ns-cert-type is deprecated. use --remote-cert-tls instead

OpenVPN – WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.

You might see the following errors/warnings while connecting to OpenVPN:

If you have the error below, then I have a few questions for you before I start providing a solution for it.

View Log:

Thu Jan 31 20:52:50 2021 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Thu Jan 31 20:52:50 2021 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jan 31 20:52:50 2021 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jan 31 20:52:50 2021 MANAGEMENT: >STATE:1548964370,RESOLVE,,,,,,
Thu Jan 31 20:52:50 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]MY IP
Thu Jan 31 20:52:50 2021 Socket Buffers: R=[8192->8192] S=[8192->8192]
Thu Jan 31 20:52:50 2021 UDP link local: (not bound)
Thu Jan 31 20:52:50 2021 UDP link remote: [AF_INET]MY IP
Thu Jan 31 20:52:50 2021 MANAGEMENT: >STATE:1548964370,WAIT,,,,,,
Thu Jan 31 20:53:50 2021 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Jan 31 20:53:50 2021 TLS Error: TLS handshake failed
Thu Jan 31 20:53:50 2021 SIGUSR1[soft,tls-error] received, process restarting
Thu Jan 31 20:53:50 2021 MANAGEMENT: >STATE:1548964430,RECONNECTING,tls-error,,,,,
Thu Jan 31 20:53:50 2021 Restart pause, 5 second(s)

Before regenerating the certificate, did you alter the value of default_crl_days in /etc/openvpn/easy-rsa/openssl.cnf? Although, to be honest, I don’t think it matters. Regenerating a new certificate should give you 30 extra days even if you didn’t adjust that value…

I’m not sure, but maybe the OpenVPN service needs to be restarted in order to use the newly produced certificate? Even so, I’m only guessing that your problem is similar to the one I linked to. However, the fact that it’s just been working for a month makes that seem more feasible.

I don’t have an OpenVPN server operating right now, so I can’t double-check the command you’ll need to restart the OpenVPN service. However, I’m guessing the service is called “openvpn” or “openvpn-something.” One option is to use tab-complete to guess the name, which might look like this:

To see what choices are available.

On newer Turnkey servers (v14.0+), you can use systemctl as an alternative command. The format is a little different, but it accomplishes the same goal:

Alternatively, simply restarting your server will ensure that all processes and services are restarted.

You also mention that you’ve attempted to regenerate a user configuration (.ovpn file). Have you tried using that updated config (after the CRL regeneration and restarting OpenVPN)? Is it possible that this is also required? Sorry for not being able to provide you with more detailed and definitive answers…

If not, please let us know in the comments section below.
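
The deprecation warning at the top of the log is printed when the ns-cert-type option is in use, typically from a line in the client configuration. As an added example (not part of the original post and not OpenVPN's own tooling), the shell functions below find that directive in a config and print a copy that uses remote-cert-tls instead. The function names, the script name and the sample config (vpn.example.com) are constructed for illustration, and sed -E (GNU or BSD sed) is assumed.

```sh
#!/bin/sh
# Added example: migrate the deprecated ns-cert-type directive in an
# OpenVPN config to remote-cert-tls. Function names are illustrative.

# Constructed sample client config (vpn.example.com is a placeholder).
write_sample_config() {
    cat > "$1" <<'EOF'
client
dev tun
# ns-cert-type server
ns-cert-type server
remote vpn.example.com 1194 udp
EOF
}

# List active ns-cert-type lines as "lineno:text". Lines commented out
# with # or ; are ignored. Exit status is 0 only if a match was found.
find_ns_cert_type() {
    grep -nE '^[[:space:]]*ns-cert-type[[:space:]]+(server|client)([[:space:]]|$)' "$1"
}

# Print the migrated config on stdout; the input file is left untouched.
migrate_ns_cert_type() {
    sed -E 's/^([[:space:]]*)ns-cert-type([[:space:]]+(server|client)([[:space:]]|$))/\1remote-cert-tls\2/' "$1"
}

# remote-cert-tls server validates key usage and extended key usage, so
# the server certificate must carry the serverAuth EKU. Exit 0 if it does.
server_cert_has_eku() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# Usage (migrate.sh is a hypothetical script name):
#   sh migrate.sh client.ovpn > client.new.ovpn
if [ "$#" -gt 0 ]; then
    find_ns_cert_type "$1" >&2 || echo "no active ns-cert-type line" >&2
    migrate_ns_cert_type "$1"
fi
```

remote-cert-tls server checks the certificate's key usage and extended key usage rather than the Netscape nsCertType field, so run server_cert_has_eku against the server certificate before rolling out the migrated config.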
