Re: What to do if VPN connection is broken in Fedora 43

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Does OpenVPN support CADir format?

On Mon, Aug 18, 2025 at 6:32 PM Michael Catanzaro <mcatanzaro@xxxxxxxxxx> wrote:
Hi, after upgrading to Fedora 43 I noticed my OpenVPN connection was
broken due to
https://fedoraproject.org/wiki/Changes/droppingOfCertPemFile

I see in my journal:

nm-openvpn[32218]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but
missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305).
OpenVPN ignores --cipher for cipher negotiations.
nm-openvpn[32218]: Options error: --ca fails with
'/etc/pki/tls/certs/ca-bundle.crt': No such file or directory (errno=2)
nm-openvpn[32218]: Options error: Please correct these errors.
nm-openvpn[32218]: Use --help for more information.

I searched NetworkManager-openvpn, NetworkManager, and OpenVPN upstream
git repos and Fedora spec files and couldn't find any references to
ca-bundle.crt in any of them. Then eventually I found it specified
under my VPN configuration that's installed into
/etc/NetworkManager/system-connections:

[vpn]
ca=/etc/pki/tls/certs/ca-bundle.crt

Workaround is to just change the file path:

[vpn]
ca=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

And that worked.

(Next I thought "why allow all trusted certificates?" and wound up
selecting the particular root certificate that I expect my server
certificate to be signed by, which also worked. Nice when things work.)

Michael


--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue


--
Dmitry Belyavskiy
-- 
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux