Handle certificate expiration #974
Comments
I am also looking for an answer to this issue as my server certificate expired this morning. Should I reinstall the OpenVPN server, or is there a less disruptive solution?
Same thing here: the cert expired and nobody can connect. Do we have to reinstall and reissue all client profiles?
+1
To fix the script you have to prepend to these lines: https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L739 https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L1086 https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L1090 So for example it will become:
To fix the certificate of the server:

```sh
cd /etc/openvpn/easy-rsa/
rm pki/reqs/server_X194SFMGqcUxbZkB.req
rm pki/private/server_X194SFMGqcUxbZkB.key
rm pki/issued/server_X194SFMGqcUxbZkB.crt
EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-server-full server_X194SFMGqcUxbZkB nopass
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
cp pki/crl.pem /etc/openvpn
cp pki/issued/server_X194SFMGqcUxbZkB.crt /etc/openvpn
cp pki/private/server_X194SFMGqcUxbZkB.key /etc/openvpn/
systemctl restart openvpn@server
```
To fix the certificate of a client: get the exact name of a client from this list (the name following

```sh
cat /etc/openvpn/easy-rsa/pki/index.txt
```

Now generate the new certificate:

```sh
cd /etc/openvpn/easy-rsa/
rm pki/reqs/ClientName.req
rm pki/private/ClientName.key
rm pki/issued/ClientName.crt
EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "ClientName" nopass
cat pki/issued/ClientName.crt
cat pki/private/ClientName.key
```

Inside your ClientName.ovpn replace:
inside
inside
I wrote a sample Perl script.
This should be mentioned in the documentation. It makes sense that the server certificate expires, but in my case I was shocked why all my VPN clients stopped working. I resolved it by uninstalling and installing OpenVPN with the script again, but an option for regenerating the certificate from the script options would be useful.
The wording and behavior in #1085 make a nicer user experience for those who don't know or care what these expiration dates are and are not interested in changing them. Just to reference, we are talking about:
It's true that upon revocation or extension, a feature to When coding this we might take into consideration that we will also implement (optional if chosen by the user)
THANK YOU! Solved my issue today! THANK YOU! Now JUST a HEADS UP and FYI: make sure to use YOUR SERVER NAME in the sequence above! The RANDOM TEXT after **server will be DIFFERENT for EACH INSTALL.** Just be aware, and heads up for those that may not be aware of this. Example: `cp pki/private/server_(YOUR_SERVER_TEXT_NAME_).key /etc/openvpn/` Good for 10 years now, but I am creating some BASH scripts right now for later, since this will come up on a couple other nodes of my SuperPersonalVPN Network :) :) Got a new node I've not done the install on yet! Again, THANK YOU!
Going to add these patches for my upcoming new node install! Thank you! Might even work on adding my own patches to the script to do this certificate update, and update the clients afterwards... Thank you!
If you're looking to also encrypt your private key, a handy tip is to utilize OpenSSL by executing the following command.
Getting the error "peer certificate verification failed" today for all of my clients. Has my server certificate expired? And how do I renew it? I don't want to delete all the client files and access.
Thanks a lot! Working like a charm.
For an expired client, I simply added a new user via this:
👋 I've updated to default to 10 years in #1235
Could you please write the commands which will update old certs that weren't previously 10-year certs?
Dear, I installed the script and I have the whole environment working, but I don't know when the certificates expire. Through the command below I verified that the ca.crt certificate has a period of 10 years to expire. But the server certificate is only 1 year old and will expire in the next few months.
How do I use the script to delay server certificate validity?

```
openssl x509 -in ca.crt -dates -noout
notBefore=Jul 26 16:59:50 2019 GMT
notAfter=Jul 23 16:59:50 2029 GMT
openssl x509 -in server_p---------------.crt -dates -noout
notBefore=Jul 26 16:59:50 2019 GMT
notAfter=Jul 10 16:59:50 2022 GMT
```

I imagine the server will stop working on Jul 10/2022. How to solve this problem? Thanks.
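The question above is how to find out when the certificates will expire before the VPN stops working. Below is an added example, not part of this thread or of openvpn-install, that walks an easy-rsa PKI laid out the way the script leaves it (`ca.crt` plus `issued/*.crt`) and flags certificates that are expired or expire within a warning window; the PKI path, the 30-day default window and the `make_demo_pki` sample PKI are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not part of this thread or of openvpn-install: audit an easy-rsa
# PKI (ca.crt plus issued/*.crt, as openvpn-install leaves it) and flag every
# certificate that is expired or expires within a warning window.

# Exit 0 if the certificate in $1 is expired or expires within $2 days, 1 if it
# is valid beyond the window, 2 if the file is not a readable certificate.
# openssl's own -checkend does the date comparison, so no date parsing is needed.
cert_expires_within_days() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 2
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Print one line per certificate: status, file name and notAfter date.
pki_report() {
    pki=$1; window=${2:-30}
    for crt in "$pki/ca.crt" "$pki"/issued/*.crt; do
        [ -f "$crt" ] || continue
        enddate=$(openssl x509 -in "$crt" -noout -enddate 2>/dev/null | sed 's/^notAfter=//')
        if [ -z "$enddate" ]; then status=UNREADABLE
        elif cert_expires_within_days "$crt" 0; then status=EXPIRED
        elif cert_expires_within_days "$crt" "$window"; then status=EXPIRING
        else status=OK; fi
        printf '%-10s %s (notAfter=%s)\n' "$status" "$(basename "$crt")" "$enddate"
    done
}

# Number of certificates under $1 that are not OK for a window of $2 days.
pki_count_expiring() {
    pki_report "$1" "$2" | awk '!/^OK /{n++} END{print n+0}'
}

# Constructed sample PKI in $1: self-signed certs standing in for the ones
# easy-rsa would issue (CA 3650 days, server 10 days, one client 400 days).
make_demo_pki() {
    mkdir -p "$1/issued" "$1/private"
    for spec in ca:3650 issued/server_demo:10 issued/client1:400; do
        name=${spec%%:*}; days=${spec##*:}; cn=$(basename "$name")
        openssl req -x509 -newkey rsa:2048 -nodes -days "$days" -subj "/CN=$cn" \
            -keyout "$1/private/$cn.key" -out "$1/$name.crt" >/dev/null 2>&1
    done
}

# Usage: sh pki-expiry.sh /etc/openvpn/easy-rsa/pki [warning-days]
if [ $# -gt 0 ]; then pki_report "$1" "${2:-30}"; fi
```

Run it from cron against the live PKI and alert on a non-zero `pki_count_expiring` result so a renewal like the one described earlier in this thread can be scheduled before clients lose connectivity.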