[Solved]Expired CA - clients can't connect
Moderators: TinCanTech
- OpenVpn Newbie
- Posts: 1
- Joined: Thu Apr 16, 2015 9:02 pm
[Solved]Expired CA - clients can't connect
Hello,
I've been using OpenVPN for more than 10 years, but something has happened today: my CA has expired, so clients can't connect anymore.
I haven't any kind of access to some of them, so I badly need them to reconnect to the server.
I've tried this: http://serverfault.com/questions/306345 ... nd-renewal
But it doesn't seem to work.
Any idea? Thank you in advance.
Last edited by ecrist on Sat Jan 14, 2017 2:27 am, edited 1 time in total.
Reason: Sticky post - excellent answer useful to many.
- Traffic
- OpenVPN Protagonist
- Posts: 4066
- Joined: Sat Aug 09, 2014 11:24 am
Re: Expired CA - clients can't connect
draga wrote: my CA has expired
Your server certificate has expired so you need to create and distribute a new server certificate ..
draga wrote: I've tried this: http://serverfault.com/questions/306345 ... nd-renewal
But it doesn't seem to work.
I am sure it does work ..
Server Fault wrote: Awesome reply, thanks! So all hope is not lost, and I will only have to upload the new root cert to all clients ..
- Traffic
- OpenVPN Protagonist
- Posts: 4066
- Joined: Sat Aug 09, 2014 11:24 am
Re: Expired CA - clients can't connect
Traffic wrote: Your server certificate has expired so you need to create and distribute a new server certificate ..
woops .. please excuse me .. your ca.crt has expired ..
you need to create and distribute a new ca.crt ..
I am looking into how to do this.
- maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
- Contact:
Re: Expired CA - clients can't connect
if you create a new ca.crt signed by your existing ca.key
then existing certs are validated against the new ca.crt.
I did check how to create the new ca.crt and sign it with the existing ca.key
but I didn't have time to use it via openvpn...
Michael.
- Traffic
- OpenVPN Protagonist
- Posts: 4066
- Joined: Sat Aug 09, 2014 11:24 am
Re: Expired CA - clients can't connect
Using this information:
http://serverfault.com/questions/306345 ... nd-renewal
does not generate a ca.crt with suitable details .. like CA:TRUE
EG:
Working ca.crt:
Code:
root@deb-760-live:/etc/openvpn/test2048# openssl x509 -noout -text -in ca.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            f8:24:ad:4c:5c:6d:ed:d3
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=UK, ST=00, L=London, O=OpenVPN, OU=TEST, CN=test2048/name=EasyRSA/emailAddress=me@myhost.mydomain
        Validity
            Not Before: Jan 10 14:24:22 2015 GMT
            Not After : Jan  7 14:24:22 2025 GMT
        Subject: C=UK, ST=00, L=London, O=OpenVPN, OU=TEST, CN=test2048/name=EasyRSA/emailAddress=me@myhost.mydomain
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:..
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                E2:B9:C6:8D:D7:D3:C8:40:2C:D4:EA:F4:CB:8C:09:35:46:3C:06:22
            X509v3 Authority Key Identifier:
                keyid:E2:B9:C6:8D:D7:D3:C8:40:2C:D4:EA:F4:CB:8C:09:35:46:3C:06:22
                DirName:/C=UK/ST=00/L=London/O=OpenVPN/OU=TEST/CN=test2048/name=EasyRSA/emailAddress=me@myhost.mydomain
                serial:F8:24:AD:4C:5C:6D:ED:D3
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         37:..
New (incompatible) ca.crt:
Code:
root@deb-760-live:/etc/openvpn/test2048# openssl x509 -noout -text -in newca.crt
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            aa:ce:09:77:f5:f9:21:5c
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=UK, ST=00, L=London, O=OpenVPN, OU=TEST, CN=test2048/emailAddress=me@myhost.mydomain
        Validity
            Not Before: Apr 18 14:29:53 2015 GMT
            Not After : Feb 16 08:01:37 1979 GMT
        Subject: C=UK, ST=00, L=London, O=OpenVPN, OU=TEST, CN=test2048/emailAddress=me@myhost.mydomain
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:..
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         92:..
I have tried to pick apart easy-rsa: build-ca and pkitool and openssl-1.0.0.cnf but came up with nothing.
Any further advice would be highly appreciated
- maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
- Contact:
Re: Expired CA - clients can't connect
ok, here is what I tested and it seems to work...
assuming that ca.crt & ca.key are your CA related files and you have a client cert named test.crt and test.key
after that I run:
Code:
openssl x509 -in ca.crt -days 36500 -out ca_new.crt -signkey ca.key
this creates a new file ca_new.crt which is signed by your EXISTING ca.key
if you check the contents of ca_new.crt it is important that the modulus section in both
ca files is the same...
now checking the existing test.crt against the new ca must give OK
Code:
openssl verify -CAfile ca_new.crt test.crt
test.crt: OK
after that I change my openvpn config (the ca directive) to point to the new ca file,
testing by using the existing test.crt cert I can connect fine....
Please check it and see if this works...
Michael.
- Traffic
- OpenVPN Protagonist
- Posts: 4066
- Joined: Sat Aug 09, 2014 11:24 am
Re: Expired CA - clients can't connect
Thanks Michael .. that worked fine
Candidate for "sticky" in cert config management/easyrsa
man x509 wrote:
SIGNING OPTIONS
The x509 utility can be used to sign certificates and requests: it can thus behave like a "mini CA".
-signkey filename
this option causes the input file to be self signed using the supplied private key.
If the input file is a certificate it sets the issuer name to the subject name (i.e. makes it self signed) changes the public key to the supplied value and changes the start and end dates. The start date is set to the current time and the end date is set to a value determined by the -days option. Any certificate extensions are retained unless the -clrext option is supplied.