Help! Internal openVPN 10 year cert - has expired. No clients can connect. Can't find the cert

iandarke
OpenVpn Newbie
Posts: 9
Joined: Mon Aug 10, 2015 6:26 pm

Help! Internal openVPN 10 year cert - has expired. No clients can connect. Can't find the cert

Post by iandarke » Mon Aug 17, 2020 3:29 am

OpenVPN access server appliance (cluster configuration) v2.8.5

This is the error message in OpenVPN logs:


Sun Aug 16 18:33:21 2020 Sun Aug 16 18:33:21 2020 VERIFY FAIL -- The certificate validity has expired : depth=1
[redacted]
issuer name       : CN=OpenVPN CA
subject name      : CN=OpenVPN CA
issued  on        : 2010-08-12 22:35:13
expires on        : 2020-08-16 22:35:13

Sun Aug 16 18:33:21 2020 Sun Aug 16 18:33:21 2020 VERIFY FAIL -- The certificate validity has expired : depth=0
[redacted]
issuer name       : CN=OpenVPN CA
subject name      : CN=OpenVPN Server
issued  on        : 2010-08-12 22:35:13
expires on        : 2020-08-16 22:35:13
This is the certificate used by the VPN itself, not the web server, and is used to sign all of the client certificates.

I found some instructions based upon generating a new certificate from the old key, but the files that are in:

/usr/local/openvpn_as/etc/web-ssl

don't seem to be the ones that are being returned to the clients.


>  openssl x509 -noout -text -in ca.crt.old

Certificate:
  [redacted]
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=OpenVPN Web CA 2018.11.16 12:16:59 PST openvpnas2
        Validity
            Not Before: Nov  9 20:16:59 2018 GMT
            Not After : Nov 13 20:16:59 2028 GMT
I tried updating the ca.crt in this location (even though it didn't match the dates that I was seeing in the client log file) and nothing seems to have changed.

I do see that the certificate that is returned in a client.ovpn is the old/expired version.

I've been googling for well over an hour to no avail. I have a lot of people who aren't going to be able to work tomorrow morning.

Any assistance would be appreciated.

Where is this expired certificate located? How do I retrieve and then replace it? (I think I understand the process of how to update it once I can actually get it)
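As an added example (not from the thread or from OpenVPN Inc.), a small Python script that turns the VERIFY FAIL block quoted above into structured records, so monitoring can tell an expired CA (depth=1) apart from an expired server certificate (depth=0); the sample log is constructed to mirror the one in the post.

```python
import re
from datetime import datetime

# Constructed sample log, mirroring the VERIFY FAIL block quoted in the post.
SAMPLE_LOG = """\
Sun Aug 16 18:33:21 2020 Sun Aug 16 18:33:21 2020 VERIFY FAIL -- The certificate validity has expired : depth=1
issuer name       : CN=OpenVPN CA
subject name      : CN=OpenVPN CA
issued  on        : 2010-08-12 22:35:13
expires on        : 2020-08-16 22:35:13

Sun Aug 16 18:33:21 2020 Sun Aug 16 18:33:21 2020 VERIFY FAIL -- The certificate validity has expired : depth=0
issuer name       : CN=OpenVPN CA
subject name      : CN=OpenVPN Server
issued  on        : 2010-08-12 22:35:13
expires on        : 2020-08-16 22:35:13
"""

# OpenVPN prefixes the line with its local timestamp (twice here: once from
# the log writer, once from the daemon); the depth tells us where in the chain
# the failing certificate sits.
VERIFY_FAIL = re.compile(
    r"^(?P<seen>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}).*"
    r"VERIFY FAIL -- (?P<reason>.+?) : depth=(?P<depth>\d+)$"
)
FIELD = re.compile(r"^(issuer name|subject name|issued\s+on|expires on)\s*:\s*(.+)$")


def parse_verify_failures(log_text):
    """Group each VERIFY FAIL line with the detail lines that follow it."""
    records, current = [], None
    for line in log_text.splitlines():
        m = VERIFY_FAIL.match(line)
        if m:
            current = {
                "seen": datetime.strptime(m.group("seen"), "%a %b %d %H:%M:%S %Y"),
                "reason": m.group("reason"),
                "depth": int(m.group("depth")),
            }
            records.append(current)
            continue
        f = FIELD.match(line.strip())
        if f and current is not None:
            # "issued  on" -> "issued_on", "subject name" -> "subject_name", ...
            current[re.sub(r"\s+", "_", f.group(1))] = f.group(2).strip()
    return records


def expired_subjects(log_text):
    """Map each subject the log reports as expired to its role in the chain.

    depth=0 is the end-entity (server) certificate; anything deeper is an issuer.
    Note: "expires on" is the certificate's UTC notAfter while the log
    timestamp is local time, so the two are not compared directly here."""
    result = {}
    for r in parse_verify_failures(log_text):
        if "expired" in r["reason"] and "subject_name" in r:
            result[r["subject_name"]] = "CA" if r["depth"] > 0 else "end-entity (server)"
    return result
```

Run it against the real log instead of SAMPLE_LOG to get a per-subject list of what must be re-issued; in the post's case both the CA and the server certificate come back, which is why re-signing only the CA was not enough.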

iandarke
OpenVpn Newbie
Posts: 9
Joined: Mon Aug 10, 2015 6:26 pm

Re: Help! Internal openVPN 10 year cert - has expired. No clients can connect. Can't find the cert

Post by iandarke » Mon Aug 17, 2020 5:36 am

I found the certificate in certs.db

sqlite3 ../etc/db/certs.db
select cert,priv_key from certificates where common_name = 'OpenVPN CA';

Then I created a ca.crt and ca.key file from the select statement above and ran:

openssl x509 -in ca.crt -days 36500 -out ca.crt.new -signkey ca.key

I then took the contents of ca.crt.new and made that into an update statement:

update certificates set cert='-----BEGIN CERTIFICATE-----
[REDACTED]
-----END CERTIFICATE-----
' where common_name='OpenVPN CA';

I restarted services with

./sacli stop
./sacli start

And tried reconnecting from a client. The CA cert is no longer showing as expired, but the “CN=OpenVPN Server” cert still is. Now I need to figure out how to update that certificate.

novaflash
OpenVPN Inc.
Posts: 1064
Joined: Fri Apr 13, 2012 8:43 pm

Re: Help! Internal openVPN 10 year cert - has expired. No clients can connect. Can't find the cert

Post by novaflash » Tue Sep 01, 2020 10:32 pm

With an expired certificate PKI it would be recommended to reinitialize all the certificates using:
cd /usr/local/openvpn_as/scripts/
./sa init

This leaves all other settings intact but resets your certificate infrastructure. All VPN clients will need new client profiles with updated certificates.

It is worth noting that after 10 years, most likely the certificates you are using are only at 1024 bits, which is deprecated now. Using sa init on a modern AS will do 2048 bits by default, but you can use --key-size= to specify 4096 as well if you really wanted to (not recommended at this time).

iandarke
OpenVpn Newbie
Posts: 9
Joined: Mon Aug 10, 2015 6:26 pm

Re: Help! Internal openVPN 10 year cert - has expired. No clients can connect. Can't find the cert

Post by iandarke » Tue Sep 01, 2020 10:34 pm

We backed up the databases, ran the openvpn full ovpn-init script and then restored all of the databases except the certificates -- this seemed to have done the job.

It sounds like we could have saved a few steps w/ just the "init" script as you described.

novaflash
OpenVPN Inc.
Posts: 1064
Joined: Fri Apr 13, 2012 8:43 pm

Re: Help! Internal openVPN 10 year cert - has expired. No clients can connect. Can't find the cert

Post by novaflash » Tue Sep 01, 2020 10:39 pm

What you did also achieves the same goal - AS will then run that call internally to set up a new certs database. Same thing, different way to get there :-)

iandarke
OpenVpn Newbie
Posts: 9
Joined: Mon Aug 10, 2015 6:26 pm

Re: Help! Internal openVPN 10 year cert - has expired. No clients can connect. Can't find the cert

Post by iandarke » Tue Sep 01, 2020 10:42 pm

I know that future versions of the system are going to handle this better, but it would have been really nice if OTRS warned us when certificates were going to expire. I have nagios monitoring the openvpn web interface's certificate, but it can't monitor the VPN certificates (CA or the individual ones issued). Fortunately for us, by the next time we hit the 10 year mark, this hopefully won't be an issue :)
