Cannot connect to VPN: server certificate for vpn.jenkins.io expired

jenkins-infra / helpdesk

Open your Infrastructure related issues here for the Jenkins project

https://github.com/jenkins-infra/helpdesk/issues/new/choose

17 stars 10 forks source link

Cannot connect to VPN: server certificate for vpn.jenkins.io expired #2798

Closed dduportal closed 2 years ago

dduportal commented 2 years ago

Service

VPN

Summary

When connecting to the VPN, the client fails and reports the following error:

depth=0, error=certificate has expired: CN=vpn.jenkins.io, serial=123071077032967492010226398811684689113
2022-02-28 09:15:29.029442 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

It appears that the server certificate as expired.

This error appears for all users.

Reproduction steps

No response

dduportal commented 2 years ago

Tried to rollback to Docker image 1.0.24 (was in production friday and was working as expected): error still present

dduportal commented 2 years ago

CRL is not expired: openssl crl -in ./cert/pki/crl.pem -noout -text => Next Update: May 5 11:02:41 2022 GMT in https://github.com/jenkins-infra/docker-openvpn
CA is not expired: openssl x509 -in ./cert/pki/ca.crt -noout -text -enddate => notAfter=Mar 10 13:21:44 2029 GMT
Checked my VPN client-side configuration: CA is the same, my own certificate is also NOT expired (+ other users have same error)

=> It means that it is a server-side certificate

dduportal commented 2 years ago

As suggested by @halkeye in IRC #jenkins-infra, we checked the NTP server, but it was up, running and synced (even after a full apt upgrade + reboot of the VPN machine)

=> Not the time

dduportal commented 2 years ago

We need to regenerate a server certificate. Waiting for @olblak to share with us the required elements (or to confirm that we have to regenerate a CA and configs).

dduportal commented 2 years ago

Many thanks @olblak for pointing us to the required elements that were already present in https://github.com/jenkins-infra/docker-openvpn (we failed to look on the correct location).

Incoming tasks to fix VPN:

[x] Regenerate a new server-side certificate and test it manually
[x] Update the jenkins-infra/jenkins-infra config as code to use the new certificate (and verify that it applies well to the VM)
Update docker-openvpn documentation to:
- [x] Point the elements that Olivier reminded us (ca.key encrypted)
- [x] Describe the server certificcte generation procedure

dduportal commented 2 years ago

Fix for infra as code (Puppet): https://github.com/jenkins-infra/jenkins-infra/pull/2080
Documentation updated: https://github.com/jenkins-infra/docker-openvpn/pull/144