Certificate Verification Error


daptap

Byte Poster
NAS
DS718+
Router
RT2600ac
I'm getting the attached error when trying to log in to my VPN server on my DS718+ through the OpenVPN app on my iPhone. I have an email from the Expiry Bot at LE that says the certificate expires on 11/21 (so, not expired). I haven't changed any settings and this has been working for a couple of years for me. Not sure what changed now. Upgraded DSM to the latest (update 4 that just came out), but no solve. Any ideas?
 

Rusty

Moderator
NAS Support
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
RT1900ac, RT2600ac, MR2200ac
LE that expires in 2021? Think that's some kind of mistake. They last 3 months.
 

Telos

Mega Poster
Don't select "certificate" in the preceding pop-up window... choose "continue". That's how Android works, anyway. Maybe the same for iphone.
 

daptap

Byte Poster
NAS
DS718+
Router
RT2600ac
Don't select "certificate" in the preceding pop-up window... choose "continue". That's how Android works, anyway. Maybe the same for iphone.
not an option in iOS. In the settings for this profile, none is selected for certificate.
 

fredbert

Giga Poster
Yep for iOS, don't select certificate.

However, I think that if you have changed settings in the OpenVPN server then it's best to export the .ovpn again and reinstall on your devices. I don't use the DSM VPN Server, rather VPN Plus on SRM, and there may be subtle differences.
 

daptap

Byte Poster
NAS
DS718+
Router
RT2600ac
Yep for iOS, don't select certificate.

However, I think that if you have changed settings in the OpenVPN server then it's best to export the .ovpn again and reinstall on your devices. I don't use the DSM VPN Server, rather VPN Plus on SRM, and there may be subtle differences.
I will probably have to try that next. Or maybe first I'll renew the LE cert and see if it changes anything. I remember setting up the first time was hard for me. iOS doesn't accept any files with the keys and so I had to put it in the .ovpn file at the bottom. Not sure I remember the full process. Any links on how to do this (which file to pull from once the three files are exported from DSM)?

Maybe I should look into changing to SRM as well since I have the RT2600ac router. Wouldn't have to port forward to DSM then. Any drawbacks?
 

fredbert

Giga Poster
I was going to say no drawbacks but there are things to think about:
  1. Do you want normal users logging onto the router? I don't so:
    • Installed LDAP Server on the NAS and created a set of users on there plus a vpnusers group
    • Connected the RT to the LDAP server and assigned VPN Plus access to vpnusers.
    • The NAS can be used by these accounts to manage their passwords etc. and I stopped permission to access other NAS services.
  2. LE certificate renewal is tricky or manual if you have to share one IP between devices. Synology's SSL-VPN service will use the one certificate that SRM supports so you need to decide how to maintain it (or resign yourself to self-signed). ... this isn't really a drawback since SSL-VPN isn't on the NAS VPN server.**
Otherwise, haven't found any drawbacks and the, ahem, plus is you can use SSL VPN and WebVPN if you want to. And the iOS VPN Plus app.

Each NAS/router has a limit on the number of connections to each type of VPN. My DS218+ allows 30 concurrent connections which is more than the RT2600ac's 20, but I've never hit this limit.

The 'plus' VPNs require a licence per concurrently connected user (it's per account, so two connections on the same account is 1 licence). You have a free one and extras are $10 + VAT and non-transferable to a new RT/MR.

We discussed this a bit here too VPN server: on DSM or SRM?


**Rusty will say to run the letsencrypt Docker container to resolve this, but I still haven't sat down and worked this through.
 

daptap

Byte Poster
NAS
DS718+
Router
RT2600ac
OK. I'm an idiot. The DDNS associated with my DS718+ was not expired, but the DDNS associated with my RT2600ac was expired. And the latter is what I point the OpenVPN config file to... ergo, the certificate verification error. All is well now.

I'm going to post another question though related to my process of renewing the certs and which DDNS I should really be using. After racquetball late tonight!!
 

daptap

Byte Poster
NAS
DS718+
Router
RT2600ac
I spoke too soon. So, I did need to renew my certificate, and now when I click on the profile in the OpenVPN app it says it is connected; however, no traffic gets through. Any thoughts?
 

Rusty

Moderator
NAS Support
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
RT1900ac, RT2600ac, MR2200ac
Firewall access for your VPN subnet?
 

daptap

Byte Poster
NAS
DS718+
Router
RT2600ac
It appears it was advice I got from this website to fix DNS leaking: adding "block-outside-dns" to the config file of OpenVPN. This worked for some time for me but at some point stopped (wonder if DNS over HTTPS in the SRM update affected this?). It looked like it wouldn't resolve DNS queries once connected to the VPN. Removing the line allows a connection... at least on my Windows 10 laptop. Now to check the iPhone.

EDIT: Yep, that was the issue on the iPhone as well. Strange that it was working before and now it did not.
 
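Added example (written for this page, not code from any poster or from Synology): it covers the two practical points raised in the thread. First, how to fold the three files DSM exports (ca, cert, key) into the bottom of a single .ovpn file so iOS can import it without separate key files, which is what daptap asked about. Second, a small lint pass over the resulting profile that reports which `remote` host the client will actually verify the certificate against (the DDNS mix-up in the thread) and flags the Windows-only `block-outside-dns` directive that broke DNS on the other clients. The hostname and PEM bodies are constructed placeholders; reading the exported files into strings is assumed.

```python
"""Build an inline OpenVPN client profile and lint it for two pitfalls:
the remote host the certificate is checked against, and Windows-only
directives. Hostnames and PEM contents below are constructed placeholders."""
import re

# Directives that point at an external file and have an inline <tag> form.
FILE_DIRECTIVES = ("ca", "cert", "key", "tls-auth", "tls-crypt")
# Directives only the Windows OpenVPN client implements; other clients
# either ignore them or, as in this thread, fail to resolve DNS.
WINDOWS_ONLY = ("block-outside-dns",)


def _directive(line):
    """First token of a config line, or '' for blank and comment lines."""
    stripped = line.strip()
    if not stripped or stripped[0] in "#;":
        return ""
    return stripped.split()[0]


def embed_inline(profile, pem_blobs):
    """Replace `ca ca.crt`-style file references with <ca>...</ca> blocks
    appended at the end, so one .ovpn carries everything the client needs."""
    kept = [line for line in profile.splitlines()
            if _directive(line) not in pem_blobs]
    for tag, pem in pem_blobs.items():
        kept.extend([f"<{tag}>", pem.strip(), f"</{tag}>"])
    return "\n".join(kept) + "\n"


def drop_windows_only(profile):
    """Remove directives that only the Windows client understands."""
    kept = [line for line in profile.splitlines()
            if _directive(line) not in WINDOWS_ONLY]
    return "\n".join(kept) + "\n"


def lint_profile(profile):
    """Summarise the remote host, inline blocks, leftover file references
    and Windows-only directives. PEM payload inside <tag> blocks is skipped
    so its lines are never mistaken for directives."""
    report = {"remote": None, "inline": [], "file_refs": [], "windows_only": []}
    inside = None  # name of the inline block currently being skipped
    for line in profile.splitlines():
        stripped = line.strip()
        if inside:
            if stripped == f"</{inside}>":
                inside = None
            continue
        opening = re.fullmatch(r"<([a-z-]+)>", stripped)
        if opening:
            inside = opening.group(1)
            report["inline"].append(inside)
            continue
        d = _directive(line)
        if d == "remote":
            # This host is what the client matches the server cert against,
            # so it must be the DDNS name whose certificate was renewed.
            report["remote"] = stripped.split()[1]
        elif d in FILE_DIRECTIVES:
            report["file_refs"].append(stripped)
        elif d in WINDOWS_ONLY:
            report["windows_only"].append(d)
    return report


# Constructed stand-in for the profile DSM exports (placeholder hostname).
EXPORTED_PROFILE = """\
client
dev tun
proto udp
remote nas.example-ddns.invalid 1194
ca ca.crt
cert client.crt
key client.key
block-outside-dns
"""

# Constructed stand-ins for the three exported PEM files.
PEM = {
    "ca": "-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----",
    "cert": "-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----",
    "key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----",
}


def build_and_check():
    """Produce the inline profile (minus Windows-only lines) and its lint report."""
    inline = drop_windows_only(embed_inline(EXPORTED_PROFILE, PEM))
    return inline, lint_profile(inline)


if __name__ == "__main__":
    text, report = build_and_check()
    print(text)
    print(report)
```

Run it against the real exported files by reading them into the `PEM` dict; the `remote` value in the report is the name to compare with the DDNS hostname whose Let's Encrypt certificate you actually renewed.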
