angristan / openvpn-install

Set up your own OpenVPN server on Debian, Ubuntu, Fedora, CentOS or Arch Linux.
https://stanislas.blog
MIT License
13.28k stars 2.91k forks

Handle certificate expiration #974

Open olivamauricio opened 2 years ago

olivamauricio commented 2 years ago

Dear all, I installed the script and I have the whole environment working, but I don't know when the certificates expire. Through the command below I verified that the ca.crt certificate has a 10-year validity period. But the server certificate is only 1 year old and will expire in the next few months. How do I use the script to extend the server certificate's validity?

openssl x509 -in ca.crt -dates -noout

notBefore=Jul 26 16:59:50 2019 GMT notAfter=Jul 23 16:59:50 2029 GMT

openssl x509 -in server_p---------------.crt -dates -noout

notBefore=Jul 26 16:59:50 2019 GMT notAfter=Jul 10 16:59:50 2022 GMT

I imagine the server will stop working on Jul 10/2022. How to solve this problem? Thanks.
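
Added example (not code from openvpn-install or from anyone in this thread) answering the "when do my certificates expire?" question for the whole PKI at once rather than one file at a time. It reads easy-rsa's pki/index.txt, which the script keeps under /etc/openvpn/easy-rsa/pki (an assumption about the layout), and lists still-valid entries that expire before a cutoff; openssl's -checkend is used for the copies under /etc/openvpn. The sample index.txt is constructed for the demo, reusing the server name quoted later in this thread.

```shell
#!/bin/sh
# Added example, not code from openvpn-install or from this thread.
# Reports which easy-rsa certificates are still marked valid but expire before a
# cutoff, by reading pki/index.txt (assumed at /etc/openvpn/easy-rsa/pki/index.txt,
# the layout openvpn-install creates). index.txt is tab-separated:
#   status (V/R/E)  expiry (YYMMDDHHMMSSZ)  revocation date  serial  filename  subject DN

# expiring_before INDEX CUTOFF: print "expiry<TAB>CN" for each V entry whose expiry is
# earlier than CUTOFF. CUTOFF uses the same YYMMDDHHMMSSZ form as index.txt, so a
# plain string comparison is chronological (for years 2000-2099) and needs no date(1).
# Revoked (R) entries are skipped: they cannot connect anyway and need no renewal.
expiring_before() {
    awk -F'\t' -v cutoff="$2" '
        $1 == "V" && $2 < cutoff {
            cn = $6
            sub(/.*\/CN=/, "", cn)   # keep only the CN component of the DN
            sub(/\/.*/, "", cn)
            print $2 "\t" cn
        }' "$1"
}

# count_expiring_before INDEX CUTOFF: number of such entries.
count_expiring_before() {
    expiring_before "$1" "$2" | wc -l | tr -d ' '
}

# cutoff_in_days N: the cutoff N days from now, in index.txt form (GNU date, BSD fallback).
cutoff_in_days() {
    date -u -d "+$1 days" +%y%m%d%H%M%SZ 2>/dev/null || date -u -v "+$1d" +%y%m%d%H%M%SZ
}

# cert_valid_for_days FILE N: exit 0 if the PEM certificate is still valid N days from now.
# This is the authoritative check for the copies OpenVPN actually loads from /etc/openvpn
# (server cert, ca.crt), which may differ from the pki if someone copied by hand.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))"
}

# Constructed sample index.txt, not a real one; the server name is the one used in
# this thread. Entry 1 is the expired server cert, entry 2 a client that is fine,
# entry 3 a revoked client that must not be reported.
sample_index() {
    printf 'V\t220710165950Z\t\t02\tunknown\t/CN=server_X194SFMGqcUxbZkB\n'
    printf 'V\t290723165950Z\t\t03\tunknown\t/CN=laptop\n'
    printf 'R\t220710165950Z\t211001120000Z\t04\tunknown\t/CN=oldphone\n'
}

main() {
    idx=$(mktemp)
    sample_index > "$idx"
    cutoff=$(cutoff_in_days 30)
    echo "Valid entries expiring before $cutoff:"
    expiring_before "$idx" "$cutoff"
    rm -f "$idx"
}

main
```

Point `expiring_before` at the real /etc/openvpn/easy-rsa/pki/index.txt with `$(cutoff_in_days 30)` from a cron job and you get a warning a month ahead instead of the silent outage several people below ran into. Note that index.txt is only as current as the last easy-rsa operation; the openssl check on the files under /etc/openvpn is what the running server sees.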

computeus commented 2 years ago

I am also looking for an answer to this issue as my server certificate has expired this morning. Should I reinstall the OpenVPN server or is there a less disruptive solution?

katmai commented 2 years ago

Same thing here: the cert expired and nobody can connect. Do we have to reinstall and reissue all client profiles?

nxtreaming commented 2 years ago

+1 same here

BigNerd95 commented 2 years ago

To fix the script you have to prepend EASYRSA_CERT_EXPIRE=3650 to:

https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L739

https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L1086

https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L1090

So for example it will become: EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-server-full "$SERVER_NAME" nopass

BigNerd95 commented 2 years ago

To fix the certificate of the server:

cd /etc/openvpn/easy-rsa/
rm pki/reqs/server_X194SFMGqcUxbZkB.req
rm pki/private/server_X194SFMGqcUxbZkB.key
rm pki/issued/server_X194SFMGqcUxbZkB.crt
EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-server-full server_X194SFMGqcUxbZkB nopass
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
cp pki/crl.pem /etc/openvpn
cp pki/issued/server_X194SFMGqcUxbZkB.crt /etc/openvpn
cp pki/private/server_X194SFMGqcUxbZkB.key /etc/openvpn/
systemctl restart openvpn@server.service

BigNerd95 commented 2 years ago

To fix the certificate of a client:

Get the exact name of a client from this list (the name following CN=):

cat /etc/openvpn/easy-rsa/pki/index.txt

Now generate the new certificate:

cd /etc/openvpn/easy-rsa/
rm pki/reqs/ClientName.req
rm pki/private/ClientName.key
rm pki/issued/ClientName.crt
EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "ClientName" nopass
cat pki/issued/ClientName.crt 
cat pki/private/ClientName.key

Inside your ClientName.ovpn replace:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

inside <cert>...</cert> and:

-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

inside <key>...</key>.
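
The client procedure above ends with a manual copy/paste of the new cert and key into the .ovpn. Added example, not code from openvpn-install or from this thread (ctcmgm's Perl script below is not reproduced here), that does the same thing with awk and wraps the re-issue step around it. It assumes openvpn-install's layout (/etc/openvpn/easy-rsa with pki/issued/NAME.crt and pki/private/NAME.key) and a profile containing <cert>...</cert> and <key>...</key> blocks; the sample profile and certificate file are constructed placeholders, not real PEM data.

```shell
#!/bin/sh
# Added example, not code from openvpn-install or from this thread.
# Re-issue a client certificate and splice the new PEM blocks into the client's
# .ovpn profile. Assumes openvpn-install's layout (/etc/openvpn/easy-rsa,
# pki/issued/NAME.crt, pki/private/NAME.key) and a profile with inline
# <cert>...</cert> and <key>...</key> blocks.

# replace_inline PROFILE TAG NEWFILE: print PROFILE with the body of <TAG>...</TAG>
# replaced by the PEM block of NEWFILE. Only the -----BEGIN/END----- block is copied:
# easy-rsa .crt files start with a text dump of the certificate that must not end up
# in the profile. Exits 2 if NEWFILE contains no PEM block, so a wrong path cannot
# silently produce a profile with an empty <cert> or <key>.
replace_inline() {
    awk -v tag="$2" -v newfile="$3" '
        BEGIN {
            otag = "<" tag ">"; ctag = "</" tag ">"; n = 0; inpem = 0
            while ((getline line < newfile) > 0) {
                if (line ~ /^-----BEGIN /) inpem = 1
                if (inpem) pem[++n] = line
                if (line ~ /^-----END /) inpem = 0
            }
            close(newfile)
            if (n == 0) { print "no PEM block in " newfile > "/dev/stderr"; exit 2 }
        }
        $0 == otag { print; for (i = 1; i <= n; i++) print pem[i]; skip = 1; next }
        $0 == ctag { skip = 0 }
        !skip { print }' "$1"
}

# inline_body PROFILE TAG: print the current body of <TAG>...</TAG> (for checking).
inline_body() {
    awk -v otag="<$2>" -v ctag="</$2>" '$0 == ctag { p = 0 } p { print } $0 == otag { p = 1 }' "$1"
}

# renew_client NAME PROFILE [DAYS]: re-issue NAME (default 3650 days, as in the
# thread) and update PROFILE in place. If the old certificate is still valid it is
# revoked first and the CRL refreshed, so the old copy of the profile stops working;
# an already expired certificate is simply replaced, as in the steps above.
renew_client() {
    name="$1"; profile="$2"; days="${3:-3650}"
    pki=/etc/openvpn/easy-rsa/pki
    (
        cd /etc/openvpn/easy-rsa || exit 1
        if [ -f "pki/issued/$name.crt" ] && openssl x509 -in "pki/issued/$name.crt" -noout -checkend 0; then
            ./easyrsa --batch revoke "$name"
            EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
            cp pki/crl.pem /etc/openvpn/crl.pem && chmod 644 /etc/openvpn/crl.pem
        fi
        rm -f "pki/reqs/$name.req" "pki/private/$name.key" "pki/issued/$name.crt"
        EASYRSA_CERT_EXPIRE="$days" ./easyrsa --batch build-client-full "$name" nopass
    ) || return 1
    replace_inline "$profile" cert "$pki/issued/$name.crt" > "$profile.tmp" || return 1
    replace_inline "$profile.tmp" key "$pki/private/$name.key" > "$profile.tmp2" || return 1
    mv "$profile.tmp2" "$profile" && rm -f "$profile.tmp" && chmod 600 "$profile"
}

# Constructed placeholders standing in for real PEM data, used only by the demo.
sample_profile() {
    printf 'client\nremote vpn.example.invalid 1194\n'
    printf '<ca>\n-----BEGIN CERTIFICATE-----\nCAOLD\n-----END CERTIFICATE-----\n</ca>\n'
    printf '<cert>\n-----BEGIN CERTIFICATE-----\nCERTOLD\n-----END CERTIFICATE-----\n</cert>\n'
    printf '<key>\n-----BEGIN PRIVATE KEY-----\nKEYOLD\n-----END PRIVATE KEY-----\n</key>\n'
}
sample_new_cert() {
    printf 'Certificate:\n    Data:\n        Subject: CN=laptop\n'
    printf -- '-----BEGIN CERTIFICATE-----\nCERTNEW\n-----END CERTIFICATE-----\n'
}

demo() {
    d=$(mktemp -d)
    sample_profile > "$d/laptop.ovpn"
    sample_new_cert > "$d/laptop.crt"
    replace_inline "$d/laptop.ovpn" cert "$d/laptop.crt"
    rm -rf "$d"
}

demo
```

Usage on a real install: `renew_client laptop /root/laptop.ovpn`, then hand the updated profile to the user. The revoke-before-reissue branch matters when you renew ahead of expiry: without it the previous profile, and whoever has a copy of it, keeps working until its own notAfter date. The <ca> and <tls-crypt> blocks are untouched, since the CA and the tls-crypt key are not being rotated here.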

ctcmgm commented 2 years ago

I wrote a sample Perl script, update_certs.txt

novalu commented 1 year ago

This should be mentioned in the documentation. It makes sense that the server certificate expires, but in my case I was shocked as to why all my VPN clients stopped working. I resolved it by uninstalling and installing OpenVPN with the script again, but an option for regenerating the certificate from the script's menu would be useful.

gits7r commented 1 year ago

The wording and behavior in #1085 make for a nicer user experience for those who don't know or care what these expiration dates are and are not interested in changing them. Just for reference, we are talking about:

It's true that upon revocation or extension, a feature to rm -rf residual stuff in the pki is very useful, but maybe we should ask whether to use it, as in "Would you like to clean up (delete residual certificate and key data)?".

When coding this we might take into consideration that we will also implement (optionally, if chosen by the user) tls-crypt-v2, where the server and each client have a different, unique OpenVPN static key.

ScanCaster commented 1 year ago

To fix the certificate of the server:

cd /etc/openvpn/easy-rsa/
rm pki/reqs/server_X194SFMGqcUxbZkB.req
rm pki/private/server_X194SFMGqcUxbZkB.key
rm pki/issued/server_X194SFMGqcUxbZkB.crt
EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-server-full server_X194SFMGqcUxbZkB nopass
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
cp pki/crl.pem /etc/openvpn
cp pki/issued/server_X194SFMGqcUxbZkB.crt /etc/openvpn
cp pki/private/server_X194SFMGqcUxbZkB.key /etc/openvpn/
systemctl restart openvpn@server.service

THANK YOU! Solved my issue today! THANK YOU!

Now JUST a HEADS UP and FYI: make sure to use YOUR SERVER NAME in the sequence above! The RANDOM TEXT after server_ will be DIFFERENT for EACH INSTALL. Just be aware, and a heads up for those that may not be aware of this.

Example: cp pki/private/server_(YOUR_SERVER_TEXTNAME).key /etc/openvpn/

Good for 10 years now, but I am creating some BASH scripts right now for later, since this will come up on a couple of other nodes of my SuperPersonalVPN Network :) :) Got a new node I've not done the install on yet!

Again, THANK YOU!

ScanCaster commented 1 year ago

To fix the script you have to prepend EASYRSA_CERT_EXPIRE=3650 to:

https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L739

https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L1086

https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L1090

So for example it will become: EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-server-full "$SERVER_NAME" nopass

Going to add these patches for my upcoming new node install! Thank you!

Might even work on adding in my own patches to the script to do this Update Certs, and update the clients afterwards...

Thank you!

ErminMerdanovic commented 1 year ago

If you're looking to also encrypt your private key, a handy tip is to utilize OpenSSL by executing the following command.

openssl pkey -aes256 -in ClientName.key -out ClientName.encrypted.key

hariskhan488 commented 11 months ago

Getting the error "peer certificate verification failed" today for all of my clients.

Has my server certificate expired? And how do I renew it? I don't want to delete all the client files and access.

stefkkkk commented 8 months ago

To fix the certificate of the server:

cd /etc/openvpn/easy-rsa/
rm pki/reqs/server_X194SFMGqcUxbZkB.req
rm pki/private/server_X194SFMGqcUxbZkB.key
rm pki/issued/server_X194SFMGqcUxbZkB.crt
EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-server-full server_X194SFMGqcUxbZkB nopass
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
cp pki/crl.pem /etc/openvpn
cp pki/issued/server_X194SFMGqcUxbZkB.crt /etc/openvpn
cp pki/private/server_X194SFMGqcUxbZkB.key /etc/openvpn/
systemctl restart openvpn@server.service

Thanks a lot! Working like a charm, but maybe you also know how to deal with ca.crt? I want to set the expiration date a little higher than 10 years.

joy2fun commented 6 months ago

For an expired client, I simply added a new user via this: EASYRSA_CERT_EXPIRE=3650 openvpn-install.sh

angristan commented 1 month ago

👋 I've updated to default to 10 years in https://github.com/angristan/openvpn-install/pull/1235

stefkkkk commented 1 month ago

👋 I've updated to default to 10 years in #1235

Could you please write the commands which will update old certs that weren't previously 10 years old?