Cannot delete CA if only one CA exists. (9000)

hopa
OpenVpn Newbie
Posts: 3
Joined: Wed Mar 16, 2022 11:11 am

Cannot delete CA if only one CA exists. (9000)

Post by hopa » Tue Mar 29, 2022 11:18 am

Hi,

After restoring a backup as described in https://openvpn.net/vpn-server-resource ... tallation/ I have two CAs in CA Management:
  • 1. "Current CA"
  • 2. "Old CA"
All user profiles (over 500) are bound to the second CA ("Old CA").
Could anybody tell me how to remove the "Current CA" and set the "Old CA" as the active CA?
Trying to delete the "Current CA" results in:

AUTHRPC_EXCEPT: Cannot delete CA if only one CA exists. (9000)
Nobody could log in because of certificate errors.

Thanks in advance,
Pat

openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: Cannot delete CA if only one CA exists. (9000)

Post by openvpn_inc » Tue Mar 29, 2022 12:20 pm

Hello hopa,

OpenVPN Access Server as of version 2.9 is designed to support multiple CAs at the same time. This is done automatically to ensure things will work correctly as time passes and certificate lifetimes can become an issue. Certificates bound to the old CA will also work with the new CA. Access Server will automatically generate a new CA if the current CA is a year or older. Even if you were able to delete the new CA, if the current CA is older than a year, a new one would be created again at the next startup of Access Server.

When I test here on OpenVPN Access Server and I have 2 CAs, I can delete the newest one just fine. But of course I cannot delete the last one, for obvious reasons, and that is the only time I get to see the message you posted. So to answer your question: you can remove the new CA by going to the Admin UI and then to the CA Management page and removing the CA you want to remove right there.

My advice is not to remove CAs that were added automatically by Access Server, unless something is wrong with those certs, such as being expired, using the wrong algorithm, or having been accidentally added. If you have an old CA that all your client certificates are bound to, and this old CA is not yet expired, and you have a new CA present as well, then this seems to be the expected situation. Clients using certificates from old CAs should still be able to connect just fine. And any new certificates will be tied to the new CA and will work alongside the old ones.

I am not sure what cert errors you're getting; perhaps you could explain these in more detail. Just to be sure: are you running the same or a higher version of Access Server than the previous installation you copied the configuration from was running? If you were to take a newer config and run it on an older Access Server, that might cause problems, especially if the older Access Server doesn't even know how to run multiple CAs (like version 2.8.5 or such).

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

hopa
OpenVpn Newbie
Posts: 3
Joined: Wed Mar 16, 2022 11:11 am

Re: Cannot delete CA if only one CA exists. (9000)

Post by hopa » Tue Mar 29, 2022 12:51 pm

Hi Johan,
thank you for your fast answer.

I got the following message when trying to delete the Current CA. The backup files are from a server running the very old version 2.7.5:
https://ibb.co/KN9mvfN

Best,
Pat

openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: Cannot delete CA if only one CA exists. (9000)

Post by openvpn_inc » Wed Mar 30, 2022 11:39 am

Hi hopa/pat,

Don't delete any CA. Leave it as it is. From what I can see it is functioning as it should be. Even if you delete the top CA, it will just come right back after a restart of Access Server. However it is odd that you are getting that error message, I cannot explain that. Perhaps something in the backup/restore process went wrong.

Even with the new CA in place, the connections using the old CA should be working. If they are not, as you say, then please provide logs to our support ticket system at https://openvpn.net/support explaining your problem, so we can look into it further. Then we are probably dealing with some unique backup/restore problem with the certificates and that will need to be investigated and resolved.

If you insist on not dealing with the new CA management, you can also take your backup and restore it on a 2.7.5 Access Server; that version is still available in our software repository if you use apt to grab an older version. Note that you cannot roll back from 2.10 or 2.9 to an older version. So you'd need your original backup from 2.7.5 and restore it on 2.7.5. Then you can keep running with just one CA. But I should warn you that if you do follow this path of sticking with the old version, it will all stop working in about 3 years from now when the old CA expires. And then you'll be forced to do a complete reset of all your installed VPN clients all at once. It shows in your screenshot that the old CA will expire 3 years from now. At that time all of those 500 installed clients will stop working altogether.

The proper path forward is to use the latest version of Access Server, with the new CA. Over time in the next 3 years, as people need to do a reinstall or buy a new laptop or phone and need to reimport a profile, they will get those from the Access Server on the new CA. Then they are good for about 9 to 10 years again with the new profiles. And then eventually, after 3 years, if there are people still using the old CA, they can be contacted (you can see when a profile was last used) and told to get their new profiles. This would be a much more preferable scenario than sticking with an older Access Server with known security issues and bugs, all just so you can keep working with one old CA, and with everything ceasing to work 3 years from now.

Kind regards,
Johan
OpenVPN Inc.
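The two replies above describe why a server trusts more than one CA at once and why the old-CA profiles stop working the day the old CA expires. The following script is an added example written for this page; it is not code from the forum thread, from OpenVPN Inc. or from Access Server. It builds a throwaway "Old CA" (about 3 years of lifetime), a "New CA" (about 10 years) and one inline client profile issued by the old CA, then uses plain openssl to answer the three questions an admin with 500 profiles would ask: which CA is a given .ovpn bound to, does it still verify against each trust store, and how many days the old CA has left. The CA names, the 1095/3650-day lifetimes, the temporary paths and the `vpn.example.com` remote are all constructed for the example. The bundle `trusted-cas.crt` stands in for a server that keeps both CAs trusted; verifying the same profile against only the new CA shows what breaks if the old CA is dropped.

```shell
#!/bin/sh
# Added example (not from the forum thread or OpenVPN Inc.): inventory which CA
# an inline .ovpn profile's client certificate chains to, and check how long
# the issuing CA remains valid. Needs only openssl and POSIX sed/printf.
# Every name, path and lifetime here is constructed for the demonstration.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Print only the PEM inside the <cert>...</cert> block of an inline profile.
profile_cert() {
    sed -n '/<cert>/,/<\/cert>/p' "$1" | sed '1d;$d'
}

# Issuer CN of the client certificate embedded in a profile, e.g. "Old CA".
profile_issuer_cn() {
    profile_cert "$1" | openssl x509 -noout -issuer -nameopt RFC2253 \
        | sed 's/^issuer=//; s/^CN=//'
}

# Exit 0 if the profile's client cert chains to a CA in the given PEM bundle.
profile_verifies_against() {   # $1 = CA bundle file, $2 = profile
    profile_cert "$2" > "$WORK/check.pem"
    openssl verify -CAfile "$1" "$WORK/check.pem" >/dev/null 2>&1
}

# Exit 0 if the certificate in $1 is still valid $2 days from now.
ca_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# --- constructed fixture: two self-signed CAs, one client cert from the old CA ---
make_ca() {   # $1 = output basename, $2 = CN, $3 = lifetime in days
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}
make_ca old-ca "Old CA" 1095     # roughly the 3 years left in the thread
make_ca new-ca "New CA" 3650     # the freshly generated CA

openssl req -new -newkey rsa:2048 -nodes -subj "/CN=pat" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/old-ca.crt" \
    -CAkey "$WORK/old-ca.key" -CAcreateserial -days 1095 \
    -out "$WORK/client.crt" 2>/dev/null

# Inline-style profile with <ca>, <cert> and <key> blocks, as clients receive it.
{
    printf 'client\nremote vpn.example.com 1194\n<ca>\n'
    cat "$WORK/old-ca.crt"
    printf '</ca>\n<cert>\n'
    cat "$WORK/client.crt"
    printf '</cert>\n<key>\n'
    cat "$WORK/client.key"
    printf '</key>\n'
} > "$WORK/client.ovpn"

# Server-side trust store holding both CAs: this is what keeps old profiles working.
cat "$WORK/old-ca.crt" "$WORK/new-ca.crt" > "$WORK/trusted-cas.crt"

# --- report ---
echo "profile issued by: $(profile_issuer_cn "$WORK/client.ovpn")"
for bundle in old-ca new-ca trusted-cas; do
    if profile_verifies_against "$WORK/$bundle.crt" "$WORK/client.ovpn"; then
        echo "verifies against $bundle.crt: yes"
    else
        echo "verifies against $bundle.crt: NO"
    fi
done
for days in 730 1460; do
    if ca_valid_for_days "$WORK/old-ca.crt" "$days"; then
        echo "old CA still valid in $days days: yes"
    else
        echo "old CA still valid in $days days: NO (profiles on it stop working)"
    fi
done
```

Run it as `sh inventory.sh` (or point `profile_issuer_cn` and `ca_valid_for_days` at real profiles and the exported CA certificate); the loop over 730 and 1460 days is the check to schedule as a reminder so that the old-CA holders are contacted before the CA itself expires rather than after.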
