Cyberghost - The CA certificate is missing!

In 2023 I installed Cyberghost VPN on my desktop for FC36, and I could run it successfully; after an update to FC37 there was also no problem running it.
From FC38 until now (FC42) I could not run Cyberghost; I received:

~$ sudo cyberghostvpn --country-code BE --connect
Prepare OpenVPN connection ...
Select server ... brussels-s413-i09
Connecting ... 
The "CA" certificate is missing!
Downloading configuration ...

Looking what is installed:

~/Downloads/cyberghost$ ls
cyberghost  install.sh
gastonv@localhost:~/Downloads/cyberghost$ cd cyberghost/
gastonv@localhost:~/Downloads/cyberghost/cyberghost$ ls
cghost_BE2.ovpn                        passwd-file
changelog                              pw-file
cyberghostvpn                          readME.txt
manual_openvpn_connection_openvpn      uninstall.sh
manual_openvpn_connection_openvpn.zip  update-systemd-resolved
$ ls -l manual_openvpn_connection_openvpn
totaal 16
-rw-rw-r--. 1 gastonv gastonv 2300  7 aug  2024 ca.crt
-rw-rw-r--. 1 gastonv gastonv 2362  7 aug  2024 client.crt
-rw-rw-r--. 1 gastonv gastonv 3268  7 aug  2024 client.key
-rw-rw-r--. 1 gastonv gastonv  361  7 aug  2024 openvpn.ovpn

Then I searched for more ca.crt files:

$ locate ca.crt
/etc/openvpn/ca.crt > dated 5/5/2023
/etc/pki/ca-trust/source/anchors/ca.crt dated > 15/5/2025
/home/gastonv/Downloads/cyberghost/cyberghost/manual_openvpn_connection_openvpn/ca.crt
/usr/local/cyberghost/manual_openvpn_connection_openvpn/ca.crt > 21/5/2025

I can run Cyberghost on my tablet and my smartphone, but I would like to run it on my desktop computer, where I run Fedora.
Waiting for each hint, many thanks in advance for each answer.
Kind regards,
Gaston Verhulst.

Are you sure the ca.crt in /etc/pki/ca-trust/source/anchors is the same one from your application? You might need to re-copy that file and re-run update-ca-trust. I would suggest giving the file a more unique name in the destination to be sure it doesn’t get overwritten by some other application that you might install in the future.

Edit: You might also want to inspect the certificate to be sure it hasn’t expired. I like to use the following command to examine my certificates.

$ openssl x509 -in /etc/pki/ca-trust/source/anchors/ca.crt -noout -text
1 Like
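
The comparison and expiry check suggested in the reply above, as an added shell example that is not part of the original thread. It compares the two copies by SHA-256 fingerprint instead of byte-for-byte and tests expiry with `openssl x509 -checkend`; it only reads the files and does not change the trust store. The function names and the 30-day default are assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread. Read-only: never modifies the trust store.

# Print the SHA-256 fingerprint of a PEM certificate (empty if it does not parse).
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Succeed if the certificate is still valid DAYS days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# audit_anchor SOURCE INSTALLED [DAYS]   (hypothetical helper name)
# Prints MISSING, UNPARSEABLE, MISMATCH, EXPIRING or OK for the installed copy.
audit_anchor() {
    local src="$1" dst="$2" days="${3:-30}" a b
    [ -f "$dst" ] || { echo MISSING; return 1; }
    a=$(cert_fp "$src"); b=$(cert_fp "$dst")
    [ -n "$a" ] && [ -n "$b" ] || { echo UNPARSEABLE; return 1; }
    [ "$a" = "$b" ] || { echo MISMATCH; return 1; }
    valid_for_days "$dst" "$days" || { echo EXPIRING; return 1; }
    echo OK
}

# Example call with the paths from the thread:
#   audit_anchor manual_openvpn_connection_openvpn/ca.crt \
#                /etc/pki/ca-trust/source/anchors/ca.crt
if [ "$#" -ge 2 ]; then audit_anchor "$@"; fi
```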

Thank you for your prompt reply.
I have checked whether both ca.crt files are the same.

$ ls -l Downloads/cyberghost/cyberghost/manual_openvpn_connection_openvpn/*.crt
-rw-rw-r--. 1 gastonv gastonv 2300  7 aug  2024 Downloads/cyberghost/cyberghost/manual_openvpn_connection_openvpn/ca.crt
-rw-rw-r--. 1 gastonv gastonv 2362  7 aug  2024 Downloads/cyberghost/cyberghost/manual_openvpn_connection_openvpn/client.crt

$ ls -l  /etc/pki/ca-trust/source/anchors/*.crt
-rw-r--r--. 1 root root 2300 15 mei  2023 /etc/pki/ca-trust/source/anchors/ca.crt
-rw-r--r--. 1 root root 2362 15 mei  2023 /etc/pki/ca-trust/source/anchors/client.crt

$ diff Downloads/cyberghost/cyberghost/manual_openvpn_connection_openvpn/ca.crt /etc/pki/ca-trust/source/anchors/ca.crt
$

Both files are the same, there are no differences.
I also have done it for client.crt, but they are different.

Please, what do you mean by re-copy and re-run update?
Because I have never done it before, sorry.

I have also inspected the certificate, but I cannot judge the result because I have never done this before. This is the result:

$ openssl x509 -in /etc/pki/ca-trust/source/anchors/ca.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            9c:54:1b:ad:66:c4:34:bb
        Signature Algorithm: sha512WithRSAEncryption
        Issuer: C=RO, L=Bucharest, O=CyberGhost S.A., CN=CyberGhost Root CA, emailAddress=info@cyberghost.ro
        Validity
            Not Before: Jun 19 08:17:25 2017 GMT
            Not After : Jun 14 08:17:25 2037 GMT
        Subject: C=RO, L=Bucharest, O=CyberGhost S.A., CN=CyberGhost Root CA, emailAddress=info@cyberghost.ro
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:ec:ef:3e:9a:38:b6:16:54:21:25:79:ff:1b:85: ...
                    f3:d0:e1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                EA:D7:4A:D6:0F:C7:7B:9A:B3:8D:E0:28:33:97:87:B7:88:A7:F6:25
            X509v3 Authority Key Identifier: 
                keyid:EA:D7:4A:D6:0F:C7:7B:9A:B3:8D:E0:28:33:97:87:B7:88:A7:F6:25
                DirName:/C=RO/L=Bucharest/O=CyberGhost S.A./CN=CyberGhost Root CA/emailAddress=info@cyberghost.ro
                serial:9C:54:1B:AD:66:C4:34:BB
            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha512WithRSAEncryption
    Signature Value:
        cd:c9:0f:76:92:3e:2a:88:d8:e7:1e:4f:7d:aa:f9:c5:c3:da: ...
        03:78:44:73:f1:44:e1:7b
$ 

Many thanks in advance for each answer.
Kind regards,
Gaston Verhulst.

The cyberghostvpn installer isn’t publicly available, correct? (Even though it seems to be using OpenVPN under the hood.)
It would be interesting to know where the executable is looking for the CA certificate.

1 Like

OpenVPN-based clients typically do not use system trust certs.

You should try importing this config to NetworkManager.

2 Likes

In Fedora General Settings > Network I see:

Cable
Bluetooth
VPN >> is empty.
Proxy

So, I suppose I have to put cghost_BE2.ovpn in it.
When I put it in, I receive an error message (translated):

...
Fault: key file contains line 'client', this is not a key value, group or remark.
$ cat Downloads/cyberghost/cyberghost/cghost_BE2.ovpn
client
remote 87-1-be.cg-dialup.net 443
dev tun 
proto udp
auth-user-pass pw-file

resolv-retry infinite 
redirect-gateway def1
persist-key
persist-tun
nobind
cipher AES-256-CBC

auth SHA256
ping 5
ping-exit 60
ping-timer-rem
explicit-exit-notify 2
script-security 2
emote-cert-tls server
route-delay 5
verb 4

ca ca.crt

cert client.crt

key client.key

Here ‘client’ is the first word.
When I comment out this word, then the second word is a fault, etcetera until the end.
So, I think I have to import cghost_BE2.ovpn in another NetworkManager?
Again many thanks in advance for each reply.
Gaston Verhulst.

To make the CyberGhost client work, move the certs and key near the VPN config, so they should be in the same directory.

As an alternative, you can try to import the VPN config to NetworkManager.
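
One way to check the advice above, as an added shell example that is not CyberGhost's or the poster's code: it reads the `ca`, `cert`, `key` and `auth-user-pass` lines of an `.ovpn` file like the one posted earlier and reports whether each relative path resolves from a given directory. The function name is hypothetical and the default directory (the config's own) is an assumption; plain OpenVPN resolves relative paths from its working directory or a `cd` directive, so pass that directory as the second argument if it differs. It also flags a private key or password file that is readable by group or others, as `client.key` is in the listing earlier in the thread.

```shell
#!/bin/sh
# Added example (not CyberGhost's code): check the files an OpenVPN config refers to.
# Paths containing spaces or quotes are not handled.

# check_ovpn_files CONFIG [WORKDIR]   (hypothetical helper name)
# Prints one line per ca/cert/key/auth-user-pass directive:
#   OK <directive> <path>
#   MISSING <directive> <path>
#   LOOSE <directive> <path> (mode NNN)   private file readable by group/others
# Returns non-zero if anything is MISSING or LOOSE.
check_ovpn_files() {
    local conf="$1" base="${2:-$(dirname "$1")}" rc=0 name path rest mode
    while read -r name path rest || [ -n "$name" ]; do
        case "$name" in
            cd) base="$path"; continue ;;          # OpenVPN's own "cd" directive
            ca|cert|key|auth-user-pass) ;;
            *) continue ;;                         # comments, other directives
        esac
        [ -n "$path" ] || continue                 # e.g. bare "auth-user-pass"
        case "$path" in /*) ;; *) path="$base/$path" ;; esac
        if [ ! -f "$path" ]; then
            echo "MISSING $name $path"; rc=1; continue
        fi
        mode=$(stat -c %a "$path")                 # GNU stat, as on Fedora
        case "$name:$mode" in
            key:*00|auth-user-pass:*00|ca:*|cert:*) echo "OK $name $path" ;;
            *) echo "LOOSE $name $path (mode $mode)"; rc=1 ;;
        esac
    done < "$conf"
    return $rc
}

# Example call: check_ovpn_files cghost_BE2.ovpn /directory/openvpn/starts/in
if [ "$#" -gt 0 ]; then check_ovpn_files "$@"; fi
```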

Please, is this what you mean? I have copied the files into the main directory:

gastonv@localhost:~$ cd Downloads/cyberghost/cyberghost/
gastonv@localhost:~/Downloads/cyberghost/cyberghost$ ls
cghost_BE2.ovpn                        passwd-file
changelog                              pw-file
cyberghostvpn                          readME.txt
manual_openvpn_connection_openvpn      uninstall.sh
manual_openvpn_connection_openvpn.zip  update-systemd-resolved
gastonv@localhost:~/Downloads/cyberghost/cyberghost$ ls manual_openvpn_connection_openvpn
ca.crt  client.crt  client.key  openvpn.ovpn
gastonv@localhost:~/Downloads/cyberghost/cyberghost$ cp manual_openvpn_connection_openvpn/*.* ~/Downloads/cyberghost/cyberghost
gastonv@localhost:~/Downloads/cyberghost/cyberghost$ ls
ca.crt           cyberghostvpn                          pw-file
cghost_BE2.ovpn  manual_openvpn_connection_openvpn      readME.txt
changelog        manual_openvpn_connection_openvpn.zip  uninstall.sh
client.crt       openvpn.ovpn                           update-systemd-resolved
client.key       passwd-file

Awaiting if I have done it right?
Kind regards.

1 Like

With the copied files in the directory, it doesn’t run.
I think, perhaps I made a fault?

$ cd Downloads/cyberghost/cyberghost/
gastonv@localhost:~/Downloads/cyberghost/cyberghost$ sudo cyberghostvpn --country-code BE --connect
[sudo] wachtwoord voor gastonv: 
Prepare OpenVPN connection ...
Select server ... brussels-s421-i12
Connecting ... 
The "CA" certificate is missing!
Downloading configuration ...