Issues with SSL certs using SSTP

Hi,

We have an issue with some new SSL certificates that we have got. If we use our own self-created certs, the SSTP VPN connection works.

However, we have a requirement to change/update the certs. I have the ca.crt, the server.crt and the appropriate key file, which I have validated using SSL tools; they all match and pass successfully.

However, when we use them on the VyOS firewall, we get the below error in Windows 10 on connecting: The token supplied to the function is invalid

The only log file entry that happens at the time is below:

Jul 25 09:53:44 vyos accel-sstp: sstp: started
Jul 25 09:53:44 vyos accel-sstp: :: recv [HTTP <#026#003>]
Jul 25 09:53:44 vyos accel-sstp: :: send [HTTP <HTTP/1.1 400 Bad Request>]
Jul 25 09:53:44 vyos accel-sstp: :: send [HTTP <Date: Sat, 25 Jul 2020 09:53:44 GMT>]
Jul 25 09:53:44 vyos accel-sstp: sstp: disconnected

Any ideas? I have checked through other topics with similar issues and the fixes haven't resolved it for me.

Mark

Hello @MarkSpringate, did you try to open your host via Internet Explorer?
Which error do you receive in Internet Explorer and on the VyOS side?
Which TLS version is it? I guess the new libssl has denied the old versions.

Hi @Dmitry

Many thanks for the reply

In Internet Explorer I get the following:
Can’t connect securely to this page

This might be because the site uses outdated or unsafe TLS security settings. If this keeps happening, try contacting the website’s owner.

In Firefox I see the below (posting it as the message is different, in case it helps):
Secure Connection Failed

An error occurred during a connection to 192.168.71.100. PR_END_OF_FILE_ERROR

I am not sure how to check what TLS version is being used, but I am using the latest rolling version of VyOS: VyOS 1.3-rolling-202007240117

I think you can check the ciphers and version with the following commands:

openssl x509 -text -noout -in /config/auth/sstp/ca.crt 
openssl x509 -text -noout -in /config/auth/sstp/server.crt 

Or you can check with some online checker.

The top of the output there shows the below for both the ca.crt and server.crt files:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 7 (0x7)
Signature Algorithm: sha256WithRSAEncryption

The only other version field or anything related to TLS is below:
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication

Hello @MarkSpringate, can you run the following commands and provide the output:

accel-cmd -p 2005 restart
 show log tail 50

If possible, please also provide the SSTP configuration commands:

 show configuration commands | match sstp

Hi @Dmitry

Thanks for the reply again; please find the output below:

vyos@vyos:/var/log$ show log tail 50
Jul 25 15:25:58 vyos kernel: [93215.784136] hv_balloon: Balloon request will be partially fulfilled. Balloon floor reached.
Jul 25 15:25:58 vyos kernel: [93215.784694] hv_balloon: Balloon request will be partially fulfilled. Balloon floor reached.
Jul 25 15:25:58 vyos kernel: [93215.785332] hv_balloon: Balloon request will be partially fulfilled. Balloon floor reached.
Jul 25 15:26:36 vyos kernel: [93253.779099] hv_balloon: Balloon request will be partially fulfilled. Balloon floor reached.
Jul 25 15:26:36 vyos kernel: [93253.781160] hv_balloon: Balloon request will be partially fulfilled. Balloon floor reached.
Jul 25 15:26:36 vyos kernel: [93253.782406] hv_balloon: Balloon request will be partially fulfilled. Balloon floor reached.
Jul 25 15:26:36 vyos kernel: [93253.783656] hv_balloon: Balloon request will be partially fulfilled. Balloon floor reached.
Jul 25 15:26:36 vyos kernel: [93253.784394] hv_balloon: Balloon request will be partially fulfilled. Balloon floor reached.
Jul 25 15:26:37 vyos kernel: [93254.779348] hv_balloon: Balloon request will be partially fulfilled. Balloon floor reached.
Jul 25 15:27:07 vyos kernel: [93284.779143] hv_balloon: Balloon request will be partially fulfilled. Balloon floor reached.
Jul 25 15:27:37 vyos kernel: [93314.780278] hv_balloon: Balloon request will be partially fulfilled. Balloon floor reached.
Jul 26 00:00:01 vyos systemd[1]: Starting Rotate log files…
Jul 26 00:00:01 vyos systemd[1]: Stopping Atop advanced performance monitor…
Jul 26 00:00:01 vyos systemd[1]: atop.service: Succeeded.
Jul 26 00:00:01 vyos systemd[1]: Stopped Atop advanced performance monitor.
Jul 26 00:00:01 vyos systemd[1]: Started Atop advanced performance monitor.
Jul 26 00:00:01 vyos systemd[1]: logrotate.service: Succeeded.
Jul 26 00:00:01 vyos systemd[1]: Started Rotate log files.
Jul 26 03:40:09 vyos systemd[1]: Starting Certbot…
Jul 26 03:40:10 vyos systemd[1]: certbot.service: Succeeded.
Jul 26 03:40:10 vyos systemd[1]: Started Certbot.
Jul 26 13:50:09 vyos systemd[1]: Starting Cleanup of Temporary Directories…
Jul 26 13:50:09 vyos systemd-tmpfiles[3513]: [/usr/lib/tmpfiles.d/heartbeat.conf:3] Line references path below legacy directory /var/run/, updating /var/run/heartbeat → /run/heartbeat; please update the tmpfiles.d/ drop-in file accordingly.
Jul 26 13:50:09 vyos systemd-tmpfiles[3513]: [/usr/lib/tmpfiles.d/heartbeat.conf:4] Line references path below legacy directory /var/run/, updating /var/run/heartbeat/ccm → /run/heartbeat/ccm; please update the tmpfiles.d/ drop-in file accordingly.
Jul 26 13:50:09 vyos systemd-tmpfiles[3513]: [/usr/lib/tmpfiles.d/heartbeat.conf:5] Line references path below legacy directory /var/run/, updating /var/run/heartbeat/crm → /run/heartbeat/crm; please update the tmpfiles.d/ drop-in file accordingly.
Jul 26 13:50:09 vyos systemd-tmpfiles[3513]: [/usr/lib/tmpfiles.d/heartbeat.conf:6] Line references path below legacy directory /var/run/, updating /var/run/heartbeat/dopd → /run/heartbeat/dopd; please update the tmpfiles.d/ drop-in file accordingly.
Jul 26 13:50:09 vyos systemd-tmpfiles[3513]: [/usr/lib/tmpfiles.d/resource-agents.conf:1] Duplicate line for path “/run/resource-agents”, ignoring.
Jul 26 13:50:09 vyos systemd[1]: systemd-tmpfiles-clean.service: Succeeded.
Jul 26 13:50:09 vyos systemd[1]: Started Cleanup of Temporary Directories.
Jul 26 22:02:09 vyos systemd[1]: Starting Certbot…
Jul 26 22:02:10 vyos systemd[1]: certbot.service: Succeeded.
Jul 26 22:02:10 vyos systemd[1]: Started Certbot.
Jul 27 00:00:01 vyos systemd[1]: Starting Rotate log files…
Jul 27 00:00:01 vyos systemd[1]: Stopping Atop advanced performance monitor…
Jul 27 00:00:01 vyos systemd[1]: atop.service: Succeeded.
Jul 27 00:00:01 vyos systemd[1]: Stopped Atop advanced performance monitor.
Jul 27 00:00:01 vyos systemd[1]: Started Atop advanced performance monitor.
Jul 27 00:00:02 vyos systemd[1]: logrotate.service: Succeeded.
Jul 27 00:00:02 vyos systemd[1]: Started Rotate log files.
Jul 27 06:39:04 vyos accel-sstp: cli: tcp: new connection from 127.0.0.1
Jul 27 06:39:04 vyos accel-sstp: terminate, sig = 15
Jul 27 06:39:05 vyos systemd[1]: accel-ppp@sstp.service: Succeeded.
Jul 27 06:39:05 vyos systemd[1]: accel-ppp@sstp.service: Service RestartSec=100ms expired, scheduling restart.
Jul 27 06:39:05 vyos systemd[1]: accel-ppp@sstp.service: Scheduled restart job, restart counter is at 1.
Jul 27 06:39:05 vyos systemd[1]: Stopped Accel-PPP - High performance VPN server application for Linux.
Jul 27 06:39:05 vyos systemd[1]: Starting Accel-PPP - High performance VPN server application for Linux…
Jul 27 06:39:05 vyos systemd[1]: Started Accel-PPP - High performance VPN server application for Linux.
Jul 27 06:39:05 vyos accel-sstp: sstp: ssl-keyfile error: error:0909006C:PEM routines:get_name:no start line
Jul 27 06:39:05 vyos accel-sstp: sstp: SSL/TLS support disabled, PROXY support disabled
Jul 27 06:39:05 vyos accel-sstp: sstp: iprange module disabled, improper IP configuration of PPP interfaces may cause kernel soft lockup

set vpn sstp authentication local-users username csadmin password 'password'
set vpn sstp authentication mode 'local'
set vpn sstp authentication protocols 'mschap'
set vpn sstp authentication protocols 'mschap-v2'
set vpn sstp network-settings client-ip-settings gateway-address ''
set vpn sstp network-settings client-ip-settings subnet ''
set vpn sstp network-settings name-server '8.8.8.8'
set vpn sstp network-settings name-server 'x.x.x.x'
set vpn sstp ppp-settings lcp-echo-timeout '600'
set vpn sstp ppp-settings mppe 'require'
set vpn sstp ssl ca-cert-file '/config/auth/sstp/ca.crt'
set vpn sstp ssl cert-file '/config/auth/sstp/server.crt'
set vpn sstp ssl key-file '/config/auth/sstp/server.key'

Hello @MarkSpringate, please fix this error:

Jul 27 06:39:05 vyos accel-sstp: sstp: ssl-keyfile error: error:0909006C:PEM routines:get_name:no start line

You have got an issue with the ssl-keyfile.

Note: please don't post your public IPs; your latest message was redacted by me.

Hi @Dmitry

I clearly missed one of the IP addresses! Thanks for that.

The key file itself passes the SSL checker tools that we have tried. Is there any pointer as to what is wrong with the file?

Mark

@MarkSpringate, please show the output of sudo head -n 1 /config/auth/sstp/server.key
In the output you should get something like this:

vyos@RTR1:~$ sudo head -n 1 /config/auth/sstp/server.key 
-----BEGIN PRIVATE KEY-----

vyos@vyos:/config/auth/sstp$ sudo head -n 1 /config/auth/sstp/server.key
-----BEGIN PRIVATE KEY-----
vyos@vyos:/config/auth/sstp$

Hm, that is very odd; I don't know how to reproduce this issue without the certificates. Please also check the end of the file.

Hi @Dmitry

I think I may have got a step further and am testing it tomorrow morning. It looks like the content of the key file is OK but the file encoding may have been the issue: the .key file was set to UTF-8-BOM, which I have now changed to UTF-8. On my test VyOS firewall I no longer get the above errors, but because the certs are registered against a specific CA, I need to test it in the morning to make sure my username/password auth works correctly on the live firewall.

Mark

Hi @Dmitry

Well, one step forward I feel! I am no longer getting the token error, but when I try to connect it now gives me the below:
The certificate's CN name does not match the passed value

That is a little odd, considering the SSL certs as well as the key file are now passing all checks.

Mark

Hello @MarkSpringate, please check again with Internet Explorer.
Do you have a domain name or an IP address in the certificate CN?
Was this certificate produced by the cert center?

Hi @Dmitry

Fixed it; it is exactly what you thought. I had the IP address in the config details rather than the DNS name which was used for the cert!

For info, the fix for the error "The token supplied to the function is invalid" was to open the .key file in Notepad++, click Encoding and change it to UTF-8 to match the .cert files; originally it was in UTF-8-BOM format.

I need to test it again on the live firewall tomorrow, but it is now working perfectly on the test one.

Mark
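One way to check a key file for the UTF-8 byte-order mark that produced the "no start line" error in this thread, and to strip it before accel-ppp loads the key. This is an added example, not code from the thread or from VyOS; it uses only POSIX shell tools and a constructed placeholder key file, so it needs no real certificate to run.

```shell
#!/bin/sh
# Added example, not from the thread or VyOS: detect and strip a UTF-8 byte-order
# mark from a PEM key. OpenSSL's PEM reader expects the file to begin with
# "-----BEGIN", so a BOM (bytes EF BB BF) in front of that marker yields
# "PEM routines:get_name:no start line" even though the key text itself is fine.

# Return 0 if the file starts with the UTF-8 BOM (EF BB BF), 1 otherwise.
pem_has_bom() {
    [ "$(head -c 3 "$1" | od -An -tx1 | tr -d ' \n')" = "efbbbf" ]
}

# Return 0 if the first line is a PEM "-----BEGIN ...-----" header, 1 otherwise.
pem_first_line_ok() {
    head -n 1 "$1" | grep -q '^-----BEGIN '
}

# Strip the BOM in place (via a temp file); a no-op when there is no BOM.
pem_strip_bom() {
    pem_has_bom "$1" || return 0
    tmp="$1.nobom.$$"
    tail -c +4 "$1" > "$tmp" && mv "$tmp" "$1"
}

# Write a constructed sample key file that carries a BOM, as an editor saving
# in "UTF-8-BOM" would. The key body is a placeholder string, not a real key.
make_sample_bom_key() {
    printf '\357\273\277-----BEGIN PRIVATE KEY-----\nPLACEHOLDERKEYBODY\n-----END PRIVATE KEY-----\n' > "$1"
}

# Demo when run directly: show the state of the sample file before and after.
sample="$(mktemp)"
make_sample_bom_key "$sample"
pem_has_bom "$sample" && echo "before: BOM present, first line is not a PEM header"
pem_strip_bom "$sample"
pem_first_line_ok "$sample" && echo "after: first line is $(head -n 1 "$sample")"
rm -f "$sample"
```

On a real file, run pem_has_bom against /config/auth/sstp/server.key before restarting the SSTP service; head -n 1 alone will not show the BOM because the terminal renders it invisibly.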
