenVPN 2.6.12 and install OpenVPN 2.4.12 it's working without certificate re-install

@Cancer-zern
Copy link
Author

OpenVPN 2.6.12 and OpenVPN-Connect V3.4.4 is working fine together

@selvanair
Copy link
Contributor

selvanair commented Nov 7, 2024

I could not reproduce this with Connect 3.5.1 (A 100 MB download and 300 MB installed space -- ahem) and OpenVPN 2.6.11 (also tried git master version).
OS: Windows 10 Education

Uploaded the same certificate as used by OpenVPN 2.6 via cryptoapicert option into Connect V3 --- it adds the certificate and key into a custom store named "OpenVPN Certificate Store" as @schwabe mentioned. AFAICS The certificate in the default store that we use is unaffected and continues to work with OpenVPN 2.6.

I did not test how Connect 3.5.0 behaves.

See screenshots below showing certificates in the two stores -- here I'm using the one named "mra.." that can be seen to be present in two stores.

cert-store1
cert-store2

@Cancer-zern
Copy link
Author

Cancer-zern commented Nov 8, 2024

Windows 11 Enterprise
openvpn 2.6.12
openvpn-connect-3.5.1.3946

Same error as before
Error in cryptoapicert: failed to acquire key. Key not present or is in a legacy token not supported by Windows CNG API: Keyset does not exist (errno=-2146893802)

  1. We install the OpenVPN V 2.6.12 and install the certificate for certmgr.msc and import profile
  2. Check the connectivity, and it's connected.
  3. Install openvpn-connect-3.5.1.3946
  4. Install certificate for openvpn-connect-3.5.1.3946
  5. Try to connect from OpenVPN V 2.6.12 and we are getting that error.

Enough install certificate for openvpn-connect-3.5.1.3946 and v2.6.12 is stop working

image

image

@Cancer-zern
Copy link
Author

Cancer-zern commented Nov 8, 2024

Windows 10 Enterprise
openvpn 2.6.12
openvpn-connect-3.5.1.3946

Same error as before
Error in cryptoapicert: failed to acquire key. Key not present or is in a legacy token not supported by Windows CNG API: Keyset does not exist (errno=-2146893802)

  1. We install the OpenVPN V 2.6.12 and install the certificate for certmgr.msc and import profile
  2. Check the connectivity, and it's connected.
  3. Install openvpn-connect-3.5.1.3946
  4. Install certificate for openvpn-connect-3.5.1.3946
  5. Try to connect from OpenVPN V 2.6.12 and we are getting that error.

Enough install certificate for openvpn-connect-3.5.1.3946 and v2.6.12 is stop working

image

@Cancer-zern
Copy link
Author

Cancer-zern commented Nov 8, 2024

I could not reproduce this with Connect 3.5.1 (A 100 MB download and 300 MB installed space -- ahem) and OpenVPN 2.6.11 (also tried git master version). OS: Windows 10 Education

Uploaded the same certificate as used by OpenVPN 2.6 via cryptoapicert option into Connect V3 --- it adds the certificate and key into a custom store named "OpenVPN Certificate Store" as @schwabe mentioned. AFAICS The certificate in the default store that we use is unaffected and continues to work with OpenVPN 2.6.

I did not test how Connect 3.5.0 behaves.

See screenshots below showing certificates in the two stores -- here I'm using the one named "mra.." that can be seen to be present in two stores.

cert-store1 cert-store2

Windows 11 Enterprise and Windows 10 Enterprise
openvpn 2.6.11
openvpn-connect-3.5.1.3946

Same error
image

We are checking with freshly installed OS every time

@Cancer-zern
Copy link
Author

Cancer-zern commented Nov 8, 2024

  1. Install OpenVPN 2.6.12 and added certificate and connected and then disconnected
PS C:\Users\Test> Get-ChildItem -Path cert:\CurrentUser\My\ | Format-List -Property *

