OpenVPN error=certificate is not yet valid

Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking
View previous topic :: View next topic  
Author Message
MajesticPete
DD-WRT Novice


Joined: 11 Jan 2010
Posts: 14
PostPosted: Thu Jan 14, 2010 21:24    Post subject: OpenVPN error=certificate is not yet valid Reply with quote
trying to setup openvpn daemon on build13064 following the "easy VPN" tutorial in the wiki and getting the following error logged in /var/log/messages:

Code:
Jan 14 15:08:13 DD-WRT daemon.notice openvpn[1548]: 192.168.1.166:4822 TLS: Initial packet from 192.168.1.166:4822, sid=afa1a9d5 d9331068
Jan 14 15:08:13 DD-WRT daemon.err openvpn[1548]: 192.168.1.166:4822 VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=US/ST=MO/L=STL/O=private/OU
=home/CN=server/emailAddress=none@none.com


I've checked the dates on certificates - valid, issuing server, dd-wrt, and the client - and they're all synced from the same internal time source correctly.

dd-wrt wan = 192.168.1.65
dd-wrt lan = 192.168.2.0/24
openvpn client connects to 192.168.1.65 from 192.168.1.0/24 network.

my server-side openvpn.conf:
Code:
mode server
proto udp
port 1194
dev tap0
server-bridge 192.168.2.1 255.255.255.0 192.168.2.50 192.168.2.100
 # Gateway (VPN Server)   Subnetmask   Start-IP   End-IP
keepalive 10 120
daemon
verb 5
client-to-client
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
float


client-side conf (openVPN GUI):
Code:
remote 192.168.1.65 1194

tls-client
dev tap0
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
float

ca ca.crt
cert client1.crt
key client1.key
dh dh1024.pem

ns-cert-type server



I have tried re-issuing all of the certs, but still the same error... Is there anything else i can try?
Back to top View user's profile Send private message
Sponsor
olmari
DD-WRT Guru


Joined: 24 Oct 2006
Posts: 1447
Location: Finland
PostPosted: Thu Jan 14, 2010 21:37    Post subject: Reply with quote
Sync both ends time?
Back to top View user's profile Send private message
MajesticPete
DD-WRT Novice


Joined: 11 Jan 2010
Posts: 14
PostPosted: Fri Jan 15, 2010 1:28    Post subject: Reply with quote
Yup, both ends pull time from the same time source (windows DC) and are completely in sync
Back to top View user's profile Send private message
dc
DD-WRT User


Joined: 08 Jun 2006
Posts: 247
Location: Prince Edward Island - Canada
PostPosted: Fri Jan 15, 2010 19:32    Post subject: Reply with quote
MajesticPete wrote:
Yup, both ends pull time from the same time source (windows DC) and are completely in sync


I found that in some instances the gmt time was used on the certs for signing but the local time was used to check the values.. in other words the certs did not become valid until (in my case) 4 hours after I created them.
Back to top View user's profile Send private message
theirongiant
DD-WRT Novice


Joined: 25 Apr 2009
Posts: 29
PostPosted: Sun Aug 15, 2010 9:36    Post subject: Reply with quote
I'm going to try setting the time zone on my computer to GMT, making the cert, setting it back, and see if that sticks.

edit: nevermind, it was much easier: I just set the router's clock to UTC and it worked immediately! I'll set it back to my own time zone tomorrow.
Back to top View user's profile Send private message
priority
DD-WRT Novice


Joined: 18 Aug 2012
Posts: 7
PostPosted: Sat Aug 18, 2012 18:54    Post subject: Reply with quote
theirongiant wrote:
I just set the router's clock to UTC and it worked immediately! I'll set it back to my own time zone tomorrow.


Thanks...was about to pull my hair out fighting the same issue.
Back to top View user's profile Send private message
slobodan
DD-WRT Guru


Joined: 03 Nov 2011
Posts: 1557
Location: Zwolle
PostPosted: Sat Aug 18, 2012 19:34    Post subject: Reply with quote
Yes, UTC with no daylight savings is the best setting in respect to setting a proper system time. It seems that uclibc from DD-WRT has been stripped of some code and does not support other timezones, therefore programs which rely upon knowing the proper time fail.
_________________
2 times APU2 Opnsense 21.1 with Sensei

2 times RT-AC56U running DD-WRT 45493 (one as Gateway, the other as AP, both bridged with LAN cable)

3 times Asus RT-N16 shelved

E4200 V1 running freshtomato 2020.8 (bridged with LAN cable)

3 times Linksys WRT610N V2 converted to E3000 and 1 original E3000 running freshtomato 2020.8 (bridged with LAN cable)


Back to top View user's profile Send private message Yahoo Messenger MSN Messenger
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum