OpenVPN stuck at Generating certificate authority

I have had this issue across several Turris releases (3.9 - 3.10.3). I tried to set up OpenVPN using Foris, but have been seeing the same loading screen for months now. It does not go away with new Turris updates or reboots. I posted this in another thread but got no help (the thread was closed by Pepe with the comment that I should run the command below or wait for the next Turris release). Neither worked!

wget https://gitlab.labs.nic.cz/turris/turris-os-packages/raw/test/cznic/turris-cagen/files/cagen-status.sh -O /usr/bin/turris-cagen-status

Device Turris Omnia - rtrom01
Serial number 47244660958
Turris OS version 3.10.3
Kernel version 4.4.138-1e8e1b4c23f383e990eb3c4f490f5f2e-1

In general, what you can do is uninstall the OpenVPN packages you have installed and reinstall them.
In Foris, section Updater, untick OpenVPN and wait for the next run of the updater. Once done, tick it again, wait for the next run of the updater, and try to generate a new CA.

If that still does not work, you can go to the shell (SSH) and use "opkg" to remove it manually (with the "force" option).

And before you do anything, use "schnapps" to create a backup snapshot, so you can easily roll back if you mess something up.

Thank you for your response.

I did:

  • Uninstall and reinstall of the OpenVPN package via Foris --> No success. The OpenVPN option disappears in Foris, and after reinstall I can click it but again get the CA generation loading screen.
  • Uninstalled all packages with "vpn" in the name using opkg remove --force-depends, deleted the openvpn config in /etc/config/, and reinstalled the OpenVPN package in Foris after a reboot. --> No success. I see the CA generation loading screen again.

Any other ideas? Is there another old config file which could lead to this behavior?

Hello,

Would you please check if you have any files in /etc/dhparam?

The following command should do it:

ls -l /etc/dhparam

Or you can check /var/log/messages; there should be something there. Or you can generate diagnostics in Foris, send them to tech.support@turris.cz, and I’ll check why it doesn’t work for you.

Results of

ls /etc/dhparam

dh-default.pem dh2048.pem dh4096.pem dh8192.pem

Can’t find anything suspicious in /var/log/messages. Will send you the diagnostics via email with the subject: “OpenVPN stuck at Generating certificate authority”

Thanks!

Sent the diagnostics.

For your reference:

Support Ticket Opened [#002671]

Hello,

Can you give me any update on my ticket? I haven’t heard from you or Turris support since I submitted my logs one month ago.

Hello!

Saw this post after searching for some input regarding the “certificate authority cert generation is stuck” issue.

I have the same issue on my router.

Is there any status update or workaround for getting OpenVPN working on the Turris Omnia?

Cheers,

kwaH

I have the same problem - so far I haven’t found a solution anywhere in the forum. Or am I mistaken? How did the founder of this thread end up after half a year? Thanks, Jakub

Did you try?

Hi!

Unfortunately doing a

cd /etc/ssl/ca/openvpn
rm *

did not help.

What I tried:

  • Uninstall the OpenVPN package via “Updater” menu item
  • Delete files in the folder /etc/ssl/ca/openvpn/
  • Reboot
  • Reinstall OpenVPN package
  • Do not reboot, but wait for the process openssl dhparam -out /etc/dhparam/dh2048.pem.new 2048 to finish (it can be seen in top when logged into the router via SSH)
  • Reboot

Result:

  • The folder /etc/ssl/ca/openvpn/ is empty
  • In the webinterface, the status for OpenVPN is still “Generating certificate authority”

Any other idea for a solution/workaround?

Thank you!

Cheers,

kwaH

Just a few notes…

You should also delete “/etc/dhparam”, not only “/etc/ssl/ca/openvpn” …

Generating the certificate authority has several steps: dhparam, CA cert/key/CRL, and optionally creation of user files.
Just guessing… If you reboot just after the dhparam step, you are possibly (as your “ca” folder is empty) waiting for CA generation, which very possibly does not resume after that reboot. Somewhere it is recorded that generation of the CA was started but not finished, so Foris is just passing on that info. (So you can generate it manually…
… or go back to the Foris OpenVPN plugin and delete the whole CA again (and check via SSH that it is really gone, manually removing any residual files if needed), then regenerate it.
It really takes 10-30 minutes to finish, and sometimes it might freeze. After dhparam you will see in “top” (htop) another openssl process creating the essential files for you. If you start creating user files, you will see another one. Once everything is done smoothly, you will have files at… dhparam (/etc/dhparam), ca (/etc/ssl/ca/openvpn), uci config (/etc/config/openvpn), …

As a workaround you can do the “dhparam” and “ca” stuff manually (using openssl, easyrsa) and create the openvpn uci config (there should already be a template or some recipe files). You also have to manually take care of the “zone” and “firewall” setup for your openvpn instance.

If you used the updater to reinstall openvpn, a snapshot should have been created, so you don’t need to wipe the openvpn installation; just roll back to the desired snapshot using schnapps and start again.

Hello!

Thank you all who have suggested steps for the solution!

I finally got it working with the following order of config steps:

  1. Uninstall OpenVPN via Web-UI (“Updater” -> uncheck “OpenVPN” -> “Save Changes”)
  2. Login to the router via SSH
  3. Delete the folder /etc/dhparam (rm -r /etc/dhparam)
  4. Delete the folder /etc/ssl/ca/openvpn (rm -r /etc/ssl/ca/openvpn)
  5. Start the tool “htop” in the SSH session
  6. Install OpenVPN via Web-UI (“Updater” -> check “OpenVPN” -> “Save Changes”) and stay in that web menu (do not change to “OPENVPN” menu yet)
  7. In the SSH session (in htop) you should see a process openssl dhparam -out /etc/dhparam/dh2048.pem.new - wait for it to finish/disappear (should take about 30 minutes)
  8. Click on “OPENVPN” in the Web-UI and start further configuration (Generate CA, etc. etc.)

I understand that some steps might not be truly necessary, but this is how it worked for me.
Hope it helps!

Furthermore, a bug that I noticed: if you change the transport protocol to TCP instead of UDP, it seems that the software does not correctly create the appropriate firewall rule for accepting connections on the configured TCP port.

I had to adapt the firewall settings via LuCI to make OpenVPN work with a custom setting for port and protocol.

Cheers,

kwaH
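To tie the troubleshooting in this thread together, here is an added example (not code from the thread, from Turris OS, or from the turris-cagen package): a POSIX sh helper that classifies where CA generation stopped from the files the posts above mention (the *.pem.new file that openssl dhparam writes, the finished dh*.pem files, and the CA material in /etc/ssl/ca/openvpn), refuses to wipe that state while the dhparam step is still writing, and emits the WAN accept rule that the previous post says is missing when OpenVPN listens on TCP. The CA file names ca.crt, ca.key and crl.pem, the state names, and the firewall rule name are assumptions; the two directories and the uci firewall syntax are as used on Turris OS / OpenWrt. Run it on the router over SSH, and take a schnapps snapshot first before using reset.

```sh
#!/bin/sh
# Added example for the "stuck at Generating certificate authority" thread.
# Not part of Turris OS. Paths come from the posts above; CA file names are
# an assumption (check what turris-cagen actually writes on your device).

DHPARAM_DIR=/etc/dhparam          # where "openssl dhparam -out ..." writes
CA_DIR=/etc/ssl/ca/openvpn        # where the CA cert/key/CRL end up

# Print one word describing how far generation got. Both arguments are
# optional so the function can be pointed at a scratch directory.
#   no-dhparam       nothing generated yet (fresh install or after reset)
#   dhparam-running  a *.pem.new file exists: openssl dhparam is still writing
#   dhparam-only     DH parameters are done, no CA material yet (the stuck case)
#   ca-partial       some of ca.crt/ca.key/crl.pem exist, not all (assumed names)
#   complete         DH parameters and all CA files are present
cagen_state() {
    dh="${1:-$DHPARAM_DIR}"
    ca="${2:-$CA_DIR}"
    # An unfinished dhparam run leaves dhNNNN.pem.new behind; an unmatched
    # glob stays literal, so the -e test is what decides.
    for f in "$dh"/*.pem.new; do
        [ -e "$f" ] && { echo dhparam-running; return 0; }
    done
    have_dh=0
    for f in "$dh"/*.pem; do
        [ -e "$f" ] && have_dh=1 && break
    done
    [ "$have_dh" -eq 1 ] || { echo no-dhparam; return 0; }
    n=0
    for f in ca.crt ca.key crl.pem; do      # assumed CA artefact names
        [ -e "$ca/$f" ] && n=$((n + 1))
    done
    case "$n" in
        0) echo dhparam-only ;;
        3) echo complete ;;
        *) echo ca-partial ;;
    esac
}

# Wipe both directories so that reinstalling the OpenVPN package regenerates
# everything from scratch (the order that worked for kwaH above). Refuses to
# run while openssl dhparam is still writing, since deleting under it leaves
# the same half-finished state the thread is about.
cagen_reset() {
    dh="${1:-$DHPARAM_DIR}"
    ca="${2:-$CA_DIR}"
    if [ "$(cagen_state "$dh" "$ca")" = dhparam-running ]; then
        echo "openssl dhparam is still writing into $dh; wait for it to finish" >&2
        return 1
    fi
    rm -rf "$dh" "$ca"
}

# Emit the uci commands for a WAN-side accept rule matching the port and
# protocol you configured for OpenVPN (the rule Foris did not create for
# TCP). Review the output, then pipe it into sh on the router. Rule name is
# an assumption; the option names are standard OpenWrt firewall config.
openvpn_fw_rule() {
    proto="$1"
    port="$2"
    cat <<EOF
uci add firewall rule
uci set firewall.@rule[-1].name='Allow-OpenVPN-$proto-$port'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].proto='$proto'
uci set firewall.@rule[-1].dest_port='$port'
uci set firewall.@rule[-1].target='ACCEPT'
uci commit firewall
/etc/init.d/firewall restart
EOF
}

# Stand-alone use: ./cagen-check.sh state | reset | fwrule PROTO PORT
case "${1:-}" in
    state)  cagen_state ;;
    reset)  cagen_reset ;;
    fwrule) openvpn_fw_rule "$2" "$3" ;;
esac
```

If `state` prints `dhparam-only` after the 30 minutes kwaH mentions and no openssl process is visible in top or htop, you are in the stuck case this thread describes; `reset` followed by a reinstall from the Updater page is the sequence that worked. `fwrule tcp 1194 | sh` adds the accept rule for a TCP listener on the default port; substitute whatever port you set in the Foris OpenVPN page.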

Thanks to all! This procedure works :)

Jakub