angristan / openvpn-install

Set up your own OpenVPN server on Debian, Ubuntu, Fedora, CentOS or Arch Linux.
https://stanislas.blog
MIT License
13.41k stars 2.93k forks

server.crt has expired, easy way to renew? #1002

Closed kg6uyz closed 2 years ago

kg6uyz commented 2 years ago

My server_xyzblablabla.crt has expired. Is there an easy way to renew this? Not really finding much out there on this.

dylanjan313 commented 2 years ago

This project uses EasyRSA (from OpenVPN) to manage the PKI. Have a look at EasyRSA's documentation for more information.

You should be able to renew your server certificate this way:

cd /etc/openvpn/easy-rsa
sudo ./easyrsa renew server_xyzblablabla
# or
sudo ./easyrsa renew server_xyzblablabla nopass

It may be necessary to reload / restart the OpenVPN service using systemctl.

ketjow123 commented 2 years ago

I had a similar issue. I tried the command but got an error: "unable to renew as the input file is not a valid certificate unexpected". Can't find the solution.

kg6uyz commented 2 years ago

This is what I did, remember to replace server_xyzblablabla with your server_someletternumbercombo.

mv /etc/openvpn/easy-rsa/pki/reqs/server_xyzblablabla.req server_xyzblablabla.req.backup
mv /etc/openvpn/easy-rsa/pki/private/server_xyzblablabla.key server_xyzblablabla.key.backup
mv /etc/openvpn/easy-rsa/pki/issued/server_xyzblablabla.crt server_xyzblablabla.crt.backup
mv /etc/openvpn/server_xyzblablabla.crt server_xyzblablabla.crt.backup
mv /etc/openvpn/server_xyzblablabla.key server_xyzblablabla.key.backup
cd /etc/openvpn/easy-rsa
./easyrsa build-server-full server_xyzblablabla nopass
cp /etc/openvpn/easy-rsa/pki/issued/server_xyzblablabla.crt /etc/openvpn
cp /etc/openvpn/easy-rsa/pki/private/server_xyzblablabla.key /etc/openvpn
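
The procedure above copies the new pair into /etc/openvpn without checking it first, and later comments in this thread show clients still failing after such a copy. The following is an added example, not code from openvpn-install or from anyone in this thread: it verifies that the issued certificate chains to the EasyRSA CA, matches the private key and carries the expected CN before installing it, backing up whatever is currently in place. It assumes the EasyRSA layout the script uses ($pki/ca.crt, $pki/issued/NAME.crt, $pki/private/NAME.key), an unencrypted key (the script issues with nopass) and openssl on PATH; the script name install-server-cert.sh is made up.

```shell
#!/bin/sh
# Added example (not part of openvpn-install): verify a freshly issued or
# renewed server certificate before copying it into /etc/openvpn, so that a
# bad copy step cannot take every client offline. Assumes the EasyRSA layout
# the script uses: $pki/ca.crt, $pki/issued/NAME.crt, $pki/private/NAME.key.

# Succeed only if NAME.crt chains to ca.crt and is inside its validity period,
# its public key matches NAME.key, and its subject CN is NAME (the value the
# clients pin with "verify-x509-name NAME name").
verify_server_cert() {
    pki=$1; name=$2
    crt="$pki/issued/$name.crt"; key="$pki/private/$name.key"
    if ! openssl verify -CAfile "$pki/ca.crt" "$crt" >/dev/null 2>&1; then
        echo "verify: $crt does not validate against $pki/ca.crt (wrong CA or expired)" >&2
        return 1
    fi
    # public key derived from the certificate must equal the one derived from the key
    if [ "$(openssl x509 -in "$crt" -noout -pubkey)" != "$(openssl pkey -in "$key" -pubout)" ]; then
        echo "verify: $crt does not match $key" >&2
        return 1
    fi
    if ! openssl x509 -in "$crt" -noout -subject | grep -q "CN *= *$name\$"; then
        echo "verify: subject CN is not $name" >&2
        return 1
    fi
    return 0
}

# Back up whatever is currently installed in DST, then copy the verified pair
# in with safe permissions. Restart openvpn@server.service afterwards.
install_server_cert() {
    pki=$1; name=$2; dst=$3
    stamp=$(date +%Y%m%d%H%M%S)
    verify_server_cert "$pki" "$name" || return 1
    for f in "$name.crt" "$name.key"; do
        if [ -f "$dst/$f" ]; then
            cp -p "$dst/$f" "$dst/$f.backup-$stamp"
        fi
    done
    cp "$pki/issued/$name.crt" "$dst/$name.crt" && chmod 0644 "$dst/$name.crt"
    cp "$pki/private/$name.key" "$dst/$name.key" && chmod 0600 "$dst/$name.key"
    echo "installed $name.crt and $name.key into $dst (previous copies saved as *.backup-$stamp)"
}

# Usage: sh install-server-cert.sh /etc/openvpn/easy-rsa/pki server_xyzblablabla /etc/openvpn
if [ $# -eq 3 ]; then
    install_server_cert "$1" "$2" "$3"
fi
```

Run it after `./easyrsa build-server-full NAME nopass` (or after `./easyrsa renew NAME`) and before restarting the service; a failed check leaves the currently installed files untouched. The validity period of a rebuilt certificate comes from EASYRSA_CERT_EXPIRE in the EasyRSA vars file, which is where to look when a longer lifetime is wanted.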
ketjow123 commented 2 years ago

Works. Thanks


elsabz commented 1 year ago

Hello, I have the same problem: the server certificate has expired. I followed the above procedure and was able to successfully renew the server certificate. I stopped and restarted the openvpn service, but unfortunately the clients still can't access. Before I updated the server certificate the client connection failed and the log gave "error certificate expired". Now that I have renewed the server certificate the situation has changed: "error certificate expired" no longer occurs, but there is an error in the TLS negotiation. If I create a new client it works; the client connects to the server successfully. The problem is that I have about 120 clients scattered throughout the country; these have a valid certificate for over 10 years, and I don't want to have to reinstall all of these, it would be considerable damage. Is there anything I can do to get the server working again without upgrading all clients? Thanks in advance, have a nice day.

elsabz commented 1 year ago

I just verified that some clients connect without problems. I don't understand why one of my clients, the one I always used, doesn't work anymore; as I wrote before, it fails with a TLS negotiation error. Now I am checking whether the other clients work, but it seems to me that everything is fine again except my client, and that would not be a problem... as soon as I have completed the checks I will let you know....

elsabz commented 1 year ago

It seems that only the Windows clients don't work anymore; I have to make a new certificate, while the Linux clients work.

TinCanTech commented 1 year ago

A better way to renew your server certificate is to use Easy-RSA v3.2.1: Command renew {server_name}

Then, install the renewed certificate into your server config file and remove the expired one.

elsabz commented 1 year ago

@TinCanTech thanks for the reply. At the moment, since the Linux clients work, I don't feel like doing anything else; the Windows clients are manned by humans, therefore we restore them without problems...

heapxor commented 1 year ago

Is it possible to do this via openssl?

frenzymind commented 1 year ago

Ok, the same issue. My server crt file is expired.

openssl x509 -in ../server_r2cQGmAROejXrflJ.crt -text -noout
            Not Before: Dec 18 03:47:37 2020 GMT
            Not After : Mar 23 03:47:37 2023 GMT

I installed the newest version of EasyRSA and replaced the current one:

wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.1.2/EasyRSA-3.1.2.tgz
tar xzvf EasyRSA-3.1.2.tgz
cp ./EasyRSA-3.1.2/easyrsa /etc/openvpn/easy-rsa/easyrsa

Next I run:

cd /etc/openvpn/easy-rsa
./easyrsa renew  server_r2cQGmAROejXrflJ
./easyrsa revoke-renewed server_r2cQGmAROejXrflJ
./easyrsa gen-crl
cp ./pki/crl.pem ../
cp ./pki/issued/server_r2cQGmAROejXrflJ.crt /etc/openvpn

All operations were executed successfully with no errors. I checked the new cert and it looks good:

root@vpnilim:/etc/openvpn# openssl x509 -in server_r2cQGmAROejXrflJ.crt -text -noout
       Validity
            Not Before: Mar 25 15:01:05 2023 GMT
            Not After : Jun 27 15:01:05 2025 GMT

Restart services:

root@vpnilim:/etc/openvpn# systemctl restart openvpn@server.service
root@vpnilim:/etc/openvpn# systemctl restart openvpn.service

Tried to connect from my Android phone and saw this in syslog:

Mar 25 23:12:51 vpnilim ovpn-server[1087]: 80.83.237.115:35587 TLS: Initial packet from [AF_INET]80.83.237.115:35587, sid=af6ce164 20f207b8
Mar 25 23:12:51 vpnilim ovpn-server[1087]: 80.83.237.115:35587 OpenSSL: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate
Mar 25 23:12:51 vpnilim ovpn-server[1087]: 80.83.237.115:35587 TLS_ERROR: BIO read tls_read_plaintext error
Mar 25 23:12:51 vpnilim ovpn-server[1087]: 80.83.237.115:35587 TLS Error: TLS object -> incoming plaintext read error
Mar 25 23:12:51 vpnilim ovpn-server[1087]: 80.83.237.115:35587 TLS Error: TLS handshake failed
Mar 25 23:12:51 vpnilim ovpn-server[1087]: 80.83.237.115:35587 SIGUSR1[soft,tls-error] received, client-instance restarting

What am I doing wrong? Could you help me? @TinCanTech Thank you!
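
The syslog excerpt above is the usual starting point when "the server was renewed but some clients still fail", and the same lines appear for very different causes (a client that sent no certificate, a client whose own certificate has expired, a wrong CA). The following is an added example, not code from openvpn-install or from anyone in this thread: a small awk-based triage that groups server log lines by client address and names the failure reason. The first six sample lines are the server log from the post above; the two lines for 192.0.2.10 are constructed to show a second client rejected for an expired certificate.

```shell
#!/bin/sh
# Added example (not part of openvpn-install): group OpenVPN server syslog lines
# by client address and name the reason each TLS handshake failed, so that a
# "renewed the server, some clients still cannot connect" situation can be
# triaged without reading the whole log. Assumes the default syslog format
# shown in the thread ("... ovpn-server[PID]: IP:PORT message").

# Read log lines on stdin, print "peer<TAB>reason", one line per failing peer.
triage_tls_log() {
    awk '
    {
        # the client is the first ip:port token after the process name
        peer = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+$/) { peer = $i; break }
        if (peer == "") next
        if ($0 ~ /peer did not return a certificate/)
            reason[peer] = "client presented no certificate (check its <cert>/<key> and config)"
        else if ($0 ~ /certificate has expired/)
            reason[peer] = "expired certificate at the depth shown (0 = the client cert itself)"
        else if ($0 ~ /certificate verify failed/ || $0 ~ /VERIFY ERROR/)
            reason[peer] = "certificate failed verification (wrong CA, revoked, or name mismatch)"
        else if ($0 ~ /TLS handshake failed/ && !(peer in reason))
            reason[peer] = "handshake failed without a specific OpenSSL error (check tls-crypt key)"
    }
    END { for (p in reason) printf "%s\t%s\n", p, reason[p] }' | sort
}

# Constructed sample: lines 1-6 are the server log quoted in the post above,
# lines 7-8 are made up (TEST-NET address) to show an expired client cert.
SAMPLE_LOG='Mar 25 23:12:51 vpnilim ovpn-server[1087]: 80.83.237.115:35587 TLS: Initial packet from [AF_INET]80.83.237.115:35587, sid=af6ce164 20f207b8
Mar 25 23:12:51 vpnilim ovpn-server[1087]: 80.83.237.115:35587 OpenSSL: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate
Mar 25 23:12:51 vpnilim ovpn-server[1087]: 80.83.237.115:35587 TLS_ERROR: BIO read tls_read_plaintext error
Mar 25 23:12:51 vpnilim ovpn-server[1087]: 80.83.237.115:35587 TLS Error: TLS object -> incoming plaintext read error
Mar 25 23:12:51 vpnilim ovpn-server[1087]: 80.83.237.115:35587 TLS Error: TLS handshake failed
Mar 25 23:12:51 vpnilim ovpn-server[1087]: 80.83.237.115:35587 SIGUSR1[soft,tls-error] received, client-instance restarting
Mar 25 23:14:02 vpnilim ovpn-server[1087]: 192.0.2.10:41000 VERIFY ERROR: depth=0, error=certificate has expired: CN=client_old
Mar 25 23:14:02 vpnilim ovpn-server[1087]: 192.0.2.10:41000 TLS Error: TLS handshake failed'

# Stand-alone run over the sample; on a real server pipe journalctl -u openvpn@server into it.
printf '%s\n' "$SAMPLE_LOG" | triage_tls_log
```

The OpenSSL line that names the cause always precedes the generic "TLS handshake failed" line for the same peer, so the generic reason is only recorded when nothing more specific was seen. For the Android client in the post, the verdict is that no client certificate reached the server, which points at the client profile rather than at the renewed server certificate.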

TinCanTech commented 1 year ago

Check your client config:

tls_process_client_certificate:peer did not return a certificate

frenzymind commented 1 year ago

Check your client config:

Thanks for the reply. It seems only my cert became broken. Really interesting. It looks fine. The keys were cut and dotted by me. What is wrong here? All the other certs look similar.

client
proto udp
explicit-exit-notify
remote XX.XX.XX.XX 1194
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_r2cQGmAROejXrflJ name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
setenv CLIENT_CERT 0
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIB1...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIB...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MI...
-----END PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
e8...
-----END OpenVPN Static key V1-----
</tls-crypt>

TinCanTech commented 9 months ago

Restart services:

root@vpnilim:/etc/openvpn# systemctl restart openvpn@server.service
root@vpnilim:/etc/openvpn# systemctl restart openvpn.service

@frenzymind You may have started the wrong service; you should only use openvpn@server.service.

Then check to see which server has started.

getsean commented 6 months ago

I did this and it worked. I have some other servers that used this script. What command can I run to see when my other server certs expire?
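
The question above (when do the certificates on the other servers expire?) and the rebuild procedure earlier in the thread both call for a routine check rather than waiting for "certificate expired" in the client logs. The following is an added example, not code from openvpn-install or from anyone in this thread: it reports the remaining validity of the CA and every EasyRSA-issued certificate and exits non-zero when one of them expires within a warning window. It assumes openssl on PATH, GNU date (the distributions the script supports), and the script's default PKI directory /etc/openvpn/easy-rsa/pki unless another path is passed; the script name audit-pki.sh is made up.

```shell
#!/bin/sh
# Added example (not part of openvpn-install): report how long the CA and every
# EasyRSA-issued certificate (server and clients) remain valid, and exit 1 when
# any of them expires within WARN days. Assumes openssl on PATH, GNU date, and
# the script's default PKI path /etc/openvpn/easy-rsa/pki unless $1 is given.

# Print the notAfter field of a PEM certificate, e.g. "Jun 27 15:01:05 2025 GMT".
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# Whole days until the certificate expires; negative once it has expired.
cert_days_left() {
    end_epoch=$(date -u -d "$(cert_not_after "$1")" +%s)
    echo $(( (end_epoch - $(date -u +%s)) / 86400 ))
}

# Exit 0 when the certificate stays valid for at least $2 more days. This uses
# openssl's own -checkend, so the decision does not depend on date parsing.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Walk ca.crt plus issued/*.crt, print one status line each, and return 1 if
# anything needs renewing within WARN days. An expiring CA is listed first
# because it invalidates every certificate under it at once.
audit_pki() {
    pki=${1:-/etc/openvpn/easy-rsa/pki}
    warn=${2:-30}
    rc=0
    for crt in "$pki/ca.crt" "$pki"/issued/*.crt; do
        [ -f "$crt" ] || continue
        if cert_valid_for_days "$crt" "$warn"; then
            status=OK
        else
            status=RENEW
            rc=1
        fi
        printf '%-6s %-36s %5s days left, notAfter %s\n' \
            "$status" "$(basename "$crt")" "$(cert_days_left "$crt")" "$(cert_not_after "$crt")"
    done
    return $rc
}

# Usage: sh audit-pki.sh [/path/to/pki] [warn_days]
audit_pki "$@"
```

Run it from cron on each server the script set up (for example weekly with a 30-day window) and treat a non-zero exit as the signal to renew; the same functions work on a single file, so `cert_days_left /etc/openvpn/server_xyzblablabla.crt` answers the question for one server directly.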

mrblond18 commented 1 month ago

Worked, life saver!

dmillerzx commented 2 days ago

I've also run into this issue, didn't realize the server's certificates would expire. I ran the above and 80% of my clients reconnected. However, some of the earliest clients I deployed still seem to report:

I suppose the client's certificate expired after resolving the server's certificate? -_-

WARNING: Your certificate has expired!
 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication

Also, can anyone advise how to renew the certificates for 10 years?