StreisandEffect / discussions


OpenVPN / OpenConnect "certificate has expired" bug #69

Open cpu opened 6 years ago

cpu commented 6 years ago

If you provisioned a server with Streisand between Oct 18th and Nov 23rd, your OpenVPN and OCServ (OpenConnect) Root Certificate Authorities will expire 30 days after creation instead of 5 years. This bug only affected the root CA certificates.

This was due to a bug that has since been fixed. Affected servers will need to be recreated using a fresh clone of Streisand (commit https://github.com/StreisandEffect/streisand/commit/7f51e8381e62bbe652095788c817fcd217b6d4fa or newer).

You can test if your Streisand server is affected by running the following two commands as root while logged in to the server:

  1. echo -n "OpenVPN is"; openssl x509 -in /etc/openvpn/ca.crt -noout -enddate | grep -q "2017" && echo " affected" || echo " not affected"
  2. echo -n "OpenConnect/OCServ is"; openssl x509 -in /etc/ocserv/ca.crt -noout -enddate | grep -q "2017" && echo " affected" || echo " not affected"

We apologize for the inconvenience.
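The two one-liners above decide "affected" by grepping the year out of `openssl x509 -enddate`, which only works while the bad CAs still expire in 2017. The following is an added example (not code from the Streisand project or this thread) that parses the same `notAfter=` line and reports how many days of validity remain, so a short-lived CA stands out regardless of the calendar year. The sample `notAfter` lines and the fixed "now" timestamp are constructed for the demonstration; `enddate_from_file` shells out to the real `openssl` binary for a live check.

```python
import re
import subprocess
from datetime import datetime, timezone

# `openssl x509 -noout -enddate` prints one line such as:
#   notAfter=Dec 10 20:32:11 2017 GMT
_ENDDATE_RE = re.compile(r"^notAfter=(.+)$")


def parse_enddate(line):
    """Turn an openssl 'notAfter=...' line into an aware UTC datetime."""
    m = _ENDDATE_RE.match(line.strip())
    if not m:
        raise ValueError("not an openssl -enddate line: %r" % line)
    # openssl pads single-digit days with a space; strptime's format
    # whitespace matches one or more spaces, so "Dec  1" parses fine.
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y %Z").replace(
        tzinfo=timezone.utc
    )


def days_remaining(not_after, now=None):
    """Days until the certificate expires (negative if already expired)."""
    now = now or datetime.now(timezone.utc)
    return (not_after - now).total_seconds() / 86400.0


def classify(enddate_line, now=None, min_days=365):
    """Return 'affected' when the CA has less than `min_days` of life left.

    The buggy CAs lived 30 days in total, so any root CA with under a year
    remaining is suspicious; a healthy Streisand CA was issued for 5 years.
    `min_days` is a threshold chosen for this example, not a project setting.
    """
    remaining = days_remaining(parse_enddate(enddate_line), now)
    return "affected" if remaining < min_days else "not affected"


def enddate_from_file(path):
    """Run openssl on a real certificate file (same command as in the issue)."""
    out = subprocess.run(
        ["openssl", "x509", "-in", path, "-noout", "-enddate"],
        check=True, capture_output=True, text=True,
    )
    return out.stdout


if __name__ == "__main__":
    # Constructed samples: one CA cut to 30 days, one with the intended 5 years.
    # "now" is pinned to Nov 20 2017 so the output is reproducible.
    pinned_now = datetime(2017, 11, 20, tzinfo=timezone.utc)
    for name, line in [
        ("30-day CA", "notAfter=Dec 10 20:32:11 2017 GMT"),
        ("5-year CA", "notAfter=Nov 10 20:32:11 2022 GMT"),
    ]:
        print("%s: %s (%.1f days left)" % (
            name, classify(line, pinned_now),
            days_remaining(parse_enddate(line), pinned_now)))
    # For a live server, swap the constructed lines for e.g.:
    #   classify(enddate_from_file("/etc/openvpn/ca.crt"))
    #   classify(enddate_from_file("/etc/ocserv/ca.crt"))
```

Keeping the threshold in days rather than matching a literal year means the same check still flags a truncated CA lifetime after 2017, and the negative-days case tells you the CA has already expired rather than silently reporting "not affected".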

thanhtrdang commented 6 years ago

My VPN server is affected. I have got questions for my case:

  1. Digital Ocean, Ubuntu 16.04.3 x64
  2. My only one requirement is keep my static IP
  3. I have got full control of this VPN server
  4. I have got 1 my macbook + 1 iphone that connect to this VPN.

So,

  1. If I recreate or override using a fresh clone of Streisand, then can I still keep my static IP? And how can I do it?
  2. If I reconfig: How can I do it for VPN server, and my macbook, and my iphone? I understand that: In VPN server I just remove /etc/openvpn/ca.crt and recreate it, then remove old CA from macbook and iphone, then apply new one. Is it right?

I really appreciate your support.

Big thanks, Thanh.

alimakki commented 6 years ago

Hi @thanhtrdang,

I'm really sorry to hear that you've been affected by this.

There might be a way to preserve your IP address by way of rebuilding the image.

You would have to visit the destroy page for the droplet, but instead of hitting the destroy button, you can rebuild the droplet from an image:

[screenshot: DigitalOcean droplet "Rebuild from image" page, 2017-12-06 5:52 pm]

Once you have your base image (which is basically a fresh server), you can re-run the streisand script using the "existing server" as an option, and feed in your droplet's IP address.

You can regenerate the CAs, but then you will need newly signed client certificates, and re-provision them to your devices. It's manual work, and likely prone to errors. The easiest course of action would be to run the Streisand script (after pulling the latest version).

Again, terribly sorry for the inconvenience.

thanhtrdang commented 6 years ago

Hi @alimakki, I followed your suggestion and it worked perfectly. Thank you so much for your great support (y).

cpu commented 6 years ago

@Armored-Dragon The "OCServ" in the issue title refers to OpenConnect. I'll make that clearer, thanks!

It shouldn't affect ShadowSocks - That doesn't use a PKI at all. Can you open a new issue for your ShadowSocks problem? With more information we can try and figure that out.

cpu commented 6 years ago

@Armored-Dragon SSH, as well as ShadowSocks should be unaffected by this bug. If you run into this problem again with a new instance please open a new issue. Thanks!