Openvpn Root CA Certificate expired

Scripts to manage certificates or generate config files

Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech

Post Reply
aeinnovation
OpenVpn Newbie
Posts: 1
Joined: Wed Jan 26, 2022 8:17 am

Openvpn Root CA Certificate expired

Post by aeinnovation » Wed Jan 26, 2022 8:45 am

Hi all,
I setup my openvpn server about a 10 years ago. It's setup on a Gentoo server.
vpn keys # /etc/init.d/openvpn --version
openvpn (OpenRC) 0.23.2 (Gentoo Linux)
I created several configuration files for several devices. All working very well, until some days ago, when I got this error from vpn client:
Tue Jan 25 18:18:01 2022 MANAGEMENT: >STATE:1643131081,WAIT,,,,,,
Tue Jan 25 18:19:01 2022 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Jan 25 18:19:01 2022 TLS Error: TLS handshake failed

Tue Jan 25 18:19:01 2022 SIGUSR1[soft,tls-error] received, process restarting
Tue Jan 25 18:19:01 2022 MANAGEMENT: >STATE:1643131141,RECONNECTING,tls-error,,,,,
Tue Jan 25 18:19:01 2022 Restart pause, 5 second(s)
Tue Jan 25 18:19:06 2022 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue Jan 25 18:19:06 2022 MANAGEMENT: >STATE:1643131146,RESOLVE,,,,,,
Server Configuration file:
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/vpn.crt
key /etc/openvpn/keys/vpn.key
dh /etc/openvpn/keys/dh1024.pem
server 172.17.0.0 255.255.0.0
ifconfig-pool-persist /etc/openvpn/log/ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /etc/openvpn/log/openvpn-status.log
verb 3
client-to-client
duplicate-cn
At the end: ca.crt and vpn.crt are expired.
cat vpn.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: ............
Validity
Not Before: Jan 27 10:09:19 2012 GMT
Not After : Jan 24 10:09:19 2022 GMT

At this point:
1) Is there a way to update certificate to all client, with remote workaround? I'm not able to go phisycally to this remote client devices. For example a directive in server configuration file that update client certificates?
2) I must renew/re-generate all certificate: client and server and update every client only with local connection to them?

User avatar
openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Openvpn Root CA Certificate expired

Post by openvpn_inc » Wed Jan 26, 2022 11:56 pm

aeinnovation wrote:
Wed Jan 26, 2022 8:45 am
Hi all,
I setup my openvpn server about a 10 years ago. It's setup on a Gentoo server.
Hi aei.

I feel your pain. I believe it was 2014 when I went through it.
aeinnovation wrote:
Wed Jan 26, 2022 8:45 am
(snip)

At the end: ca.crt and vpn.crt are expired.
cat vpn.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=IT, ST=CS, L=ZUMPANO, O=SOLAR2YOU, OU=SOLAR2YOU, CN=vpn/name=vpn/emailAddress=info@aiemonline.it
Validity
Not Before: Jan 27 10:09:19 2012 GMT
Not After : Jan 24 10:09:19 2022 GMT

At this point:
1) Is there a way to update certificate to all client, with remote workaround? I'm not able to go phisycally to this remote client devices. For example a directive in server configuration file that update client certificates?
2) I must renew/re-generate all certificate: client and server and update every client only with local connection to them?
At this point there really is no simple fix. If you catch it in enough time before expiration you can cross-sign with another CA. But once your only CA is gone, all your PKI is belong to us. Every client and server will need new certificates and the new CA certificate.

Also maybe before it expired, you could have used an --up script to have clients wget/curl their new CA cert, and if you saved the CSRs, their own new cert as well.

Maybe someone else will have more encouraging ideas? Unfortunately none here, you're sunk. :(

regards, rob0
Image OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

Post Reply