openvpn-install
server.crt has expired, easy way to renew?
My server_xyzblablabla.crt has expired. Is there an easy way to renew it? I'm not really finding much out there on this.
This project uses EasyRSA (from OpenVPN) to manage the PKI. Have a look at EasyRSA's documentation for more information.
You should be able to renew your server certificate this way:
cd /etc/openvpn/easy-rsa
sudo ./easyrsa renew server_xyzblablabla
# or
sudo ./easyrsa renew server_xyzblablabla nopass
It may be necessary to reload / restart the OpenVPN service using systemctl.
I had a similar issue, tried the command but got an error: "unable to renew as the input file is not a valid certificate unexpected". Can't find the solution.
This is what I did, remember to replace server_xyzblablabla with your server_someletternumbercombo.
mv /etc/openvpn/easy-rsa/pki/reqs/server_xyzblablabla.req server_xyzblablabla.req.backup
mv /etc/openvpn/easy-rsa/pki/private/server_xyzblablabla.key server_xyzblablabla.key.backup
mv /etc/openvpn/easy-rsa/pki/issued/server_xyzblablabla.crt server_xyzblablabla.crt.backup
mv /etc/openvpn/server_xyzblablabla.crt server_xyzblablabla.crt.backup
mv /etc/openvpn/server_xyzblablabla.key server_xyzblablabla.key.backup
cd /etc/openvpn/easy-rsa
./easyrsa build-server-full server_xyzblablabla nopass
cp /etc/openvpn/easy-rsa/pki/issued/server_xyzblablabla.crt /etc/openvpn
cp /etc/openvpn/easy-rsa/pki/private/server_xyzblablabla.key /etc/openvpn
Works. Thanks
(in reply to kg6uyz's comment above, Sun, 28 Aug 2022, 20:25)
Hello, I have the same problem: the server certificate has expired. I followed the above procedure and was able to successfully renew the server certificate. I stopped and restarted the openvpn service, but unfortunately the clients still can't connect. Before I updated the server certificate the client connection failed and the log gave "error certificate expired". Now that I have renewed the server certificate the situation has changed: "error certificate expired" no longer occurs, but an error in the TLS negotiation does. If I create a new client it works; the client connects to the server successfully. The problem is that I have about 120 clients scattered throughout the country; these have a certificate valid for over 10 years, and I don't want to have to reinstall all of them, it would be considerable damage. Is there anything I can do to get the server working again without upgrading all the clients? Thanks in advance, have a nice day.
I just verified that some clients connect without problems. I don't understand why one of my clients, the one I always used, doesn't work anymore, as I wrote before, with a TLS negotiation error. Now I'm checking whether the other clients work, but it seems to me that everything is fine again except my client, and that would not be a problem... As soon as I have completed the checks I will let you know...
It seems that only the Windows clients don't work anymore; I have to make a new certificate, while the Linux clients work.
A better way to renew your server certificate is to use Easy-RSA v3.1.1: Command renew {server_name}
Then, install the renewed certificate into your server config file and remove the expired one.
@TinCanTech thanks for the reply. At the moment, since the Linux clients work, I don't feel like doing anything else; the Windows clients are manned by humans, therefore we restore them without problems...
Is it possible to do this via openssl?
OK, the same issue. My server crt file has expired.
openssl x509 -in ../server_r2cQGmAROejXrflJ.crt -text -noout
Not Before: Dec 18 03:47:37 2020 GMT
Not After : Mar 23 03:47:37 2023 GMT
I installed the newest version of EasyRSA and replaced the current one:
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.1.2/EasyRSA-3.1.2.tgz
tar xzvf EasyRSA-3.1.2.tgz
cp ./EasyRSA-3.1.2/easyrsa /etc/openvpn/easy-rsa/easyrsa
Next I ran:
cd /etc/openvpn/easy-rsa
./easyrsa renew server_r2cQGmAROejXrflJ
./easyrsa revoke-renewed server_r2cQGmAROejXrflJ
./easyrsa gen-crl
cp ./pki/crl.pem ../
cp ./pki/issued/server_r2cQGmAROejXrflJ.crt /etc/openvpn
All operations were executed successfully with no errors. I checked the new cert and it looks good:
root@vpnilim:/etc/openvpn# openssl x509 -in server_r2cQGmAROejXrflJ.crt -text -noout
Validity
Not Before: Mar 25 15:01:05 2023 GMT
Not After : Jun 27 15:01:05 2025 GMT
Restart services:
root@vpnilim:/etc/openvpn# systemctl restart openvpn@server.service
root@vpnilim:/etc/openvpn# systemctl restart openvpn.service
I try to connect from my Android phone and see in syslog:
Mar 25 23:12:51 vpnilim ovpn-server[1087]: 80.83.237.115:35587 TLS: Initial packet from [AF_INET]80.83.237.115:35587, sid=af6ce164 20f207b8
Mar 25 23:12:51 vpnilim ovpn-server[1087]: 80.83.237.115:35587 OpenSSL: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate
Mar 25 23:12:51 vpnilim ovpn-server[1087]: 80.83.237.115:35587 TLS_ERROR: BIO read tls_read_plaintext error
Mar 25 23:12:51 vpnilim ovpn-server[1087]: 80.83.237.115:35587 TLS Error: TLS object -> incoming plaintext read error
Mar 25 23:12:51 vpnilim ovpn-server[1087]: 80.83.237.115:35587 TLS Error: TLS handshake failed
Mar 25 23:12:51 vpnilim ovpn-server[1087]: 80.83.237.115:35587 SIGUSR1[soft,tls-error] received, client-instance restarting
What am I doing wrong? Can you help me? @TinCanTech Thank you!
Check your client config:
tls_process_client_certificate:peer did not return a certificate
Thanks for the reply. It seems only my cert has become broken. Really interesting. It looks fine. The keys were cut and dotted by me. What is wrong here? All the other certs look similar.
client
proto udp
explicit-exit-notify
remote XX.XX.XX.XX 1194
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_r2cQGmAROejXrflJ name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
setenv CLIENT_CERT 0
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIB1...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIB...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MI...
-----END PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
e8...
-----END OpenVPN Static key V1-----
</tls-crypt>
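The server log above says the client presented no certificate at all, which is a client-profile problem rather than a server-certificate one. The following script is an added example, not code from the issue thread or from the openvpn-install project; it lints a client .ovpn for the two client-side causes of that message: missing cert/key material, and the line "setenv CLIENT_CERT 0", which OpenVPN 3-based clients (the Android and iOS apps) interpret as a profile that has no client certificate to present. The sample profile it writes is constructed for the demonstration; its PEM bodies are placeholders and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the issue thread): lint an OpenVPN client profile for
# client-side causes of "tls_process_client_certificate:peer did not return a certificate".
# Usage: check_client_profile client.ovpn   (exit 0 = nothing found, 1 = problem found)

check_client_profile() {
    profile="$1"
    status=0

    # 1. A client certificate must be present, inline (<cert>) or as a file (cert ...).
    if ! grep -q '^<cert>' "$profile" && ! grep -Eq '^[[:space:]]*cert[[:space:]]' "$profile"; then
        echo "$profile: no client certificate configured"
        status=1
    fi
    # 2. Same for the private key.
    if ! grep -q '^<key>' "$profile" && ! grep -Eq '^[[:space:]]*key[[:space:]]' "$profile"; then
        echo "$profile: no client private key configured"
        status=1
    fi
    # 3. "setenv CLIENT_CERT 0" tells OpenVPN 3-based clients that this profile has no
    #    client certificate, so they never send one even when <cert>/<key> are present.
    #    openvpn-install does not generate this line; it is usually added on the client side.
    if grep -Eq '^[[:space:]]*setenv[[:space:]]+CLIENT_CERT[[:space:]]+0([[:space:]]|$)' "$profile"; then
        echo "$profile: 'setenv CLIENT_CERT 0' disables the client certificate; remove it"
        status=1
    fi
    return $status
}

# Constructed sample profile for the demonstration (PEM bodies are placeholders).
# It reproduces the shape of the profile quoted above, including the CLIENT_CERT line.
make_sample_profile() {
    cat > "$1" <<'EOF'
client
proto udp
remote 192.0.2.10 1194
remote-cert-tls server
setenv CLIENT_CERT 0
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER
-----END PRIVATE KEY-----
</key>
EOF
}

# Stand-alone use: lint every profile given on the command line.
if [ $# -gt 0 ]; then
    rc=0
    for f in "$@"; do
        check_client_profile "$f" || rc=1
    done
    exit $rc
fi
```

Run it as `sh check_profile.sh client1.ovpn client2.ovpn`; a profile that passes all three checks but still fails the handshake should then be compared against the server log for the next error in the chain (CA mismatch, revoked client, tls-crypt key mismatch).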
@frenzymind You may have started the wrong service, you should only use openvpn@server.service
Then check to see which server has started.
I did this and it worked. I have some other servers that used this script. What command can I run to see when my other server certs expire?
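The openssl x509 invocation shown earlier in the thread answers that for one file; the script below is an added example (not from the thread or the openvpn-install project) that turns it into a small report over several server certificates and flags the ones expiring within a chosen number of days, which is what you would run from cron or a monitoring job. It assumes the openvpn-install layout, where the deployed copy is /etc/openvpn/server_*.crt; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the issue thread): report OpenVPN server certificate expiry.
# Usage: cert_expiry_report DAYS CERT...   e.g.  cert_expiry_report 30 /etc/openvpn/server_*.crt
# Prints "notAfter=<date>  <status>  <file>" per certificate; exit 1 if any is not "ok".

# Classify one certificate as expired / expiring (within DAYS) / ok.
# Relies on "openssl x509 -checkend N", which exits non-zero when the certificate
# expires within the next N seconds (N=0 therefore means "already expired").
cert_status() {
    cert="$1"
    days="${2:-30}"
    not_after=$(openssl x509 -in "$cert" -noout -enddate) || return 2
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        state=expired
    elif ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
        state=expiring
    else
        state=ok
    fi
    printf '%s\t%s\t%s\n' "$not_after" "$state" "$cert"
    [ "$state" = ok ]
}

cert_expiry_report() {
    days="$1"
    shift
    rc=0
    for cert in "$@"; do
        # Note: after "easyrsa renew" the PKI copy in easy-rsa/pki/issued/ is new, but
        # the server reads the copy in /etc/openvpn, so check the deployed file.
        cert_status "$cert" "$days" || rc=1
    done
    return $rc
}

# Stand-alone use: first argument is the warning threshold in days, the rest are files.
if [ $# -gt 1 ]; then
    cert_expiry_report "$@"
    exit $?
fi
```

Run `sh cert_expiry.sh 30 /etc/openvpn/server_*.crt` on each server; a non-zero exit means at least one certificate is expired or inside the 30-day window, so the same command can be wired to an alert. Remember that renewing the server certificate does nothing for client certificates, which expire on their own schedule and can be checked the same way from the PKI's issued/ directory.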