OpenVPN error=certificate is not yet valid

MajesticPete
DD-WRT Novice


Joined: 11 Jan 2010
Posts: 14

Posted: Thu Jan 14, 2010 21:24    Post subject: OpenVPN error=certificate is not yet valid
Trying to set up the openvpn daemon on build13064 following the "easy VPN" tutorial in the wiki, and getting the following error logged in /var/log/messages:

Code:
Jan 14 15:08:13 DD-WRT daemon.notice openvpn[1548]: 192.168.1.166:4822 TLS: Initial packet from 192.168.1.166:4822, sid=afa1a9d5 d9331068
Jan 14 15:08:13 DD-WRT daemon.err openvpn[1548]: 192.168.1.166:4822 VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=US/ST=MO/L=STL/O=private/OU=home/CN=server/emailAddress=none@none.com


I've checked the dates on certificates - valid, issuing server, dd-wrt, and the client - and they're all synced from the same internal time source correctly.

dd-wrt wan = 192.168.1.65
dd-wrt lan = 192.168.2.0/24
openvpn client connects to 192.168.1.65 from 192.168.1.0/24 network.

my server-side openvpn.conf:
Code:
mode server
proto udp
port 1194
dev tap0
server-bridge 192.168.2.1 255.255.255.0 192.168.2.50 192.168.2.100
 # Gateway (VPN Server)   Subnetmask   Start-IP   End-IP
keepalive 10 120
daemon
verb 5
client-to-client
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
float


client-side conf (openVPN GUI):
Code:
remote 192.168.1.65 1194

tls-client
dev tap0
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
float

ca ca.crt
cert client1.crt
key client1.key
dh dh1024.pem

ns-cert-type server



I have tried re-issuing all of the certs, but still the same error... Is there anything else I can try?
olmari
DD-WRT Guru


Joined: 24 Oct 2006
Posts: 1447
Location: Vaasa, Finland

Posted: Thu Jan 14, 2010 21:37
Sync both ends time?
_________________
Site 1:
P3 1GHz Coppermine with DD-WRT v24 as main router
2x Buffalo WHR-HP-G54 with DD-WRT v24 as AP

Site 2:
AMD64 4200+ Dualcore AM2 with DD-WRT v24 as main router
Buffalo WHR-HP-G54 with DD-WRT v24 as AP
MajesticPete
DD-WRT Novice


Joined: 11 Jan 2010
Posts: 14

Posted: Fri Jan 15, 2010 1:28
Yup, both ends pull time from the same time source (Windows DC) and are completely in sync.
dc
DD-WRT User


Joined: 08 Jun 2006
Posts: 247
Location: Prince Edward Island - Canada

Posted: Fri Jan 15, 2010 19:32
MajesticPete wrote:
Yup, both ends pull time from the same time source (Windows DC) and are completely in sync.


I found that in some instances the GMT time was used on the certs for signing but the local time was used to check the values. In other words, the certs did not become valid until (in my case) 4 hours after I created them.
theirongiant
DD-WRT Novice


Joined: 25 Apr 2009
Posts: 29

Posted: Sun Aug 15, 2010 9:36
I'm going to try setting the time zone on my computer to GMT, making the cert, setting it back, and see if that sticks.

Edit: never mind, it was much easier: I just set the router's clock to UTC and it worked immediately! I'll set it back to my own time zone tomorrow.
priority
DD-WRT Novice


Joined: 18 Aug 2012
Posts: 7

Posted: Sat Aug 18, 2012 18:54
theirongiant wrote:
I just set the router's clock to UTC and it worked immediately! I'll set it back to my own time zone tomorrow.


Thanks...was about to pull my hair out fighting the same issue.
slobodan
DD-WRT Guru


Joined: 03 Nov 2011
Posts: 1545
Location: Zwolle

Posted: Sat Aug 18, 2012 19:34
Yes, UTC with no daylight saving is the best setting with respect to setting a proper system time. It seems that uClibc from DD-WRT has been stripped of some code and does not support other time zones; therefore, programs which rely upon knowing the proper time fail.
_________________
2 times RT-AC56U running 33772 with entware-ng, Yamon 3 (SFE disabled).

Asus RT-N16 running Merlin LTS fork RT-N16_3.0.0.4_374.43_2-25E8j9527.trx with entware-ng.

2 times Asus RT-N16 running dd-wrt.v24-33772_NEWD-2_K3.x_big.bin with entware-ng

E4200 V1 running dd-wrt.v24-33772_NEWD-2_K3.x_mega-e3000.bin

3 times Linksys WRT610N V2 converted to E3000 and 1 original E3000 running dd-wrt.v24-33772_NEWD-2_K3.x_mega-e3000.bin (bridged with LAN cable)
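
The GMT-versus-local-time mismatch described in the replies above can be checked offline, as in this added example (not part of the original thread). It assumes the certificate dates were printed with `openssl x509 -noout -dates` and that the verifier's clock is off by a whole-hour timezone offset; the sample dates and all function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Date format printed by `openssl x509 -noout -dates` (always GMT/UTC).
OPENSSL_FMT = "%b %d %H:%M:%S %Y GMT"
MAX_TZ_OFFSET = timedelta(hours=14)  # largest UTC offset in use anywhere

# Constructed sample: a CA cert issued 8 minutes before the connection attempt.
SAMPLE_DATES = """notBefore=Jan 14 19:00:00 2010 GMT
notAfter=Jan 12 19:00:00 2020 GMT"""
TRUE_UTC = datetime(2010, 1, 14, 19, 8, 13, tzinfo=timezone.utc)


def parse_dates(text):
    """Return (not_before, not_after) as UTC datetimes from `-dates` output."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            stamp = datetime.strptime(value.strip(), OPENSSL_FMT)
            found[key] = stamp.replace(tzinfo=timezone.utc)
    if len(found) != 2:
        raise ValueError("expected notBefore= and notAfter= lines")
    return found["notBefore"], found["notAfter"]


def diagnose(dates_text, verifier_clock):
    """Classify the cert as seen by a verifier whose clock reads verifier_clock."""
    not_before, not_after = parse_dates(dates_text)
    if verifier_clock > not_after:
        return {"status": "expired", "wait": timedelta(0), "tz_suspect": False}
    if verifier_clock >= not_before:
        return {"status": "valid", "wait": timedelta(0), "tz_suspect": False}
    wait = not_before - verifier_clock
    # A gap no larger than a real UTC offset points at a GMT/local-time mix-up
    # rather than a dead RTC battery or a clock reset to 1970.
    return {"status": "not yet valid", "wait": wait,
            "tz_suspect": wait <= MAX_TZ_OFFSET}


def skewed_clock(true_utc, utc_offset_hours):
    """Assumed fault: the verifier compares local wall time as if it were UTC."""
    return true_utc + timedelta(hours=utc_offset_hours)


if __name__ == "__main__":
    for label, clock in (("correct UTC clock", TRUE_UTC),
                         ("clock 4 h behind UTC", skewed_clock(TRUE_UTC, -4))):
        result = diagnose(SAMPLE_DATES, clock)
        print(f"{label}: {result['status']}, wait {result['wait']}, "
              f"timezone suspect: {result['tz_suspect']}")
```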


All times are GMT
