
Client Certificate had expired

Posted: Mon Jul 02, 2018 7:15 pm
by vinny2006
Help. I can't connect to my Asus Merlin OpenVPN setup anymore. After looking at the log file on my client PC I can see this line:

VERIFY ERROR: depth=1, error=certificate has expired

I have 4 files in my OpenVPN config folder:
-ca.crt
-client1.crt
-client1.key
-client1.ovpn


When I use notepad to open those 4 files up the only thing I can see is that in the client1.crt it has this:

Not Before: Jul 3 16:05:05 2008 GMT
Not After : Jul 1 16:05:05 2018 GMT


I tried just changing the date on the "Not After" to 2019 but that did not work.

I tried searching the forum but didn't see much on this. Anyone have any step by step instructions on how I can correct this?

I have about 10 clients connecting using this so if I can correct client1 then I can correct the rest.

Thanks.

Vinny

Re: Client Certificate had expired

Posted: Mon Jul 02, 2018 8:38 pm
by TinCanTech
vinny2006 wrote:
Mon Jul 02, 2018 7:15 pm
I tried just changing the date on the "Not After" to 2019 but that did not work.

Good !

It is a cryptographically secured certificate and would not be much use if you could edit it with notepad ..

You need to generate a new certificate .. you may need to create an entirely new CA if your 10 years have expired.

If you have to create a new CA start here:
https://github.com/OpenVPN/easy-rsa/releases
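
An added example, not part of the original thread: a shell check that reports which certificates in an OpenVPN config folder have expired or are close to expiry. In the error above, depth=1 is the issuer of the peer's certificate (the CA in a single-level easy-rsa setup), so ca.crt needs checking as well as client1.crt. The function names, the folder argument and the 30-day warning window are assumptions.

```shell
#!/bin/sh
# Added example: check certificate expiry in an OpenVPN config folder.
# File names follow the thread (ca.crt, client1.crt); WARN_DAYS is an assumption.

WARN_DAYS=${WARN_DAYS:-30}

# cert_status FILE -> prints "unreadable", "expired", "expiring" or "ok".
# openssl reads only the signed PEM block, so the human-readable "Not After"
# text that easy-rsa writes above it (and that notepad can edit) is ignored.
cert_status() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || { echo unreadable; return; }
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$1" -noout \
            -checkend $((WARN_DAYS * 86400)) >/dev/null 2>&1; then
        echo expiring
    else
        echo ok
    fi
}

# check_dir DIR -> one line per *.crt file; returns 1 if any is not "ok".
check_dir() {
    dir=$1
    rc=0
    for f in "$dir"/*.crt; do
        [ -f "$f" ] || continue
        st=$(cert_status "$f")
        end=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null) \
            || end="notAfter=unknown"
        printf '%-10s %s (%s)\n' "$st" "$f" "${end#notAfter=}"
        [ "$st" = ok ] || rc=1
    done
    return $rc
}

# Usage: sh check-certs.sh /path/to/openvpn/config
if [ "$#" -gt 0 ]; then
    check_dir "$1"
fi
```

If ca.crt is reported as expired, reissuing client1.crt from the same CA will not clear the depth=1 error; the CA itself has to be replaced.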

Re: Client Certificate had expired

Posted: Mon Jul 02, 2018 8:59 pm
by vinny2006
LOL. Thanks. Yeah, I didn't think it would do anything by changing that but then I thought it was worth a shot anyways.

I haven't worked on this since I guess 10 years ago so I'm very rusty on it but sounds like I may have to recreate everything from scratch. Do you know if I have the option to create user passwords for accounts? Meaning the client would have to enter a unique username/password in order to connect? Right now they just have to right click and connect then they're in.

Re: Client Certificate had expired

Posted: Mon Jul 02, 2018 9:43 pm
by TinCanTech
vinny2006 wrote:
Mon Jul 02, 2018 8:59 pm
I haven't worked on this since I guess 10 years ago so I'm very rusty

:D OK .. you will probably want to start with the HOWTO: For OpenVPN Community Edition -- I have it open almost every day.

vinny2006 wrote:
Mon Jul 02, 2018 8:59 pm
Do you know if I have the option to create user passwords for accounts?

Sure 8-)

It's all in the howto, this is the section for you:
https://openvpn.net/index.php/open-sour ... .html#auth

Also, the new openvpn-GUI for Windows is more versatile than before.
(Included with Openvpn installers .. but not for WinXP )

Re: Client Certificate had expired

Posted: Wed Jul 04, 2018 12:51 am
by vinny2006
Thanks a lot. I will look thru these. Happy 4th.

Re: Client Certificate had expired

Posted: Wed Jul 04, 2018 1:44 pm
by vinny2006
TinCanTech, I was able to redo everything. I run an Asus RT-N66U with Merlin. I was able to connect to the office LAN just fine and can see the NAS device on the LAN. However, when I connected there was 1 line with an error. I was able to correct the other errors like comp-lzo and cipher. But not sure how to correct this error below or whether it is anything to worry about:

Wed Jul 04 09:32:47 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this

Also, the password link you sent me above is a little confusing. Do you know of a link of a step by step setup? Basically I just want the clients to have to enter a username and password before the clientx.ovpn connects. This way if their laptop is stolen no one can just connect to the office LAN. And when the employee is no longer there I can just maybe change the password for that clientx.ovpn. Even better if when the clientx connects the first time it forces them to create a username and password of their choice.

Thanks.

Re: Client Certificate had expired

Posted: Wed Jul 04, 2018 7:00 pm
by TinCanTech
vinny2006 wrote:
Wed Jul 04, 2018 1:44 pm
But not sure how to correct this error below or whether it is anything to worry about:

Wed Jul 04 09:32:47 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this

See --auth-nocache in The Manual v24x

vinny2006 wrote:
Wed Jul 04, 2018 1:44 pm
I just want the clients to have to enter a username and password before the clientx.ovpn connects

All depends on what the clients use to connect .. if it is Windows use the openvpn-GUI

Re: Client Certificate had expired

Posted: Thu Jul 05, 2018 11:41 am
by vinny2006
They are using the Windows Openvpn GUI now but that just simply connects them right in. I'm looking to make it so that when they launch the GUI they have to enter a username and PW before it connects.