Job for openvpn@server.service failed because the control process exited with error code

April 30, 2017 19.2k views
VPN CentOS
christiangelosulit
By:
christiangelosulit

Apr 30 07:02:09 centos-512mb-sgp2.db-01 systemd[1]: Starting OpenVPN Robust And Highly Flexible T......
Apr 30 07:02:09 centos-512mb-sgp2.db-01 openvpn[10300]: Sun Apr 30 07:02:09 2017 WARNING: cannot s...2)
Apr 30 07:02:09 centos-512mb-sgp2.db-01 openvpn[10300]: Options error: --tls-auth fails with 'ta.k...ry
Apr 30 07:02:09 centos-512mb-sgp2.db-01 openvpn[10300]: Options error: Please correct these errors.
Apr 30 07:02:09 centos-512mb-sgp2.db-01 openvpn[10300]: Use --help for more information.
Apr 30 07:02:09 centos-512mb-sgp2.db-01 systemd[1]: openvpn@server.service: main process exited, ...URE
Apr 30 07:02:09 centos-512mb-sgp2.db-01 systemd[1]: Failed to start OpenVPN Robust And Highly Fle...er.
Apr 30 07:02:09 centos-512mb-sgp2.db-01 systemd[1]: Unit openvpn@server.service entered failed state.
Apr 30 07:02:09 centos-512mb-sgp2.db-01 systemd[1]: openvpn@server.service failed.
Hint: Some lines were ellipsized, use -l to show in full.

1 comment
  • ddommar June 29, 2018

    I have the same issue "Job for openvpn@server.service failed because the control process exited with error code" and I haven't been able to solve it. I've re-installed the openvpn and easy-rsa many times without success. Please some of you may help me??

Log In to Comment
7 Answers
hansen April 30, 2017
Accepted Answer

@christiangelosulit Can you run the command again with -l as parameter to show full lines (like it says in the bottom).

Reply
  • christiangelosulit April 30, 2017

    openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Applicat ion On server
    Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor pre set: disabled)
    Active: failed (Result: exit-code) since Sun 2017-04-30 08:12:09 UTC; 8h ago
    Process: 10641 ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config %i.conf (code=exited, status=1/FAILURE)
    Main PID: 10641 (code=exited, status=1/FAILURE)

    Apr 30 08:12:08 centos-512mb-sgp2.db-01 systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server...
    Apr 30 08:12:09 centos-512mb-sgp2.db-01 systemd[1]: openvpn@server.service: main process exited, code=exited, status=1/FAILURE
    Apr 30 08:12:09 centos-512mb-sgp2.db-01 systemd[1]: Failed to start OpenVPN Robu st And Highly Flexible Tunneling Application On server.
    Apr 30 08:12:09 centos-512mb-sgp2.db-01 systemd[1]: Unit openvpn@server.service entered failed state.
    Apr 30 08:12:09 centos-512mb-sgp2.db-01 systemd[1]: openvpn@server.service faile d.

  • christiangelosulit April 30, 2017

    Thank you for your time :)

    • hansen April 30, 2017

      Hi @christiangelosulit Did you solve the problem? Unsure, since you accepted the answer, but still posted a log of failure.

      • christiangelosulit April 30, 2017

        sorry i am new to digitalocean i have no idea what is "mark as accepted" no the problem still occurs

      • christiangelosulit April 30, 2017

        Apr 30 16:58:30 centos-512mb-sgp2.db-01 sshd[2260]: Failed password for root from 116.31.116.36 port 44493 ssh2
        Apr 30 16:58:30 centos-512mb-sgp2.db-01 sshd[2260]: Received disconnect from 116.31.116.36: 11: [preauth]
        Apr 30 16:58:30 centos-512mb-sgp2.db-01 sshd[2260]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser=
        Apr 30 16:59:08 centos-512mb-sgp2.db-01 sshd[2262]: pamunix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ss
        Apr 30 16:59:08 centos-512mb-sgp2.db-01 sshd[2262]: pam        succeedif(sshd:auth): requirement "uid >= 1000" not met by user "roo
        Apr 30 16:59:10 centos-512mb-sgp2.db-01 sshd[2262]: Failed password for root from 59.45.175.35 port 38347 ssh2
        Apr 30 16:59:10 centos-512mb-sgp2.db-01 sshd[2262]: pam        succeedif(sshd:auth): requirement "uid >= 1000" not met by user "roo
        Apr 30 16:59:12 centos-512mb-sgp2.db-01 sshd[2262]: Failed password for root from 59.45.175.35 port 38347 ssh2
        Apr 30 16:59:12 centos-512mb-sgp2.db-01 sshd[2262]: pam        succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "roo
        Apr 30 16:59:15 centos-512mb-sgp2.db-01 sshd[2262]: Failed password for root from 59.45.175.35 port 38347 ssh2
        Apr 30 16:59:17 centos-512mb-sgp2.db-01 sshd[2262]: Received disconnect from 59.45.175.35: 11: [preauth]
        Apr 30 16:59:17 centos-512mb-sgp2.db-01 sshd[2262]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser=
        Apr 30 16:59:24 centos-512mb-sgp2.db-01 sshd[2264]: Received disconnect from 59.45.175.88: 11: [preauth]
        Apr 30 16:59:37 centos-512mb-sgp2.db-01 polkitd[454]: Registered Authentication Agent for unix-process:2266:59184 (system bus
        Apr 30 16:59:37 centos-512mb-sgp2.db-01 systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On serv
        -- Subject: Unit openvpn@server.conf.service has begun start-up
        -- Defined-By: systemd

