VPN Errors on Upgrade to Ubuntu 22.04 LTS

I recently upgraded my home desktop from 20.04 LTS to 22.04 LTS, in anticipation of rolling out similar updates at work and on my home server. As upgrades go, this went down reasonably well, with the main inconvenience being Ubuntu’s insistence on snap, and its recent migration of Firefox from a regular package to a snap release. (For reasons I’ll go into another time, I cannot use snaps, because they don’t really work on anything other than a conventional home-directory setup.)

One issue that cropped up today, however, is that due to changes in the network manager (or the underlying OpenSSL, I’m not entirely sure), my VPN connection to work stopped working. The cause is very simple: the certificates with which I authenticate myself to the server are signed with a deprecated message digest algorithm (SHA1). To diagnose this I observed the system logs (at /var/log/syslog), finding the following (sanitised) messages from the OpenVPN service:

nm-openvpn[]: OpenSSL: error:0A00018E:SSL routines::ca md too weak
nm-openvpn[]: Cannot load certificate file /...

The first line indicates that the problem is due to the MD algorithm being deprecated, which results in a failure to load the certificate (second message).

The ideal solution would involve our IT services re-issuing our certificates with more up-to-date algorithms. I have advised them accordingly, of course, but this is beyond my control. So until that happens, I needed a stopgap solution. The only option here is to lower the bar at my end, and force the network manager to allow the use of the certs I have. I hunted around a bit to figure this out, which is why I thought it would be useful to write this down.

The change can be done on a per-connection basis, which is good. It involved editing the configuration file for the specific VPN connection; in Ubuntu these are stored under /etc/NetworkManager/system-connections, with the filename being the same as the name of the connection in the Network Manager’s GUI. Edit this file with super-user privileges (e.g. sudo vi ...), and under the [vpn] section add a line (I did this at the top of the section) as follows:

tls-cipher=DEFAULT:@SECLEVEL=0

Next, restart the network manager service with:

systemctl restart NetworkManager

At this point, the connection should work again.
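
Since this is a stopgap, it helps to be able to list which connection profiles still carry the lowered security level, so the line can be removed once the certificates are re-issued. The following is an added example, not part of the original post: a small Python audit of the keyfiles in that directory. The `cert` key name, the sample keyfile and the baseline of 2 are assumptions.

```python
import configparser
import re
from pathlib import Path

# Directory named in the post; files there are readable only by root.
CONN_DIR = Path("/etc/NetworkManager/system-connections")
SECLEVEL_RE = re.compile(r"@SECLEVEL=(\d+)")

# Constructed sample keyfile (not from the post) carrying the post's workaround.
SAMPLE = """\
[connection]
id=work-vpn
type=vpn

[vpn]
tls-cipher=DEFAULT:@SECLEVEL=0
cert=/home/user/certs/client.crt
"""


def lowered_seclevel(keyfile_text, minimum=2):
    """Return (level, cert_path) when [vpn] tls-cipher sets @SECLEVEL below
    `minimum` (an assumed site baseline), otherwise None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(keyfile_text)
    match = SECLEVEL_RE.search(cp.get("vpn", "tls-cipher", fallback=""))
    if match is None or int(match.group(1)) >= minimum:
        return None
    return int(match.group(1)), cp.get("vpn", "cert", fallback="(none)")


def audit(directory=CONN_DIR, minimum=2):
    """Map connection file name -> (level, cert_path) for weakened profiles."""
    findings = {}
    for path in sorted(Path(directory).iterdir()):
        try:
            hit = lowered_seclevel(path.read_text(), minimum)
        except (configparser.Error, UnicodeDecodeError, OSError):
            continue  # unreadable or not a keyfile
        if hit:
            findings[path.name] = hit
    return findings


if __name__ == "__main__":
    print("sample:", lowered_seclevel(SAMPLE))
    if CONN_DIR.is_dir():
        for name, (level, cert) in audit().items():
            print(f"{name}: SECLEVEL={level}, cert to re-issue: {cert}")
```

Run it with super-user privileges so the keyfiles can be read; profiles without a tls-cipher override are not reported.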
