Open olivamauricio opened 2 years ago
I am also looking for an answer to this issue as my server certificate has expired this morning. Should I reinstall the OpenVPN server or is there a less disruptive solution?
same thing here, the cert expired and nobody can connect. do we have to reinstall and reissue all clients profiles?
+1 same here
To fix the script you have to prepend EASYRSA_CERT_EXPIRE=3650
to:
https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L739
https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L1086
https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L1090
So for example it will become:
EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-server-full "$SERVER_NAME" nopass
To fix the certificate of the server:
cd /etc/openvpn/easy-rsa/
rm pki/reqs/server_X194SFMGqcUxbZkB.req
rm pki/private/server_X194SFMGqcUxbZkB.key
rm pki/issued/server_X194SFMGqcUxbZkB.crt
EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-server-full server_X194SFMGqcUxbZkB nopass
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
cp pki/crl.pem /etc/openvpn
cp pki/issued/server_X194SFMGqcUxbZkB.crt /etc/openvpn
cp pki/private/server_X194SFMGqcUxbZkB.key /etc/openvpn/
systemctl restart openvpn@server.service
To fix the certificate of a client:
Get the exact name of a client from this list (the name following CN=):
cat /etc/openvpn/easy-rsa/pki/index.txt
Now generate the new certificate:
cd /etc/openvpn/easy-rsa/
rm pki/reqs/ClientName.req
rm pki/private/ClientName.key
rm pki/issued/ClientName.crt
EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "ClientName" nopass
cat pki/issued/ClientName.crt
cat pki/private/ClientName.key
Inside your ClientName.ovpn replace:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
inside <cert>...</cert>
and:
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
inside <key>...</key>.
I wrote a sample Perl script: update_certs.txt
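The renewal steps above leave two fiddly parts to do by hand: picking the exact CN out of pki/index.txt (and seeing how long each cert has left) and pasting the new PEM blocks into the right <cert>/<key> sections of each profile. The following is an added Python helper for both; it is example code, not part of angristan/openvpn-install nor the Perl script mentioned above. It assumes the easy-rsa 3 index.txt column layout and the inline-profile format the installer writes, and every sample (index lines, profile, issued files) is constructed placeholder data.

```python
"""Added example (not code from angristan/openvpn-install): helpers for the
manual renewal steps, finding which easy-rsa certificates are near expiry
in pki/index.txt and splicing a freshly issued cert/key into an inline
.ovpn profile.  Assumes the easy-rsa 3 index.txt format and the
<cert>/<key> inline profile layout; all sample data below is constructed."""
import re
from datetime import datetime, timezone

# Constructed index.txt lines: status, expiry, revocation date, serial, file, DN.
SAMPLE_INDEX = (
    "V\t340101120000Z\t\t0A1B\tunknown\t/CN=server_X194SFMGqcUxbZkB\n"
    "V\t250101120000Z\t\t0A1C\tunknown\t/CN=laptop\n"
    "R\t250101120000Z\t240601000000Z\t0A1D\tunknown\t/CN=oldphone\n"
)
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed "today"


def parse_index_time(stamp: str) -> datetime:
    """index.txt uses ASN.1 UTCTime (YYMMDDHHMMSSZ) before 2050 and
    GeneralizedTime (YYYYMMDDHHMMSSZ) from 2050 on; accept both."""
    fmt = "%y%m%d%H%M%SZ" if len(stamp) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(stamp, fmt).replace(tzinfo=timezone.utc)


def list_certs(index_text: str) -> list[dict]:
    """One record per index.txt line, with the exact CN that easy-rsa expects
    as the argument to build-client-full / build-server-full."""
    certs = []
    for line in index_text.splitlines():
        if not line.strip():
            continue
        status, expiry, _revoked, serial, _file, dn = line.split("\t")
        cn = re.search(r"/CN=([^/]+)", dn).group(1)
        certs.append({"cn": cn, "status": status, "serial": serial,
                      "expires": parse_index_time(expiry)})
    return certs


def days_left(cert: dict, now: datetime = SAMPLE_NOW) -> int:
    return (cert["expires"] - now).days


def needs_renewal(certs, now=SAMPLE_NOW, within_days=90) -> list[str]:
    """CNs of valid (V) certs expiring within the window.  The flag stays V
    past expiry until 'easyrsa update-db' runs, so the date is what counts;
    revoked (R) and already-marked-expired (E) entries are skipped."""
    return [c["cn"] for c in certs
            if c["status"] == "V" and days_left(c, now) <= within_days]


PEM_MARKERS = {
    "cert": ("-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"),
    "key": ("-----BEGIN PRIVATE KEY-----", "-----END PRIVATE KEY-----"),
}


def extract_pem(file_text: str, tag: str) -> str:
    """easy-rsa writes a human-readable dump before the PEM in issued/*.crt;
    keep only the BEGIN...END block so the profile does not carry the dump."""
    begin, end = PEM_MARKERS[tag]
    m = re.search(re.escape(begin) + r".*?" + re.escape(end), file_text, re.S)
    if m is None:
        raise ValueError(f"no {begin} block found")
    return m.group(0)


def replace_inline(ovpn: str, tag: str, file_text: str) -> str:
    """Replace the single <tag>...</tag> block of an inline .ovpn profile;
    refuse to touch a profile that has zero or several such blocks."""
    pem = extract_pem(file_text, tag)
    block = re.compile(rf"<{tag}>.*?</{tag}>", re.S)
    if len(block.findall(ovpn)) != 1:
        raise ValueError(f"expected exactly one <{tag}> block in profile")
    return block.sub(lambda _m: f"<{tag}>\n{pem}\n</{tag}>", ovpn)


def update_profile(ovpn: str, crt_text: str, key_text: str) -> str:
    """Apply both replacements; <ca> and <tls-crypt> blocks are left alone."""
    return replace_inline(replace_inline(ovpn, "cert", crt_text), "key", key_text)


# Constructed profile and freshly issued files (placeholders, not real keys).
SAMPLE_OVPN = (
    "client\ndev tun\n"
    "<ca>\n-----BEGIN CERTIFICATE-----\nCA-PLACEHOLDER\n-----END CERTIFICATE-----\n</ca>\n"
    "<cert>\n-----BEGIN CERTIFICATE-----\nOLD-CERT\n-----END CERTIFICATE-----\n</cert>\n"
    "<key>\n-----BEGIN PRIVATE KEY-----\nOLD-KEY\n-----END PRIVATE KEY-----\n</key>\n"
)
SAMPLE_CRT = ("Certificate:\n    Data:\n        Version: 3 (0x2)\n"
              "-----BEGIN CERTIFICATE-----\nNEW-CERT\n-----END CERTIFICATE-----\n")
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nNEW-KEY\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    for c in list_certs(SAMPLE_INDEX):
        print(f"{c['status']} {c['cn']:<28} {days_left(c):>5} days left")
    print("renew soon:", needs_renewal(list_certs(SAMPLE_INDEX), within_days=400))
    print(update_profile(SAMPLE_OVPN, SAMPLE_CRT, SAMPLE_KEY))
```

On a real box, read /etc/openvpn/easy-rsa/pki/index.txt into list_certs, then feed pki/issued/ClientName.crt and pki/private/ClientName.key to update_profile after the build-client-full step; the extract_pem step matters because the issued .crt starts with a text dump that OpenVPN does not want inside <cert>.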
This should be mentioned in the documentation. It makes sense that the server certificate expires, but in my case I was shocked when all my VPN clients stopped working. I resolved it by uninstalling and installing OpenVPN with the script again, but an option for regenerating certificates from the script's menu would be useful.
The wording and behavior in #1085 make a nicer user experience for those who don't know or care what these expiration dates are and are not interested in changing them. Just for reference, we are talking about:
It's true that upon revocation or extension, a feature to rm -rf residual stuff in pki is very useful, but maybe we should ask whether to use it, as in "Would you like to clean up (delete residual certificate and key data)?".
When coding this we might take into consideration that we will also implement (optionally, if chosen by the user) tls-crypt-v2, where the server and each client have a different, unique OpenVPN static key.
To fix the certificate of the server:
cd /etc/openvpn/easy-rsa/
rm pki/reqs/server_X194SFMGqcUxbZkB.req
rm pki/private/server_X194SFMGqcUxbZkB.key
rm pki/issued/server_X194SFMGqcUxbZkB.crt
EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-server-full server_X194SFMGqcUxbZkB nopass
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
cp pki/crl.pem /etc/openvpn
cp pki/issued/server_X194SFMGqcUxbZkB.crt /etc/openvpn
cp pki/private/server_X194SFMGqcUxbZkB.key /etc/openvpn/
systemctl restart openvpn@server.service
THANK YOU! Solved my issue today! THANK YOU!
Now JUST a HEADS UP and FYI: make sure to use YOUR SERVER NAME in the sequence above! The RANDOM TEXT after server_ will be DIFFERENT for EACH INSTALL. Just be aware, and heads up for those who may not be aware of this.
Example: cp pki/private/server_(YOUR_SERVER_TEXTNAME).key /etc/openvpn/
Good for 10 years now, but I am creating some Bash scripts right now for later, since this will come up on a couple of other nodes of my SuperPersonalVPN network :) :) Got a new node I've not done the install on yet!
Again, THANK YOU!
To fix the script you have to prepend EASYRSA_CERT_EXPIRE=3650 to:
https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L739
https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L1086
https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L1090
So for example it will become:
EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-server-full "$SERVER_NAME" nopass
Going to add these patches for my upcoming new node install! Thank you!
Might even work on adding my own patches to the script to do this certificate update and update the clients afterwards...
Thank you!
If you're looking to also encrypt your private key, a handy tip is to utilize OpenSSL by executing the following command.
openssl pkey -aes256 -in ClientName.key -out ClientName.encrypted.key
Getting the error "peer certificate verification failed" today for all of my clients.
Has my server certificate expired? And how do I renew it? I don't want to delete all the client files and access.
To fix the certificate of the server:
cd /etc/openvpn/easy-rsa/
rm pki/reqs/server_X194SFMGqcUxbZkB.req
rm pki/private/server_X194SFMGqcUxbZkB.key
rm pki/issued/server_X194SFMGqcUxbZkB.crt
EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-server-full server_X194SFMGqcUxbZkB nopass
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
cp pki/crl.pem /etc/openvpn
cp pki/issued/server_X194SFMGqcUxbZkB.crt /etc/openvpn
cp pki/private/server_X194SFMGqcUxbZkB.key /etc/openvpn/
systemctl restart openvpn@server.service
Thanks a lot! Working like a charm, but maybe you also know how to deal with ca.crt? I want to set its expiration date a little higher than 10 years.
For an expired client, I simply added a new user via this: EASYRSA_CERT_EXPIRE=3650 openvpn-install.sh
👋 I've updated to default to 10 years in https://github.com/angristan/openvpn-install/pull/1235
Could you please write the commands that will update old certs which weren't previously 10 years old?
Dear all, I installed the script and I have the whole environment working, but I don't know when the certificates expire. Using the command below I verified that the ca.crt certificate has a period of 10 years before it expires. But the server certificate is only valid for 1 year and will expire in the next few months. How do I use the script to extend the server certificate's validity?
openssl x509 -in ca.crt -dates -noout
notBefore=Jul 26 16:59:50 2019 GMT notAfter=Jul 23 16:59:50 2029 GMT
openssl x509 -in server_p---------------.crt -dates -noout
notBefore=Jul 26 16:59:50 2019 GMT notAfter=Jul 10 16:59:50 2022 GMT
I imagine the server will stop working on Jul 10, 2022. How do I solve this problem? Thanks.