Can't connect after server cert renewed

Support forum for Easy-RSA certificate management suite.

Moderators: TinCanTech

mikecd
OpenVpn Newbie
Posts: 4
Joined: Tue Jul 11, 2023 12:52 pm

Can't connect after server cert renewed

Post by mikecd » Tue Jul 11, 2023 1:53 pm

Our OpenVPN server running on Ubuntu began rejecting connections due to the server cert expiring. I checked the server cert with:
sudo openssl x509 -enddate -noout -in server_W5Eo8q9AByFFBruK.crt
and it is definitely expired.

I then renew it by cd'ing to /etc/openvpn/easy-rsa and running:
sudo ./easyrsa renew server_W5Eo8q9AByFFBruK

I then cd to /etc/openvpn/easy-rsa/pki/issued where I see the renewed cert. I copy this back to /etc/openvpn to replace the old expired cert:
/etc/openvpn/easy-rsa/pki/issued# cp server_W5Eo8q9AByFFBruK.crt /etc/openvpn/
and then verify that the new cert is in /etc/openvpn/

Then I restart OpenVPN:
sudo systemctl restart openvpn@server.service
sudo systemctl restart openvpn.service

However, when I now try to connect with a client, using a previously created conf file (actually I created a new one and the same issue happens), I now get "TLS Error: TLS Key negotiation failed to occur within 60 seconds", "TLS Error: TLS handshake failed".

The server is definitely accessible via the network and FW ports are set correctly.

Does anyone know if I missed a step or something that would cause this issue after a server cert renewal?

Mike

mikecd
OpenVpn Newbie
Posts: 4
Joined: Tue Jul 11, 2023 12:52 pm

Re: Can't connect after server cert renewed

Post by mikecd » Tue Jul 11, 2023 5:32 pm

In syslog, I see the following:
ovpn-server[81238]: Cannot load private key file server_W5Eo8q9AByFFBruK.key
ovpn-server[81238]: Error: private key password verification failed

I'm not sure how to remedy this, as when renewing the server cert, I entered the same password as the key.

Did I miss a step or something?

Mike

nehakakar
OpenVpn Newbie
Posts: 11
Joined: Tue Jul 11, 2023 1:29 pm

Re: Can't connect after server cert renewed

Post by nehakakar » Tue Jul 11, 2023 8:19 pm

Check the private key file (server_W5Eo8q9AByFFBruK.key) is present in the correct location (/etc/openvpn/) and that its permissions are set correctly. The file should be readable by the OpenVPN process.
Re-generate and try.

mikecd
OpenVpn Newbie
Posts: 4
Joined: Tue Jul 11, 2023 12:52 pm

Re: Can't connect after server cert renewed

Post by mikecd » Tue Jul 11, 2023 9:53 pm

Yes, the key file exists in /etc/openvpn and the permissions are the same as the cert file.

Is there a way to force the cert to renew/re-generate? When I try now, it indicates that the cert already exists and isn't expired.

mikecd
OpenVpn Newbie
Posts: 4
Joined: Tue Jul 11, 2023 12:52 pm

Re: Can't connect after server cert renewed

Post by mikecd » Wed Jul 12, 2023 3:00 pm

I solved the issue by rebuilding more than just the server cert with the following:

sudo rm pki/reqs/server_W5Eo8q9AByFFBruK.req
sudo rm pki/private/server_W5Eo8q9AByFFBruK.key
sudo rm pki/issued/server_W5Eo8q9AByFFBruK.crt
sudo EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-server-full server_W5Eo8q9AByFFBruK nopass
sudo EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
sudo cp pki/crl.pem /etc/openvpn
sudo cp pki/issued/server_W5Eo8q9AByFFBruK.crt /etc/openvpn
sudo cp pki/private/server_W5Eo8q9AByFFBruK.key /etc/openvpn/

Everything seems to be alright now. Existing client ovpn connections work.

Mike
