Description of problem:
OpenSSL was patched in F21 to disallow verification of certificates that are signed with the MD5 algorithm. Certificates signed with the MD5 algorithm are not present on public https web sites anymore, but they can still be in use on private networks or used for authentication on openvpn-based VPNs such as in bug 1157260. As a temporary measure the OPENSSL_ENABLE_MD5_VERIFY environment variable can be set to allow verification of certificates signed with the MD5 algorithm.
I've tried to apply the environment variable workaround for NetworkManager, but it does not work for me.
In a virtual machine with F20 I updated the F20 openssl-1.0.1e-40.fc20 to openssl-1.0.1e-40.fc21. After the update I get the error as expected. But after adding 'Environment="OPENSSL_ENABLE_MD5_VERIFY=1"' to /usr/lib/systemd/system/NetworkManager.service the openvpn connection started to work.
The same change under F21 does not help, I still get the error.
I don't know if it is a NetworkManager or systemd issue, or something else.
See also bug #1157260.
Some additional info:
In a terminal, after setting the above environment variable (export OPENSSL_ENABLE_MD5_VERIFY=1), starting openvpn directly (openvpn --config myconfig) seems to accept the certificate. If I start it with systemctl (systemctl start openvpn@myconfig) I get the error message and it doesn't connect.
Finally I managed to get it to work. I don't really know what the problem was. I reconfigured NetworkManager and friends, and in the meantime I applied F21 updates... So, adding 'Environment="OPENSSL_ENABLE_MD5_VERIFY=1"' to /usr/lib/systemd/system/NetworkManager.service allows the connection for NetworkManager.
Thus the bug can be closed I think.
Zoltan, it would be great to know what fixed it for you, since it doesn't work for me on two different machines. The difference in my case was I copied the /usr/lib... file to /etc/systemd/system and modified it instead. I can see the variable gets set to network manager and openvpn, but it won't work.
And btw, adding it on the command line does the trick. So the GUI startup of the openvpn tunnel via network-manager won't work, to be more precise.
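An added example, not part of the bug thread or of any project's code: a small Python check that reads a certificate's outer signature algorithm, so the MD5-signed certificates this thread is about can be identified and re-issued instead of relying on the environment variable. All function names and the sample structure built by `constructed_cert` are assumptions made for this example.

```python
import base64
import re

# DER bytes of the PKCS #1 arc 1.2.840.113549.1.1; the final byte selects the algorithm.
PKCS1 = bytes.fromhex("2a864886f70d0101")
SIG_ALGS = {2: "md2WithRSAEncryption", 4: "md5WithRSAEncryption",
            5: "sha1WithRSAEncryption", 11: "sha256WithRSAEncryption"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def pem_to_der(pem_text):  # decodes the first CERTIFICATE block of a PEM file
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem_text, re.S)
    if m is None:
        raise ValueError("no certificate found")
    return base64.b64decode("".join(m.group(1).split()))

def signature_algorithm(der):
    """Name the outer signatureAlgorithm of an X.509 certificate."""
    tag, start, _ = read_tlv(der, 0)            # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = read_tlv(der, start)        # skip tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)    # AlgorithmIdentifier
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    oid = der[oid_start:oid_end]
    if oid[:-1] == PKCS1 and oid[-1] in SIG_ALGS:
        return SIG_ALGS[oid[-1]]
    return "oid:" + oid.hex()

def tlv(tag, body):  # DER encoder, used only to build the constructed sample
    n = len(body)
    k = (n.bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | k]) + n.to_bytes(k, "big")) + body

def constructed_cert(alg_arc, filler=1):
    """Constructed skeleton with a certificate's outer layout; not a real certificate."""
    alg = tlv(0x30, tlv(0x06, PKCS1 + bytes([alg_arc])) + tlv(0x05, b""))
    tbs = tlv(0x30, tlv(0x02, b"\x01" * filler))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00\xaa"))
```

For a real PEM file, pass its text through `pem_to_der` and then `signature_algorithm`; a result of `md5WithRSAEncryption` marks a certificate affected by the F21 change.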