Yes, if you use capath= instead of ca=.

Tom

On 19/08/2025 08:42, Dmitry Belyavskiy wrote:
Does OpenVPN support CADir format?

On Mon, Aug 18, 2025 at 6:32 PM Michael Catanzaro <mcatanz...@redhat.com> wrote:

    Hi, after upgrading to Fedora 43 I noticed my OpenVPN connection was
    broken due to
    https://fedoraproject.org/wiki/Changes/droppingOfCertPemFile

    I see in my journal:

    nm-openvpn[32218]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but
    missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305).
    OpenVPN ignores --cipher for cipher negotiations.
    nm-openvpn[32218]: Options error: --ca fails with
    '/etc/pki/tls/certs/ca-bundle.crt': No such file or directory (errno=2)
    nm-openvpn[32218]: Options error: Please correct these errors.
    nm-openvpn[32218]: Use --help for more information.

    I searched NetworkManager-openvpn, NetworkManager, and OpenVPN upstream
    git repos and Fedora spec files and couldn't find any references to
    ca-bundle.crt in any of them. Then eventually I found it specified
    under my VPN configuration that's installed into
    /etc/NetworkManager/system-connections:

    [vpn]
    ca=/etc/pki/tls/certs/ca-bundle.crt

    Workaround is to just change the file path:

    [vpn]
    ca=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

    And that worked.

    (Next I thought "why allow all trusted certificates?" and wound up
    selecting the particular root certificate that I expect my server
    certificate to be signed by, which also worked. Nice when things work.)

    Michael


    --
    _______________________________________________
    devel mailing list -- devel@lists.fedoraproject.org
    To unsubscribe send an email to devel-le...@lists.fedoraproject.org
    Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
    List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
    List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
    Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue



--
Dmitry Belyavskiy



--
Tom Hughes (t...@compton.nu)
http://compton.nu/
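
An added example, not part of the thread and not Fedora, NetworkManager or OpenVPN code: a check over NetworkManager keyfiles that reports a `ca=` path that no longer exists (the errno=2 failure in the journal above) or one that points at a multi-certificate bundle (the concern behind picking a single root). The function name, the sample profile and the treatment of `capath` as a `[vpn]` key, taken from the reply, are assumptions.

```python
import configparser
import sys
from pathlib import Path

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"

# Constructed sample: the [vpn] stanza quoted in the thread, before the fix.
SAMPLE = """\
[connection]
id=example-vpn
type=vpn

[vpn]
ca=/etc/pki/tls/certs/ca-bundle.crt
"""

def audit_vpn_trust(profile_text):
    """Return (key, path, finding) tuples for the [vpn] section of one keyfile."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",),
                                   comment_prefixes=("#",))
    cp.optionxform = str  # keyfile keys are case-sensitive
    cp.read_string(profile_text)
    if not cp.has_section("vpn"):
        return []
    findings = []
    ca = cp["vpn"].get("ca")
    if ca and not Path(ca).is_file():
        findings.append(("ca", ca, "missing"))  # OpenVPN refuses to start
    elif ca:
        # Every certificate in this file is accepted as a trust anchor.
        count = Path(ca).read_text(errors="replace").count(PEM_BEGIN)
        if count != 1:
            findings.append(("ca", ca, f"{count} certificates in file"))
    # Assumption: capath is a [vpn] key, as the reply in this thread states.
    capath = cp["vpn"].get("capath")
    if capath and not Path(capath).is_dir():
        findings.append(("capath", capath, "not a directory"))
    return findings

if __name__ == "__main__":
    # Pass keyfile paths as arguments; with none, the constructed SAMPLE is used.
    inputs = [(p, Path(p).read_text()) for p in sys.argv[1:]] or [("SAMPLE", SAMPLE)]
    for name, text in inputs:
        for key, path, finding in audit_vpn_trust(text):
            print(f"{name}: {key}={path}: {finding}")
```

Reading the files under /etc/NetworkManager/system-connections normally requires root.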