        -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel

        -- Unit openvpn@server.conf.service has begun starting up.
        Apr 30 16:59:37 centos-512mb-sgp2.db-01 openvpn[2272]: Options error: In [CMD-LINE]:1: Error opening configuration file: serv
        Apr 30 16:59:37 centos-512mb-sgp2.db-01 openvpn[2272]: Use --help for more information.
        Apr 30 16:59:37 centos-512mb-sgp2.db-01 systemd[1]: openvpn@server.conf.service: main process exited, code=exited, status=1/F
        Apr 30 16:59:37 centos-512mb-sgp2.db-01 systemd[1]: Failed to start OpenVPN Robust And Highly Flexible Tunneling Application
        -- Subject: Unit openvpn@server.conf.service has failed
        -- Defined-By: systemd

        -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- Unit openvpn@server.conf.service has failed.

        -- The result is failed.
        Apr 30 16:59:37 centos-512mb-sgp2.db-01 systemd[1]: Unit openvpn@server.conf.service entered failed state.
        Apr 30 16:59:37 centos-512mb-sgp2.db-01 systemd[1]: openvpn@server.conf.service failed.
        Apr 30 16:59:37 centos-512mb-sgp2.db-01 polkitd[454]: Unregistered Authentication Agent for unix-process:2266:59184 (system b
        Apr 30 16:59:41 centos-512mb-sgp2.db-01 sshd[2277]: pamunix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ss
        Apr 30 16:59:41 centos-512mb-sgp2.db-01 sshd[2277]: pam        succeedif(sshd:auth): requirement "uid >= 1000" not met by user "roo
        Apr 30 16:59:43 centos-512mb-sgp2.db-01 sshd[2277]: Failed password for root from 116.31.116.36 port 48057 ssh2
        Apr 30 16:59:44 centos-512mb-sgp2.db-01 sshd[2277]: pam        succeedif(sshd:auth): requirement "uid >= 1000" not met by user "roo
        Apr 30 16:59:46 centos-512mb-sgp2.db-01 sshd[2277]: Failed password for root from 116.31.116.36 port 48057 ssh2
        Apr 30 16:59:46 centos-512mb-sgp2.db-01 sshd[2277]: pam        succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "roo
        Apr 30 16:59:48 centos-512mb-sgp2.db-01 sshd[2277]: Failed password for root from 116.31.116.36 port 48057 ssh2
        Apr 30 16:59:48 centos-512mb-sgp2.db-01 sshd[2277]: Received disconnect from 116.31.116.36: 11: [preauth]
        Apr 30 16:59:48 centos-512mb-sgp2.db-01 sshd[2277]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser=
        l

hansen April 30, 2017

@christiangelosulit
Okay, we need to see more logging because it seems like it just gives a short status.
Make sure your OpenVPN configuration file has the log-append parameter.

log-append /var/log/openvpn.log

Then try to start OpenVPN again and now we should have more logging available in /var/log/openvpn.log

Reply
  • christiangelosulit April 30, 2017

    -bash: log-append: command not found
    it is not working

    • hansen April 30, 2017

      You need to add that to your openvpn configuration. It's not a command you can run.

      The long log you just posted above says the following error, which is your root cause of the failure:

      • Apr 30 16:59:37 centos-512mb-sgp2.db-01 openvpn[2272]: Options error: In [CMD-LINE]:1: Error opening configuration file: serv*
      • christiangelosulit April 30, 2017

        ohh sorry sorry

        i have that in my conf file

        enable log

        log-append /var/log/myvpn/openvpn.log

        • hansen April 30, 2017

          @christiangelosulit
          Okay, then go and have a look in /var/log/myvpn/openvpn.log and see if you can find the cause of the error. Otherwise post the last 30-50 lines here.

          • christiangelosulit April 30, 2017

            errors are all identical

            Sun Apr 30 16:54:07 2017 WARNING: cannot stat file 'ta.key': No such file or directory (errno=2)
            Options error: --tls-auth fails with 'ta.key': No such file or directory
            Options error: Please correct these errors.
            Use --help for more information.