PSPath                   : Microsoft.PowerShell.Security\Certificate::CurrentUser\My\D81F92BDFAD21AF57A085D24573B9EB380E003DD
PSParentPath             : Microsoft.PowerShell.Security\Certificate::CurrentUser\My
PSChildName              : D81F92BDFAD21AF57A085D24573B9EB380E003DD
PSDrive                  : Cert
PSProvider               : Microsoft.PowerShell.Security\Certificate
PSIsContainer            : False
EnhancedKeyUsageList     : {}
DnsNameList              : {XXX: 44244390}
SendAsTrustedIssuer      : False
EnrollmentPolicyEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
EnrollmentServerEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
PolicyId                 :
Archived                 : False
Extensions               : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid...}
FriendlyName             :
IssuerName               : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter                 : 1/25/2027 3:10:01 AM
NotBefore                : 1/25/2022 3:00:01 AM
HasPrivateKey            : True
PrivateKey               : System.Security.Cryptography.RSACryptoServiceProvider
PublicKey                : System.Security.Cryptography.X509Certificates.PublicKey
RawData                  : {48, 130, 4, 137...}
SerialNumber             : 5400004526200C7E45F9A11F77000100004526
SubjectName              : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm       : System.Security.Cryptography.Oid
Thumbprint               : D81F92BDFAD21AF57A085D24573B9EB380E003DD
Version                  : 3
Handle                   : 2416715395664
Issuer                   : CN=XXXXX-CA
Subject                  : CN=XXX: 44244390

  1. Install openvpn-connect-3.5.1.3946 and added certificate for this application (no more)
PS C:\Users\Test> Get-ChildItem -Path cert:\CurrentUser\My\ | Format-List -Property *

PSPath                   : Microsoft.PowerShell.Security\Certificate::CurrentUser\My\D81F92BDFAD21AF57A085D24573B9EB380E003DD
PSParentPath             : Microsoft.PowerShell.Security\Certificate::CurrentUser\My
PSChildName              : D81F92BDFAD21AF57A085D24573B9EB380E003DD
PSDrive                  : Cert
PSProvider               : Microsoft.PowerShell.Security\Certificate
PSIsContainer            : False
EnhancedKeyUsageList     : {}
DnsNameList              : {XXX: 44244390}
SendAsTrustedIssuer      : False
EnrollmentPolicyEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
EnrollmentServerEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
PolicyId                 :
Archived                 : False
Extensions               : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid,
                           System.Security.Cryptography.Oid, System.Security.Cryptography.Oid...}
FriendlyName             :
IssuerName               : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter                 : 1/25/2027 3:10:01 AM
NotBefore                : 1/25/2022 3:00:01 AM
HasPrivateKey            : True
PrivateKey               : System.Security.Cryptography.RSACryptoServiceProvider
PublicKey                : System.Security.Cryptography.X509Certificates.PublicKey
RawData                  : {48, 130, 4, 137...}
SerialNumber             : 5400004526200C7E45F9A11F77000100004526
SubjectName              : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm       : System.Security.Cryptography.Oid
Thumbprint               : D81F92BDFAD21AF57A085D24573B9EB380E003DD
Version                  : 3
Handle                   : 2416715396816
Issuer                   : CN=XXXXX-CA
Subject                  : CN=XXX: 44244390

@selvanair
Copy link
Contributor

The powershell output "before" and "after" doesn't show any significant difference in my view. The handle change may be just because the certificate enumeration has changed after Connect added one to its custom store. All other parameters are the same and nothing to indicate why the original certificate and key could stop being usable from OpenVPN 2.6.

FWIW, I also modified OpenVPN source to use "OpenVPN Certificate Store", and that also succeeds indicating that the certificate uploaded by Connect V3 is compatible with OpenVPN 2.6. But this should not matter as we only read the store "MY" for the user and machine.

No idea how to reproduce the error you see.

@Cancer-zern
Copy link
Author

After openvpn-connect-3.5.1.3946 installation and import certificate, authentification on web panels stopped working with cert:\CurrentUser\My\

Access to admin.ntpayments.net was denied
There was a problem using your login certificate.
Try contacting the system admin.
ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED

@selvanair
Copy link
Contributor

This is turning out to be a Connect issue isn't it, as it's not just OpenVPN 2 that's affected? If so, please report to connect customer support.

@Cancer-zern
Copy link
Author

Cancer-zern commented Nov 20, 2024

Sure, I've added a ticket for https://support.openvpn.com/

ticket id 532649

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants