How to Fix: OpenVPN 'SSL_CTX_use_certificate:ca md too weak'


Infopackets Reader Steve T. writes:

" Dear Dennis,

I recently upgraded my OpenVPN from version 2.3.2 (back in 2014) to the latest version 2.4.6, but now my OpenVPN server is broken. I checked the log files and it says 'SSL routines:SSL_CTX_use_certificate:ca md too weak', followed by 'Cannot load certificate file /path/cert.crt'. I have tried embedding my certificates inside the server.ovpn file (rather than having it point somewhere externally), but that does not help. It simply won't load the certificate. I've researched this issue for days and keep coming across a forum post on the OpenVPN site but it doesn't make any sense to me. Can you PLEASE HELP?! "

My response:

I asked Steve if he would like to connect with me using my remote desktop service in order to have a closer look, and he agreed.

I examined the forum post Steve referenced. Some users there suggested placing a "DEFAULT:@SECLEVEL=0" directive inside the configuration file, but that would bypass any certificates and thus completely remove any security the VPN has to offer, so it is NOT recommended. Other users suggested recreating all the certificates, but that did not work either.

Another user suggested modifying the "openssl-1.0.0.cnf" configuration file, which is part of the OpenSSL package used to generate certificates. Essentially, the "default_md" directive must be changed from "md5" to "sha256"; otherwise OpenVPN craps out with the "SSL routines:SSL_CTX_use_certificate:ca md too weak" error message.

Further research into this issue suggests that MD5 is no longer considered secure for signing certificates and that OpenSSL version 1.1 now uses SHA256 instead of MD5. For whatever reason the latest version of OpenVPN (version 2.4.6) still ships with this directive unchanged, so you must manually modify the openssl-1.0.0.cnf configuration file to get around the problem.

How to Fix: OpenVPN 'SSL_CTX_use_certificate:ca md too weak'

Now that we understand the issue, here is what you need to do.

  1. If you are using Windows, open notepad or your favorite text editor and point to C:\Program Files\OpenVPN\easy-rsa, then load the file openssl-1.0.0.cnf. If you are using Linux, the path would be /etc/openvpn/easy-rsa/openssl-1.0.0.cnf or similar. If that doesn't work, just do a search for "openssl-1.0.0.cnf" using 'find' or 'mlocate'.
     
  2. Scroll down to the "default_md" directive and change it from "md5" to "sha256", then save the configuration file.
     
  3. Regenerate your server keys (ca.crt, server.crt, server.key, dh4096.pem, ta.key), then recreate your server.ovpn file and include the certificates inside the file using the appropriate directives. Do not create any client files until you know the server.ovpn file is working. I suggest using the 'verb 3' directive, as this should provide enough verbosity to show any errors.
     
  4. The best way to test the newly created server.ovpn file is to launch an administrative command prompt, then run the openvpn executable and point it at your configuration file, rather than starting it through the graphical user interface or services.msc. For example, the line below would launch the server.ovpn file if it were located in the "config" folder; quotes must be used around the paths if they contain spaces.

    "C:\Program Files\OpenVPN\bin\openvpn.exe" "C:\Program Files\OpenVPN\config\server.ovpn"
     
  5. If you see "Initialization Sequence Completed", meaning that the server configuration file loaded successfully, the next step is to open another administrative command prompt and ping your OpenVPN server's IP (according to what you specified in the config file) and see if you get a response. In my case the server's IP is 10.10.0.1, so I would enter:

    ping 10.10.0.1

    You should see something like this:

    Pinging 10.10.0.1 with 32 bytes of data:
    Reply from 10.10.0.1: bytes=32 time=24ms TTL=128
    Reply from 10.10.0.1: bytes=32 time=24ms TTL=128
    Reply from 10.10.0.1: bytes=32 time=24ms TTL=128
    Reply from 10.10.0.1: bytes=32 time=25ms TTL=128

    If you did, pat yourself on the back for a job well done.
     
  6. Recreate your client configuration files using the same methods you used to create the server configuration file, then launch another administrative command prompt and try to connect to your server. It should work.
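Before moving on to the client files, it is worth confirming that the regenerated ca.crt and server.crt were really signed with SHA256 rather than MD5. The script below is an added example, not part of the original article and not OpenVPN or easy-rsa code: it reads the outer signatureAlgorithm OID straight out of the certificate's DER encoding (so it needs no openssl binary) and flags an MD5 signature, which is what triggers the "ca md too weak" error. The sample_cert helper builds a constructed skeleton, not a real certificate, purely so the parser can be exercised offline.

```python
import base64
import re
# Standard signature-algorithm OIDs; md5WithRSA is what "ca md too weak" rejects.
SIG_ALGS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption", "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def _tlv(buf, pos):
    """Read one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """DER OID content bytes -> dotted form, e.g. 1.2.840.113549.1.1.4."""
    parts, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:                       # base-128, high bit set on all but the last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, value = parts + [str(value)], 0
    return ".".join(parts)

def load_der(data):
    """Accept a PEM certificate (what easy-rsa writes) or raw DER bytes."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data

def signature_algorithm(der):
    """Dotted OID of the outer signatureAlgorithm, the 2nd element of the Certificate SEQUENCE."""
    _, cert_start, _ = _tlv(der, 0)
    _, _, tbs_end = _tlv(der, cert_start)   # skip tbsCertificate entirely
    _, alg_start, _ = _tlv(der, tbs_end)    # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid_start, oid_end = _tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return _decode_oid(der[oid_start:oid_end])

def check_certificate(data):
    """Return (algorithm name, verdict) for the contents of one .crt file."""
    name = SIG_ALGS.get(signature_algorithm(load_der(data)), "other")
    if name.startswith("md5"):
        return name, "too weak: regenerate after setting default_md = sha256"
    return name, ("deprecated: regenerate with sha256" if name.startswith("sha1") else "ok")

def sample_cert(oid_hex):
    """Constructed stand-in, not a real certificate: empty skeleton with the given signature OID."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body            # short-form TLV only
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(0x05, b""))
    der = tlv(0x30, tlv(0x30, b"") + alg + tlv(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"
```

To check your own files, call check_certificate(open("ca.crt", "rb").read()) and the same for server.crt; the equivalent command-line check is openssl x509 -in ca.crt -noout -text, which prints the Signature Algorithm line.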

I highly suggest using "cipher AES-256-CBC" in both client and server configuration files, as this offers the most encryption available, plus it is what's recommended by the OpenVPN site. The default setting is Blowfish encryption, but it is not strong enough and is susceptible to the SWEET32 attack.

I hope that helps.

Additional 1-on-1 Support: From Dennis

If all of this is over your head, or if you need help configuring your OpenVPN server and clients, I can help using my remote desktop support service. Simply contact me, briefly describing the issue and I will get back to you as soon as possible.

About the author: Dennis Faas is the owner and operator of Infopackets.com. With over 30 years of computing experience, Dennis' areas of expertise are a broad range and include PC hardware, Microsoft Windows, Linux, network administration, and virtualization. Dennis holds a Bachelor's degree in Computer Science (1999) and has authored 6 books on the topics of MS Windows and PC Security. If you like the advice you received on this page, please up-vote / Like this page and share it with friends. For technical support inquiries, Dennis can be reached via live chat on this site using the Zopim Chat service (currently located at the bottom left of the screen); optionally, you can contact Dennis through the website contact form.
