Overview
Duo has announced changes to the certificate authority bundle that affect several integrations, including the Duo Post-Auth Script for Access Server (duo_openvpn_as).
If your Access Server is running a Duo Post-Auth Script version below the "Minimum Update Version", you must upgrade to avoid impact on user access and authentication.
Step 1: Identify whether your Access Server is affected
The minimum update version for the Duo Post-Auth Script is 2.7.
- If your Access Server is running Duo Post-Auth Script version 2.7 or later, no action is required.
- If your Access Server is running a Duo Post-Auth Script version earlier than 2.7, upgrade the Duo Post-Auth Script as described in Step 2. When running an affected version, you may encounter errors like the one below in Access Server logs:
VPN Auth Failed: 'Exception caught in auth: Received 403 Client duo_openvpn_as version 2.5 is deprecated and no longer supported. Please upgrade to the latest supported version.' ['Unknown error communicating with Duo service']
To check the installed Duo Post-Auth Script version:
- Connect to your console and get root privileges.
- Change to the scripts directory:
cd /usr/local/openvpn_as/scripts/
- Run:
./sacli configquery | grep -oP "__version__\s*=\s*'[^']+'"
Example output:
root@jose-openvpnas:/usr/local/openvpn_as/scripts# ./sacli configquery | grep -oP "__version__\s*=\s*'[^']+'"
__version__ = '2.8'
In this example, the installed Duo script version is 2.8, so no further action is needed.
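The Step 1 check can be scripted so that the comparison against 2.7 is numeric per component (2.10 is newer than 2.7) and so that logs can be searched for the deprecation error. This is an added example, not part of the Duo or Access Server tooling; the function names and the sample configquery fragment are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): flag a Duo Post-Auth Script older than 2.7.
MIN_VERSION="2.7"   # minimum update version stated in Step 1

# Print the first __version__ value found in `sacli configquery` output (stdin).
duo_version() {
    grep -oE "__version__[[:space:]]*=[[:space:]]*'[^']+'" | head -n 1 | cut -d"'" -f2
}

# Return 0 when dotted version $1 >= $2, comparing each component numerically.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Read configquery output on stdin; print "ok <v>", "upgrade <v>" or "unknown".
duo_check() {
    v=$(duo_version)
    case $v in
        ''|*[!0-9.]*) echo "unknown"; return 0 ;;
    esac
    if version_ge "$v" "$MIN_VERSION"; then echo "ok $v"; else echo "upgrade $v"; fi
}

# Count log lines (stdin) carrying Duo's deprecation rejection for this client.
deprecation_hits() {
    grep -cE "Client duo_openvpn_as version [0-9.]+ is deprecated" || true
}

# Constructed fragment standing in for configquery output (real output is longer).
SAMPLE_OLD="\"auth.module.post_auth_script\": \"...__version__ = '2.5'...\""
# Log line as quoted in this article (shortened).
SAMPLE_LOG="VPN Auth Failed: 'Exception caught in auth: Received 403 Client duo_openvpn_as version 2.5 is deprecated and no longer supported.'"

printf '%s\n' "$SAMPLE_OLD" | duo_check          # prints: upgrade 2.5
printf '%s\n' "$SAMPLE_LOG" | deprecation_hits   # prints: 1
# On a server: cd /usr/local/openvpn_as/scripts/ && ./sacli configquery | duo_check
```

An "unknown" result means no `__version__` assignment was found, which is also what you would see when no post-auth script is configured.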
Step 2: Upgrade the Duo Post-Auth Script version (if required)
If the version identified in Step 1 is earlier than 2.7, complete the following steps to upgrade:
- Connect to your Access Server console and get root privileges.
- Remove the Duo setup and restart the service:
cd /usr/local/openvpn_as/scripts/
./sacli --key "auth.module.post_auth_script" ConfigDel
./sacli start
- Remove the Duo Post-Authentication script:
rm /usr/local/openvpn_as/scripts/duo_openvpn_as.py
- Download the latest version of the Duo OpenVPN Access Server package from the duo_openvpn_as GitHub repository.
- Extract the Duo OpenVPN Access Server package.
- Open the duo_openvpn_as.py script with a text editor.
- Find the section where you fill in your integration credentials and enter your integration key, secret key, and API hostname:
# Fill in your integration credentials on the following three lines:
IKEY = 'DUO_INTEGRATION_KEY_HERE'
SKEY = 'DUO_INTEGRATION_SECRET_KEY_HERE'
HOST = 'DUO_API_HOSTNAME_HERE'
- Move or upload the duo_openvpn_as.py script to the Access Server scripts folder (/usr/local/openvpn_as/scripts/) on your server.
- Load the script and restart the Access Server service:
./sacli --key "auth.module.post_auth_script" --value_file="/usr/local/openvpn_as/scripts/duo_openvpn_as.py" ConfigPut
./sacli start
- Test your setup by signing in as a VPN user.
If you have additional questions or encounter issues, submit a support ticket.