angristan / openvpn-install

Set up your own OpenVPN server on Debian, Ubuntu, Fedora, CentOS or Arch Linux.
https://stanislas.blog
MIT License

For what period does the script create the server crt? #1163

Open emoxam opened 1 year ago

emoxam commented 1 year ago

For what period does the script create the server crt?

I see these lines inside the script:

```
./easyrsa --batch build-server-full "$SERVER_NAME" nopass
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
```

But my server.crt is only for two years:

```
cat server_JsChip6h5U7Y4Je4.crt | grep -A3 Validity
Validity
Not Before: Jul 14 06:52:59 2023 GMT
Not After : Oct 16 06:52:59 2025 GMT
```

Why is it so ?

emoxam commented 1 year ago

```
openssl x509 -in server_JsChip6h5U7Y4Je4.crt -noout -dates
notBefore=Jul 14 06:52:59 2023 GMT
notAfter=Oct 16 06:52:59 2025 GMT
```

emoxam commented 1 year ago

I found this in the script:

```
./easyrsa --batch build-server-full "$SERVER_NAME" nopass
EASYRSA_CRL_DAYS=365 ./easyrsa gen-crl
```

and added this line before it:

```
export EASYRSA_CERT_EXPIRE=3650
```

After uninstalling and installing again, the server cert was created for 10 years.
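
A way to catch this before the server certificate expires, as an added example that is not part of the original issue or of the project's script: it parses the `openssl x509 -noout -dates` output posted above and reports the certificate's total lifetime and the days remaining. The function names and the 30-day warning threshold are assumptions made for this example.

```python
# Added example: audit certificate lifetime from `openssl x509 -noout -dates` output.
import re
import ssl
import subprocess
import sys
from datetime import datetime, timezone

DATE_RE = re.compile(r"not(Before|After)\s*=\s*(\w{3}\s+\d+ [\d:]+ \d{4} GMT)")

# The output posted in this thread, used as sample input.
SAMPLE = "notBefore=Jul 14 06:52:59 2023 GMT\nnotAfter=Oct 16 06:52:59 2025 GMT\n"


def parse_dates(text):
    """Return (not_before, not_after) as UTC datetimes."""
    found = {kind: when for kind, when in DATE_RE.findall(text)}
    if set(found) != {"Before", "After"}:
        raise ValueError("notBefore/notAfter not found in openssl output")

    def to_utc(cert_time):
        return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)

    return to_utc(found["Before"]), to_utc(found["After"])


def report(text, now, warn_days=30):
    """Summarise lifetime and remaining validity relative to `now` (aware UTC datetime)."""
    not_before, not_after = parse_dates(text)
    days_left = (not_after - now).days
    if now >= not_after:
        status = "EXPIRED"
    elif days_left < warn_days:  # hypothetical threshold, tune to your renewal process
        status = "WARN"
    else:
        status = "OK"
    return {"lifetime_days": (not_after - not_before).days, "days_left": days_left, "status": status}


def check_file(path, warn_days=30):
    """Run the same openssl command as in the thread against a certificate file."""
    out = subprocess.run(["openssl", "x509", "-in", path, "-noout", "-dates"],
                         check=True, capture_output=True, text=True).stdout
    return report(out, datetime.now(timezone.utc), warn_days)


if __name__ == "__main__":
    paths = sys.argv[1:]
    results = {p: check_file(p) for p in paths} or {"sample": report(SAMPLE, datetime.now(timezone.utc))}
    for name, result in results.items():
        print(name, result)
    sys.exit(1 if any(r["status"] != "OK" for r in results.values()) else 0)
```

For the dates in this thread the reported lifetime is exactly 825 days, which is Easy-RSA's default for `EASYRSA_CERT_EXPIRE` when the variable is not set. Run from cron with the server and client certificate paths as arguments, a non-zero exit code flags anything expired or close to expiry.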

martijnED commented 1 year ago

This is a really big bug: creating client certs for 10 years but not for the server :/

sabbath88 commented 11 months ago

Yep. I've just run into an issue because my server cert expired. All the rest of the certs are still valid ;)

sabbath88 commented 11 months ago

workaround: https://github.com/angristan/openvpn-install/issues/1002#issuecomment-1229525488

emoxam commented 11 months ago

> workaround: #1002 (comment)

Then we need to name new client certs?

sabbath88 commented 11 months ago

> > workaround: #1002 (comment)
>
> Then we need to name new client certs?

No. If you follow the instructions strictly and use the same names for the server crt and key, then no change needs to be performed on the client side.

emoxam commented 11 months ago

> > > workaround: #1002 (comment)
> >
> > Then we need to name new client certs?
>
> No. If you followed the instructions strictly and use the same names for the server crt and key, then no change needs to be performed on the client side.

Wow. All clients will continue to work without any actions??

sabbath88 commented 11 months ago

> > > > workaround: #1002 (comment)
> > >
> > > Then we need to name new client certs?
> >
> > No. If you followed the instructions strictly and use the same names for the server crt and key, then no change needs to be performed on the client side.
>
> Wow. All clients will continue to work without any actions??

Yeah, exactly (:

emoxam commented 11 months ago

> > > > > workaround: #1002 (comment)
> > > >
> > > > Then we need to name new client certs?
> > >
> > > No. If you followed the instructions strictly and use the same names for the server crt and key, then no change needs to be performed on the client side.
> >
> > Wow. All clients will continue to work without any actions??
>
> Yeah, exactly (:

That's great! Thanks!