[Solved]Expired CA - clients can't connect

Scripts to manage certificates or generate config files

Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech

Locked
draga
OpenVpn Newbie
Posts: 1
Joined: Thu Apr 16, 2015 9:02 pm

[Solved]Expired CA - clients can't connect

Post by draga » Thu Apr 16, 2015 9:05 pm

Hello,
I've been using OpenVPN for more than 10 years, but something has happened today: my CA has expired, so clients can't connect anymore.
I haven't any kind of access to some of them, so I badly need them to reconnect to the server.
I've tried this: http://serverfault.com/questions/306345 ... nd-renewal
But it doesn't seem to work.

Any idea? Thank you in advance.
Last edited by ecrist on Sat Jan 14, 2017 2:27 am, edited 1 time in total.
Reason: Sticky post - excellent answer useful to many.

User avatar
Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Expired CA - clients can't connect

Post by Traffic » Fri Apr 17, 2015 12:25 pm

draga wrote:my CA has expired
Your server certificate has expired so you need to create and distribute a new server certificate ..
draga wrote:I've tried this: http://serverfault.com/questions/306345 ... nd-renewal
But it doesn't seem to work.
I am sure it does work ..
Server Fault wrote:Awesome reply, thanks! So all hope is not lost, and I will only have to upload the new root cert to all clients ..

User avatar
Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Expired CA - clients can't connect

Post by Traffic » Fri Apr 17, 2015 4:03 pm

Traffic wrote:Your server certificate has expired so you need to create and distribute a new server certificate ..
woops .. please excuse me .. your ca.crt has expired ..
you need to create and distribute a new ca.crt ..
I am looking into how to do this.

User avatar
maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece
Contact:

Re: Expired CA - clients can't connect

Post by maikcat » Fri Apr 17, 2015 4:48 pm

if you create a new ca.crt signed by your existing ca.key
then existing certs are validated against the new ca.crt.

i did checked how to create the new ca.crt and sign it with the existing ca.key
but i didnt had time to use it via openvpn...

Michael.

User avatar
Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Expired CA - clients can't connect

Post by Traffic » Sun Apr 19, 2015 12:08 am

Using this information:
http://serverfault.com/questions/306345 ... nd-renewal

does not generate a ca.crt with suitable details .. like CA:TRUE

EG:

Working ca.crt:

Code: Select all

root@deb-760-live:/etc/openvpn/test2048# openssl x509 -noout -text -in ca.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            f8:24:ad:4c:5c:6d:ed:d3
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=UK, ST=00, L=London, O=OpenVPN, OU=TEST, CN=test2048/name=EasyRSA/emailAddress=me@myhost.mydomain
        Validity
            Not Before: Jan 10 14:24:22 2015 GMT
            Not After : Jan  7 14:24:22 2025 GMT
        Subject: C=UK, ST=00, L=London, O=OpenVPN, OU=TEST, CN=test2048/name=EasyRSA/emailAddress=me@myhost.mydomain
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:..

                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                E2:B9:C6:8D:D7:D3:C8:40:2C:D4:EA:F4:CB:8C:09:35:46:3C:06:22
            X509v3 Authority Key Identifier:
                keyid:E2:B9:C6:8D:D7:D3:C8:40:2C:D4:EA:F4:CB:8C:09:35:46:3C:06:22
                DirName:/C=UK/ST=00/L=London/O=OpenVPN/OU=TEST/CN=test2048/name=EasyRSA/emailAddress=me@myhost.mydomain
                serial:F8:24:AD:4C:5C:6D:ED:D3

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         37:..
New (incompatible) ca.crt:

Code: Select all

root@deb-760-live:/etc/openvpn/test2048# openssl x509 -noout -text -in newca.crt
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            aa:ce:09:77:f5:f9:21:5c
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=UK, ST=00, L=London, O=OpenVPN, OU=TEST, CN=test2048/emailAddress=me@myhost.mydomain
        Validity
            Not Before: Apr 18 14:29:53 2015 GMT
            Not After : Feb 16 08:01:37 1979 GMT
        Subject: C=UK, ST=00, L=London, O=OpenVPN, OU=TEST, CN=test2048/emailAddress=me@myhost.mydomain
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:..

                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         92:..
I have tried to pick apart easy-rsa: build-ca and pkitool and openssl-1.0.0.cnf but came up with nothing.

Any further advice would be highly appreciated :D

User avatar
maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece
Contact:

Re: Expired CA - clients can't connect

Post by maikcat » Mon Apr 20, 2015 6:34 am

ok, here is what i tested and it seems to work...

assuming that ca.crt & ca.key is your CA related files and you have a client cert named test.crt and test.key

after that i run:

Code: Select all

openssl x509 -in ca.crt -days 36500 -out ca_new.crt -signkey ca.key
this creates a new file ca_new.crt which is signed by your EXISTING ca.key

if you check the contents of ca_new.crt it is important that modulus section in both
ca files is the same...

now checking the existing test.crt against the net ca must gives OK

Code: Select all

openssl verify -CAfile ca_new.crt test.crt
test.crt: OK
after that i change my openvpn config (the ca directive) to point to the new ca file,
testing by using the existing test.crt cert i can connect fine....

Please check it and see if this works...

Michael.

User avatar
Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Expired CA - clients can't connect

Post by Traffic » Mon Apr 20, 2015 12:36 pm

Thanks Michael .. that worked fine 8-)
man x509 wrote:SIGNING OPTIONS
  • The x509 utility can be used to sign certificates and requests: it can thus behave like a "mini CA".

    -signkey filename
    • this option causes the input file to be self signed using the supplied private key.

      If the input file is a certificate it sets the issuer name to the subject name (i.e. makes it self signed) changes the public key to the supplied value and changes the start and end dates. The start date is set to the current time and the end date is set to a value determined by the -days option. Any certificate extensions are retained unless the -clrext option is supplied.
Candidate for "sticky" in cert config management/easyrsa :geek:

Locked