error=certificate has expired

Scripts to manage certificates or generate config files

Moderators: TinCanTech

rickyvaughn2
OpenVpn Newbie
Posts: 6
Joined: Tue Jun 21, 2022 10:26 pm

error=certificate has expired

Post by rickyvaughn2 » Tue Jun 21, 2022 10:31 pm

Tue Jun 21 17:27:05 2022 VERIFY ERROR: depth=0, error=certificate has expired: CN=server_abc, serial=123

I understand that there is something that expires around 10 years but this install is only 3 years old.

I created all keys at one time. All are getting the same error implying that the certificate has expired. If I create a new key, it has the same error. ALL of these systems that connect to this VPN are remote and unmanned. Is there anything I can do on the server that can fix this?

The whole error when I try to use the new key (same error on the old keys)
Tue Jun 21 17:29:51 2022 VERIFY ERROR: depth=0, error=certificate has expired: CN=server_abc, serial=123
Tue Jun 21 17:29:51 2022 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Tue Jun 21 17:29:51 2022 TLS_ERROR: BIO read tls_read_plaintext error
Tue Jun 21 17:29:51 2022 TLS Error: TLS object -> incoming plaintext read error
Tue Jun 21 17:29:51 2022 TLS Error: TLS handshake failed

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: error=certificate has expired

Post by TinCanTech » Tue Jun 21, 2022 10:42 pm

Your server certificate has expired but not your CA certificate, which means you can make a new server certificate and everything will be tickety-boo, until your next certificate expires.

You could try the all new Easy-RSA command `show-expire`, if you have the new Easy-RSA (git/master only)
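
Added example (not from the thread and not Easy-RSA's own code) of the situation described in the reply above: a server certificate that has expired under a CA that is still valid, and a replacement from the same CA that a peer trusting only the CA file accepts. It uses plain `openssl` on a throwaway CA; the file names, the `Demo CA` name and the 1-day and 825-day lifetimes are assumptions chosen for the demo.

```sh
#!/bin/sh
# Added example. Everything is constructed in a temp dir: a throwaway CA and a
# server CSR for the CN seen in the log. Nothing under /etc/openvpn is touched.
set -e
cd "$(mktemp -d)"

cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF

# CA valid for 10 years; assumed to be the only file the clients trust.
openssl req -x509 -config demo.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
  -subj "/CN=Demo CA" -days 3650 -keyout ca.key -out ca.crt 2>/dev/null
openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
  -subj "/CN=server_abc" -keyout server.key -out server.csr 2>/dev/null

# issue_server <days> <out.crt>: sign the server CSR with the demo CA.
issue_server() {
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days "$1" -extfile demo.cnf -extensions server -out "$2" 2>/dev/null
}

# verify_at <epoch> <cert>: what a peer trusting only ca.crt concludes at that time.
verify_at() {
  openssl verify -CAfile ca.crt -attime "$1" "$2" 2>&1 || true
}

# expires_within <seconds> <cert>: true (0) if the cert expires inside the window.
expires_within() {
  ! openssl x509 -checkend "$1" -noout -in "$2" >/dev/null
}

issue_server 1 old.crt      # short-lived stand-in for the expired server cert
issue_server 825 new.crt    # replacement issued by the same, unexpired CA
later=$(( $(date +%s) + 2 * 86400 ))   # evaluate the chain two days from now
verify_at "$later" old.crt  # error 10 at 0 depth lookup: certificate has expired
verify_at "$later" new.crt  # new.crt: OK
```

The `depth lookup` number in the `openssl verify` output corresponds to the `depth=0` in the OpenVPN log: depth 0 is the peer's own certificate, so the CA further up the chain is not the part that expired.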

rickyvaughn2
OpenVpn Newbie
Posts: 6
Joined: Tue Jun 21, 2022 10:26 pm

Re: error=certificate has expired

Post by rickyvaughn2 » Wed Jun 22, 2022 1:42 pm

Thank you for the reply :)

rickyvaughn2
OpenVpn Newbie
Posts: 6
Joined: Tue Jun 21, 2022 10:26 pm

Re: error=certificate has expired

Post by rickyvaughn2 » Wed Jun 22, 2022 2:35 pm

I really do not want to mess this up... I believe the cert is /etc/openvpn/server_abc.crt and the key is located at /etc/openvpn/server_abc.key

I ran the command: "openssl x509 -in certificate.crt -text -noout" and I see that it did expire on the 15th

I believe I need to do the following:
Export CSR from the expired certificate: "openssl x509 -x509toreq -in server.crt -signkey server.key -out new-server.csr"
Renew self-signed certificate: "openssl x509 -req -days 365 -in new-server.csr -signkey server.key -out new-server.crt"

Questions:
Can I go more than 365 days? (looks like it is limited to 398)
Will the new-server.crt need to overwrite the existing expired one?
Do these steps look correct to not wreck the existing connections to the VPN and get this back up?

I appreciate the help, this is not my primary skill set :|

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: error=certificate has expired

Post by TinCanTech » Wed Jun 22, 2022 5:07 pm

We support Easy-RSA.

rickyvaughn2
OpenVpn Newbie
Posts: 6
Joined: Tue Jun 21, 2022 10:26 pm

Re: error=certificate has expired

Post by rickyvaughn2 » Wed Jun 22, 2022 5:28 pm

lol, so I am doing this ALL wrong. Got it.

./easy-rsa renew /etc/openvpn/server.crt? (looks like no)

or this: "./easyrsa build-server-full serverName nopass"

If not, can you please point me in some direction?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: error=certificate has expired

Post by TinCanTech » Wed Jun 22, 2022 5:49 pm

Either of those will work but you need to use the new certificate and key in your server config file ..

At this time, I do not endorse the use of `easyrsa renew foo`
https://github.com/OpenVPN/easy-rsa/issues/609

rickyvaughn2
OpenVpn Newbie
Posts: 6
Joined: Tue Jun 21, 2022 10:26 pm

Re: error=certificate has expired

Post by rickyvaughn2 » Wed Jun 22, 2022 6:10 pm

I have no idea what I am doing and nothing is clear here. It seems I have to run init-pki, it is warning me that it is about to remove things. All this is fine?

To be clear, I am happy to pay for this to be done.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: error=certificate has expired

Post by TinCanTech » Wed Jun 22, 2022 7:24 pm

rickyvaughn2 wrote (Wed Jun 22, 2022 6:10 pm):
"I am happy to pay for this to be done."

I am available, tincantech at protonmail dot com

rickyvaughn2
OpenVpn Newbie
Posts: 6
Joined: Tue Jun 21, 2022 10:26 pm

Re: error=certificate has expired

Post by rickyvaughn2 » Wed Jun 22, 2022 8:14 pm

great!
email sent :)

sgnoff
OpenVpn Newbie
Posts: 3
Joined: Thu Feb 16, 2023 4:46 pm

Re: error=certificate has expired

Post by sgnoff » Thu Feb 16, 2023 4:53 pm

Hi TinCanTech!

I have the same issue as rickyvaughn2. After 10 years of using OpenVPN my certificates expired. So I got errors and cannot connect. I read through all the forum threads and the "how to" section, but as rickyvaughn2 says:

"I have no idea what I am doing and nothing is clear here. It seems I have to run init-pki, it is warning me that it is about to remove things. All this is fine?
To be clear, I am happy to pay for this to be done."

So please help me...

Dorian
OpenVpn Newbie
Posts: 6
Joined: Sat Jan 07, 2023 9:53 am

Re: error=certificate has expired

Post by Dorian » Sat Feb 18, 2023 8:24 am

There are many possibilities:

- You have a self-signed certificate

If that is the case, your server cert would contain only one:

```
-----BEGIN CERTIFICATE-----
blablabla
-----END CERTIFICATE-----
```

instead of 2 or 3. In this case, the command to run is:

```
openssl req -nodes -days 3650 -new -out cert.pem -keyout key.pem -x509
```

Wait for the private key to be created, then enter the information. You will then have cert.pem as a new certificate and key.pem as your server key for up to 10 years (you can change the days; it is recommended that expiration not exceed 3 years for a VPN). The previous one should be deleted. If it does not work, you have an issue with your openssl conf. Don't forget to protect them:

```
# certificate: owned by root, read-only for everyone, immutable
chown root:root cert.pem
chmod 444 cert.pem
chattr +i cert.pem
# private key: owned by root, readable by root only, immutable
chown root:root key.pem
chmod 400 key.pem
chattr +i key.pem
```

- You have a leaf certificate from an authoritative CA

Ask your authoritative CA to create a new cert.

- You have a leaf certificate from your own CA

Create a new certificate from your interface. I have my website that does this if anyone is interested.

You need to change the server configuration to use this new file or replace the old one. If your client (which is highly possible) has the certificate in their config, you need to change all client config files.

sgnoff
OpenVpn Newbie
Posts: 3
Joined: Thu Feb 16, 2023 4:46 pm

Re: error=certificate has expired

Post by sgnoff » Sat Feb 18, 2023 6:41 pm

Hi Dorian!

Thanks for your message!

A lot of information.

I will try!

sgnoff
OpenVpn Newbie
Posts: 3
Joined: Thu Feb 16, 2023 4:46 pm

Re: error=certificate has expired

Post by sgnoff » Sat Feb 18, 2023 6:47 pm

Hi Dorian!

Could you please tell me your website!

Thank you in advance!

Dorian
OpenVpn Newbie
Posts: 6
Joined: Sat Jan 07, 2023 9:53 am

Re: error=certificate has expired

Post by Dorian » Sat Feb 18, 2023 8:12 pm

The website is the same as this email, where you can send me a mail: cert at vpntls dot com.

You can send me a CSR or a pgp key and I will send you a certificate.