Help! Internal openVPN 10 year cert - has expired. No clients can connect. Can't find the cert

[iandarke]

OpenVPN access server appliance (cluster configuration) v2.8.5

This is the error message in OpenVPN logs:

Code: Select all

Sun Aug 16 18:33:21 2020 Sun Aug 16 18:33:21 2020 VERIFY FAIL -- The certificate validity has expired : depth=1
[redacted]
issuer name       : CN=OpenVPN CA
subject name      : CN=OpenVPN CA
issued  on        : 2010-08-12 22:35:13
expires on        : 2020-08-16 22:35:13

Sun Aug 16 18:33:21 2020 Sun Aug 16 18:33:21 2020 VERIFY FAIL -- The certificate validity has expired : depth=0
[redacted]issuer name       : CN=OpenVPN CA
subject name      : CN=OpenVPN Server
issued  on        : 2010-08-12 22:35:13
expires on        : 2020-08-16 22:35:13

This is the certificate used by the VPN itself not the web server and is used to sign all of the client certificates.

I found some instructions based upon generating a new certificate from the old key, but the files that are in:

/usr/local/openvpn_as/etc/web-ssl

Don't seem to be the ones that are being returned to the clients.

Code: Select all

>  openssl x509 -noout -text -in ca.crt.old

Certificate:
  [redacted]
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=OpenVPN Web CA 2018.11.16 12:16:59 PST openvpnas2
        Validity
            Not Before: Nov  9 20:16:59 2018 GMT
            Not After : Nov 13 20:16:59 2028 GMT

I tried updating the ca.crt in this location (even though it didn't match the dates that I was seeing in the client log file) and nothing seems to have changed.

I do see that the certificate that is returned in a client.ovpn is the old/expired version.

I've been googling for well over an hour to no avail. I have a lot of people who aren't going to be able to work tomorrow morning.

Any assistance would be appreciated.

Where is this expired certificate located? How do I retrieve and then replace it? (I think I understand the process of how to update it once I can actually get it)

[iandarke]

I found the certificate in certs.db

sqlite3 ../etc/db/certs.db
select cert,priv_key from certificates where common_name = 'OpenVPN CA';

then I create a ca.crt and ca.key file from the select statement above and then ran:

openssl x509 -in ca.crt -days 36500 -out ca.crt.new -signkey ca.key

I then took the contents of ca.crt.new and made that into an update statement

update certificates set cert='-----BEGIN CERTIFICATE-----
[REDACTED]
-----END CERTIFICATE-----
' where common_name='OpenVPN CA';

I restarted services with

./sacli stop
./sacli start

And tried reconnecting from a client. The CA cert is no longer showing as expired, but the “CN=OpenVPN Server” cert still is. Now I need to figure out how to update that certificate.

[novaflash]

With an expired certificate PKI it would be recommend to reinitialize all the certificates using:
cd /usr/local/openvpn_as/scripts/
./sa init

This leaves all other settings intact but resets your certificate infrastructure. All VPN clients will need new client profiles with updated certificates.

It is worth noting that after 10 years, most likely the certificates you are using at only at 1024 bits which is deprecated now. Using sa init on a modern AS will do 2048 bits by default, but you can use --key-size= to specify 4096 as well if you really wanted to (not recommended at this time).

[iandarke]

We backed up the databases, ran the openvpn full ovpn-init script and then restored all of the databases except the certificates -- this seemed to have done the job.

It sounds like we could have saved a few steps w/ just the "init" script as you described.

[novaflash]

What you did also achieves the same goal - AS will then run that call internally to set up a new certs database. Same thing, different way to get there

[iandarke]

I know that future versions of the system are going to handle this better, but it would have been really nice if OTRS warned us when certificates were going to expire. I have nagios monitoring the openvpn web interface's certificate, but it can't monitor the VPN certificates (CA or the individual ones issued). Fortunately for us, by the next time we hit the 10 year mark, this hopefully won't be an issue

[Scryden]

I am having the exact same problem. The CA certificate expired yesterday and nobody is able to connect to the VPN anymore. I have also been googling for well over an hour and there is no clear step-by-step procedure to be found. Not everyone is an expert at this stuff and just knows what to do. Could you please describe step by step what I need to do to renew this CA certificate? I issued the query in sqlite3 against the certs.db and it returns the BEGIN and END of the certificate and the private key used, and I then created a crt and key file as described earlier in this thread. Then I created a new crt file using the OpenSSL command and updated the value in the certs.db and restarted the services with sacli. When I now connect to the VPN as a client I still get the old SSL certificate that is expired but the CA cert if now valid again.

I then tried the ./sa init command but after that the client VPN connection attempt now results in NETWORK_EOF_ERROR when trying to connect. I'm at a loss here.

If someone could guide me step by step what to do that would be highly appreciated.

[Scryden]

I am having the exact same problem. The CA certificate expired yesterday and nobody is able to connect to the VPN anymore. I have also been googling for well over an hour and there is no clear step-by-step procedure to be found. Not everyone is an expert at this stuff and just knows what to do. Could you please describe step by step what I need to do to renew this CA certificate? I issued the query in sqlite3 against the certs.db and it returns the BEGIN and END of the certificate and the private key used, and I then created a crt and key file as described earlier in this thread. Then I created a new crt file using the OpenSSL command and updated the value in the certs.db and restarted the services with sacli. When I now connect to the VPN as a client I still get the old SSL certificate that is expired but the CA cert if now valid again.

I then tried the ./sa init command but after that the client VPN connection attempt now results in NETWORK_EOF_ERROR when trying to connect. I'm at a loss here.

If someone could guide me step by step what to do that would be highly appreciated.

My issue is fixed. I went the same route of backing up all databases, running the ovpn-init script in /usr/local/openvpn_as/bin/ and then restoring all databases except the certs.db. This resolves the issue for another 10 years. You do have to login to admin UI and reconfigure some of your settings like which subnets should be accessible through the VPN server. It loses those settings after this procedure.

[j.masson@mertz.fr]

Same problem here...
I was installing the latest Openvpn Appliance after 2 days of research for this problem when i find this post.

Thanks to Novaflash with the command "./sa init"
you just saved my 10 perpetuals licences on my 1.8.4 box.

have all an happy new year !