  • christiangelosulit April 30, 2017

    [root@centos-512mb-sgp2 ~]# log-append /var/log/myvpn/openvpn.log
    -bash: log-append: command not found
    [root@centos-512mb-sgp2 ~]# cd /var/log/myvpn
    [root@centos-512mb-sgp2 myvpn]# ls
    openvpn.log
    [root@centos-512mb-sgp2 myvpn]# log-append openvpn.log
    -bash: log-append: command not found
    [root@centos-512mb-sgp2 myvpn]#

hansen April 30, 2017

@christiangelosulit
Okay, if it says Sun Apr 30 16:54:07 2017 WARNING: cannot stat file 'ta.key': No such file or directory (errno=2) then it's because the file does not exist.
You need to point to the correct file containing the key.

Reply
  • christiangelosulit April 30, 2017

    i cant find that key sorry i am new to vpn can you teach me how to make or find that file?

    • hansen April 30, 2017

      I don't know what file it is supposed to be.

      You should either use the one-click-app to install an OpenVPN instance or read through the tutorial:
      https://www.digitalocean.com/community/tutorials/how-to-setup-and-configure-an-openvpn-server-on-centos-7

      • christiangelosulit April 30, 2017

        that tutorial is what i read and work with my server

        • hansen April 30, 2017

          Okay, but at some point you didn't follow the tutorial exactly. My guess would be that your ta.key is the one called server.key in the tutorial.

          • christiangelosulit April 30, 2017

            Sun Apr 30 17:44:50 2017 OpenVPN 2.4.1 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PK$
            Sun Apr 30 17:44:50 2017 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06
            Sun Apr 30 17:44:50 2017 Diffie-Hellman initialized with 2048 bit key
            Sun Apr 30 17:44:50 2017 Failed to extract curve from certificate (UNDEF), using secp384r1 instead.
            Sun Apr 30 17:44:50 2017 ECDH curve secp384r1 added
            Sun Apr 30 17:44:50 2017 Insufficient key material or header text not found in file 'server.key' (0/128/256 bytes found/min/$
            Sun Apr 30 17:44:50 2017 Exiting due to fatal error
            Sun Apr 30 17:45:41 2017 OpenVPN 2.4.1 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PK$
            Sun Apr 30 17:45:41 2017 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06
            Sun Apr 30 17:45:41 2017 Diffie-Hellman initialized with 2048 bit key
            Sun Apr 30 17:45:41 2017 Failed to extract curve from certificate (UNDEF), using secp384r1 instead.
            Sun Apr 30 17:45:41 2017 ECDH curve secp384r1 added
            Sun Apr 30 17:45:41 2017 Insufficient key material or header text not found in file 'server.key' (0/128/256 bytes found/min/$
            Sun Apr 30 17:45:41 2017 Exiting due to fatal error

      • christiangelosulit April 30, 2017

        i follow all of the instruction there but i always get the same error message when i try to start openvpn@server.service

        • arcanevibe July 19, 2018

          So admittedly this was a little over a year ago, but for anyone else stuck here I thought I'd add my scenario.

          I have some 5 different clients I am setting up. I had generated a .key/.crt for each of them, and had mistakenly put the client one for my pc in the server.conf file where, I was supposed to have put the one for the D.O. server on which the openVpn service was actually running.

          After replacing my client cert name with my custom server cert name, the service lifted right off the ground without further issue.

hansen April 30, 2017

@christiangelosulit You need to follow the tutorial from the beginning again or use the one-click-app where everything is already configured.

Reply
  • christiangelosulit April 30, 2017

    where is the one-click-app?

    • hansen April 30, 2017

      It seems like DigitalOcean has removed the OpenVPN one-click-app, which you can select when creating a new droplet.

      I would recommend that you follow the tutorial from the beginning and only change the things that are needed. Leave everything else like the tutorial writes it, then you won't have any problems.

      • christiangelosulit May 2, 2017

        problem solve thank you so much!

        • bdspice May 11, 2017

          Can you Describe here how your problem was solved? As i am also follow that tut and face same problem, tried everything as described and commented,googled and nothing is worked. It will be helpful to othere if you described the error and how fixed it

shadynagi May 18, 2017 
#openvpn --genkey --secret ta.key

and make this file like this
/etc/openvpn/ta.key

Reply
jeffreystarin July 16, 2017

This is a very faulty tutorial - there is absolutely NO REFERENCE to generating or inserting a ta.key in the tutorial. I don't know how digital ocean vets the crowd-sourced tutorials but there are many of them that are not accurate.

Trying to make heads or tails of shadynagi's advice also doesn't work.

I generated a secret ta.key in the /etc/openvpn directory and still errors. Are there supposed to be references in the server.conf to BOTH a server.key and ta.key or just or the other.

C'mon digital ocean, step in and clear this up please.

Thank you.

Reply
angeldsphinx July 22, 2017
Reply
Have another answer? Share your knowledge.

Related Questions