Can't connect after server cert renewed

Posted: Tue Jul 11, 2023 1:53 pm
by mikecd
Our OpenVPN server running on Ubuntu began rejecting connections due to the server cert expiring. I checked the server cert with:
sudo openssl x509 -enddate -noout -in server_W5Eo8q9AByFFBruK.crt
and it is definitely expired.

I then renewed it by cd'ing to /etc/openvpn/easy-rsa and running:
sudo ./easyrsa renew server_W5Eo8q9AByFFBruK

I then cd to /etc/openvpn/easy-rsa/pki/issued where I see the renewed cert. I copy this back to /etc/openvpn to replace the old expired cert:
/etc/openvpn/easy-rsa/pki/issued# cp server_W5Eo8q9AByFFBruK.crt /etc/openvpn/
and then verify that the new cert is in /etc/openvpn/

Then I restart OpenVPN:
sudo systemctl restart openvpn@server.service
sudo systemctl restart openvpn.service

However, when I now try to connect with a client, using a previously created conf file (actually I created a new one and the same issue happens), I now get "TLS Error: TLS Key negotiation failed to occur within 60 seconds", "TLS Error: TLS handshake failed".

The server is definitely accessible via the network and FW ports are set correctly.

Does anyone know if I missed a step or something that would cause this issue after a server cert renewal?

Mike

Re: Can't connect after server cert renewed

Posted: Tue Jul 11, 2023 5:32 pm
by mikecd
In syslog, I see the following:
ovpn-server[81238]: Cannot load private key file server_W5Eo8q9AByFFBruK.key
ovpn-server[81238]: Error: private key password verification failed

I'm not sure how to remedy this, as when renewing the server cert, I entered the same password as the key.

Did I miss a step or something?

Mike

Re: Can't connect after server cert renewed

Posted: Tue Jul 11, 2023 8:19 pm
by nehakakar
Check the private key file (server_W5Eo8q9AByFFBruK.key) is present in the correct location (/etc/openvpn/) and that its permissions are set correctly. The file should be readable by the OpenVPN process.
Re-generate and Try

Re: Can't connect after server cert renewed

Posted: Tue Jul 11, 2023 9:53 pm
by mikecd
Yes, the key file exists in /etc/openvpn and the permissions are the same as the cert file.

Is there a way to force the cert to renew/re-generate? When I try now, it indicates that the cert already exists and isn't expired.

Re: Can't connect after server cert renewed

Posted: Wed Jul 12, 2023 3:00 pm
by mikecd
I solved the issue by rebuilding more than just the server cert with the following:

sudo rm pki/reqs/server_W5Eo8q9AByFFBruK.req
sudo rm pki/private/server_W5Eo8q9AByFFBruK.key
sudo rm pki/issued/server_W5Eo8q9AByFFBruK.crt
sudo EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-server-full server_W5Eo8q9AByFFBruK nopass
sudo EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
sudo cp pki/crl.pem /etc/openvpn
sudo cp pki/issued/server_W5Eo8q9AByFFBruK.crt /etc/openvpn
sudo cp pki/private/server_W5Eo8q9AByFFBruK.key /etc/openvpn/

Everything seems to be alright now. Existing client ovpn connections work.

Mike
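The thread above ends with a working rebuild but never shows how to confirm, before restarting the service, that the renewed certificate and the key in /etc/openvpn actually belong together and can be loaded non-interactively. The script below is an added example written for this thread; it is not code from the original posts or from the OpenVPN or Easy-RSA projects. It checks the failure modes that appear in the thread (an expired certificate, a key that does not pair with the copied certificate, a passphrase-protected key that the service cannot load without the askpass directive, and an unreadable file) using only the openssl CLI. Function names and the placeholder paths are my own; the demo PKI it builds in a temporary directory is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the forum thread): sanity checks to run after copying a
# renewed server cert/key into place and before restarting OpenVPN.
# Assumes the openssl CLI is installed. Paths are passed in as arguments.

# Return 0 if the certificate is still valid $2 seconds from now (default: now).
cert_is_valid() {
    openssl x509 -checkend "${2:-0}" -noout -in "$1" >/dev/null 2>&1
}

# Return 0 if the private key loads without a passphrase. A key that needs a
# passphrase cannot be read by the systemd service unless askpass is configured,
# which is the "private key password verification failed" error seen in syslog.
key_is_unencrypted() {
    openssl pkey -in "$1" -passin pass: -noout >/dev/null 2>&1
}

# Return 0 if the public key inside the certificate equals the public key derived
# from the private key; a mismatch means the cert and key were built separately.
key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" -passin pass: 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Run every check on a cert/key pair, print findings, return 0 only if all pass.
precheck_server_identity() {
    cert="$1"; key="$2"; rc=0
    [ -r "$cert" ] || { echo "FAIL: cannot read certificate $cert"; rc=1; }
    [ -r "$key" ]  || { echo "FAIL: cannot read private key $key"; rc=1; }
    [ "$rc" -eq 0 ] || return 1
    cert_is_valid "$cert" 0 || { echo "FAIL: certificate has expired"; rc=1; }
    cert_is_valid "$cert" 2592000 || echo "WARN: certificate expires within 30 days"
    key_is_unencrypted "$key" || { echo "FAIL: key is passphrase-protected (no askpass)"; rc=1; }
    key_matches_cert "$cert" "$key" || { echo "FAIL: private key does not match certificate"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $cert and $key pair up and are loadable"
    return "$rc"
}

# Constructed demo material: a throwaway self-signed cert valid for one day,
# its matching key, and an unrelated second key to show the mismatch case.
make_demo_pki() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
        -out "$dir/server.crt" -days 1 -subj "/CN=demo-server" >/dev/null 2>&1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/other.key" >/dev/null 2>&1
    echo "$dir"
}

# Usage: sh precheck.sh /etc/openvpn/server.crt /etc/openvpn/server.key
if [ "$#" -eq 2 ]; then
    precheck_server_identity "$1" "$2"
fi
```

Run it with the certificate and key paths that the server config points at (the ones copied into /etc/openvpn in the thread, not the copies still under pki/); a non-zero exit means restarting the service would fail the way the original post did, and the printed line names which of the four conditions is at fault.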