PIA certificate "doesn't have a known issuer"

edited May 2020 in Linux VPN Setup
Hi,
I'm trying to set up PIA VPN using OpenVPN on a Raspberry Pi. I keep getting this TLS error:

sudo openvpn --config /etc/openvpn/Norway.conf
Fri May  1 16:21:44 2020 OpenVPN 2.4.7 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Fri May  1 16:21:44 2020 library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Fri May  1 16:21:45 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]146.112.61.106:1198
Fri May  1 16:21:45 2020 UDP link local: (not bound)
Fri May  1 16:21:45 2020 UDP link remote: [AF_INET]146.112.61.106:1198
Fri May  1 16:22:45 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri May  1 16:22:45 2020 TLS Error: TLS handshake failed
I spent the whole day eliminating all the possible problems: it's not the firewall, it's not the router, the port is forwarded, it's not the login credentials, I tried a clean version of Raspbian Buster...

I finally stumbled on the fact that I can't establish an encrypted connection with the PIA server at all:
wget https://privateinternetaccess.com/
--2020-05-01 17:05:59--  https://privateinternetaccess.com/
Resolving privateinternetaccess.com (privateinternetaccess.com)... 146.112.61.106, ::ffff:146.112.61.106
Connecting to privateinternetaccess.com (privateinternetaccess.com)|146.112.61.106|:443... connected.
ERROR: The certificate of 'privateinternetaccess.com' is not trusted.
ERROR: The certificate of 'privateinternetaccess.com' doesn't have a known issuer.
I already updated the certificates and checked the system date, everything's fine:
date
Fri May  1 17:06:12 BST 2020
I even copied the certificates over from another Linux machine where I don't get this error, but it still doesn't work. So there must be some other reason.

I would really appreciate getting some help with this, the sun is already setting and I've been at it since morning... Thank you!

Comments

  • I'd like to add that connecting to some other URLs works fine, for example:
    wget https://startpage.com
    --2020-05-01 17:30:48--  https://startpage.com/
    Resolving startpage.com (startpage.com)... 145.131.132.92
    Connecting to startpage.com (startpage.com)|145.131.132.92|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 11618 (11K) [text/html]
    Saving to: 'index.html.2'
  • Ok, I figured it out. My router was using OpenDNS with the family shield, and OpenDNS has a problem with the Cisco Umbrella certificates. I switched to a different DNS and things are working now. 
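
An added example, not part of the original posts: in the logs quoted above, the OpenVPN remote that times out and the website whose certificate has no known issuer are the same address, which points at the resolver's answer rather than at the certificate store or firewall. This sketch correlates the two logs; the sample input is constructed from lines quoted in the thread, and the function names are illustrative.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: lines copied from the OpenVPN and wget output in the thread.
SAMPLE = """\
Fri May  1 16:21:45 2020 UDP link remote: [AF_INET]146.112.61.106:1198
Fri May  1 16:22:45 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Resolving privateinternetaccess.com (privateinternetaccess.com)... 146.112.61.106, ::ffff:146.112.61.106
ERROR: The certificate of 'privateinternetaccess.com' doesn't have a known issuer.
Resolving startpage.com (startpage.com)... 145.131.132.92
HTTP request sent, awaiting response... 200 OK
"""

OVPN_REMOTE = re.compile(r"link remote: \[AF_INET6?\]([0-9a-fA-F.:]+):(\d+)$")
WGET_RESOLVE = re.compile(r"^Resolving (\S+) \(\S+\)\.\.\. (.+)$")
# wget prints straight or typographic quotes depending on locale.
WGET_ISSUER = re.compile(r"^ERROR: The certificate of .([^'\u2019]+). doesn.t have a known issuer")

def norm(addr):
    """Canonical address string; IPv4-mapped IPv6 collapses to plain IPv4."""
    ip = ipaddress.ip_address(addr.strip())
    return str(getattr(ip, "ipv4_mapped", None) or ip)

def find_substituted_answers(log):
    """Map each host with an unknown-issuer certificate to the addresses it
    shares with an OpenVPN remote whose TLS handshake timed out."""
    remotes, untrusted, resolved = set(), set(), defaultdict(set)
    handshake_timeout = False
    for line in (raw.strip() for raw in log.splitlines()):
        if m := OVPN_REMOTE.search(line):
            remotes.add(norm(m.group(1)))
        elif m := WGET_RESOLVE.match(line):
            resolved[m.group(1)].update(norm(a) for a in m.group(2).split(","))
        elif m := WGET_ISSUER.match(line):
            untrusted.add(m.group(1))
        elif "TLS key negotiation failed" in line:
            handshake_timeout = True
    if not handshake_timeout:
        return {}
    hits = {h: sorted(resolved[h] & remotes) for h in untrusted}
    return {h: ips for h, ips in hits.items() if ips}

if __name__ == "__main__":
    for host, ips in find_substituted_answers(SAMPLE).items():
        print(f"{host}: VPN remote and untrusted web host share {', '.join(ips)}; "
              "compare this answer against a different DNS resolver")
```

A hit means the name the VPN config points at and the provider's website both resolve to one address that does not present the provider's certificate, so the next check is the same lookup against another resolver.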