It's been 10 years since OpenVPN went live on the server. I have more than 100 users and the main CA and server cert have expired. Is there any way to extend them without sending out a new configuration to users?
My server system: Debian 9.13
Code:
dev tun0
local XX.XXX.XXX.XXX
tun-mtu 1500
inactive 7200
server 1XX.XX.0.0 255.255.128.0
port 1194
proto udp
management localhost 7505
comp-lzo
crl-verify /etc/openvpn/pki_users/keys/crl.pem
dh /etc/openvpn/pki_users/keys/dh2048.pem
ca /etc/openvpn/pki_users/keys/ca.crt
cert /etc/openvpn/pki_users/keys/router.crt
key /etc/openvpn/pki_users/keys/router.key
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/users_ldap.conf
log-append /var/log/openvpn/openvpn-users.log
Log OpenVPN Client
Tue Feb 14 09:19:20 2023 VERIFY ERROR: depth=1, error=certificate has expired: C=PL, ST=Mazowieckie, L=Warszawa, O=MYCOMPANY, OU=IT, CN=MYCOMPANY CA, emailAddress=admins@MYCOMPANY.pl
Tue Feb 14 09:19:20 2023 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Tue Feb 14 09:19:20 2023 TLS_ERROR: BIO read tls_read_plaintext error
Tue Feb 14 09:19:20 2023 TLS Error: TLS object -> incoming plaintext read error
Tue Feb 14 09:19:20 2023 TLS Error: TLS handshake failed
Server CA
Code:
openssl x509 -noout -text -in ca.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
d6:06:9c:28:6a:c9:b9:e8
Signature Algorithm: sha1WithRSAEncryption
Issuer: C = PL, ST = Mazowieckie, L = Warszawa, O = MYCOMPANY, OU = IT, CN = MYCOMPANY CA, emailAddress = admins@MYCOMPANY.pl
Validity
Not Before: Feb 13 10:49:36 2013 GMT
Not After : Feb 11 10:49:36 2023 GMT
Subject: C = PL, ST = Mazowieckie, L = Warszawa, O = MYCOMPANY, OU = IT, CN = MYCOMPANY CA, emailAddress = admins@MYCOMPANY.pl
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:e1:29:97:a7:df:68:02:4b:9f:1b:29:9a:e7:e9:
Code:
openssl x509 -noout -text -in router.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C = PL, ST = Mazowieckie, L = Warszawa, O = MYCOMPANY, OU = IT, CN = MYCOMPANY CA, emailAddress = admins@MYCOMPANY.pl
Validity
Not Before: Feb 13 10:49:55 2013 GMT
Not After : Feb 11 10:49:55 2023 GMT
Subject: C = PL, ST = Mazowieckie, L = Warszawa, O = MYCOMPANY, OU = IT, CN = router, emailAddress = admins@MYCOMPANY.pl
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b6:e5:56:a1:60:37:12:96:f6:43:59:01:ce:cd:
viewtopic.php?t=18671
Code:
openssl x509 -in ca.crt -days 3650 -out ca_new.crt -signkey ca.key
Code:
openssl x509 -in router.crt -days 3650 -out router_new.crt -signkey router.key
Do you have any ideas? Has anyone had success with this?
Thank you for your help
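The question above can be tried safely in a throwaway lab before touching the production PKI. The script below is an added example, not part of the original post: it runs the two `-signkey` commands from the post unchanged and checks what still verifies, using `openssl verify -attime` to simulate a date after expiry. The names `LAB CA`, `client1` and `router_reissued.crt` are assumptions made for the lab, and all keys are generated on the spot.

```shell
#!/bin/sh
# Throwaway lab PKI in a temp dir; constructed keys and names, not the poster's files.
set -e
cd "$(mktemp -d)"
q() { "$@" >/dev/null 2>&1; }              # run a command quietly

# Original PKI: CA and server cert live 1 day; one client cert outlives them.
q openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 1 -subj "/CN=LAB CA"
for n in router client1; do
  q openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" -out "$n.csr" -subj "/CN=$n"
done
q openssl x509 -req -in router.csr  -CA ca.crt -CAkey ca.key -CAcreateserial -days 1    -out router.crt
q openssl x509 -req -in client1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -out client1.crt

# The two commands from the post, unchanged.
q openssl x509 -in ca.crt     -days 3650 -out ca_new.crt     -signkey ca.key
q openssl x509 -in router.crt -days 3650 -out router_new.crt -signkey router.key

# Alternative for the server: same router.key, but signed by the renewed CA.
q openssl x509 -req -in router.csr -CA ca_new.crt -CAkey ca.key -CAcreateserial \
  -days 3650 -out router_reissued.crt

FUTURE=$(( $(date +%s) + 5 * 86400 ))      # a moment after the 1-day certs expired

# chains_to <ca-file> <cert>: does <cert> verify against <ca-file> at $FUTURE?
chains_to() { q openssl verify -attime "$FUTURE" -CAfile "$1" "$2"; }
report() {
  if chains_to "$1" "$2"; then echo "OK   $2 against $1"; else echo "FAIL $2 against $1"; fi
}

report ca.crt     client1.crt          # trust file still holds the expired CA
report ca_new.crt client1.crt          # renewed CA: same key and subject, new dates
report ca_new.crt router_new.crt       # -signkey turned the server cert self-signed
report ca_new.crt router_reissued.crt  # server cert signed by the renewed CA
```

Certificates issued earlier by the CA key keep verifying against `ca_new.crt`, so user keys and certificates do not have to be reissued. A peer whose `ca` file still contains the old `ca.crt` fails as in the first check, which is the depth=1 error in the client log.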