First, sorry for my English; it's not my first language.
Thanks in advance if you take the time to read my post.
We have an OpenVPN server on a CentOS 6.9 machine. I know it's old, but we are working to replace it eventually.
The certificates of this server expired this week. I tried to renew them, but it seems that's not working anymore with the clients.
This is the configuration of the server, which was made by a colleague who doesn't work with us anymore.
Server Config
port 1194
proto tcp-server
dev tun
ca keys/organization/ca.crt
cert keys/organization/organizationserver.crt
key keys/organization/organizationserver.key
dh keys/organization/dh2048.pem
server 13.67.0.0 255.255.255.0
crl-verify keys/organization/crl.pem
ifconfig-pool-persist servers/organizationVPN/logs/ipp.txt
user nobody
group nobody
status servers/organizationVPN/logs/openvpn-status.log
log-append servers/organizationVPN/logs/openvpn.log
verb 4
mute 20
max-clients 150
tun-mtu 1500
local 192.168.234.10
management 127.0.0.1 8876
keepalive 5 30
client-config-dir /etc/openvpn/servers/organizationVPN/ccd
tls-server
comp-lzo
persist-key
This is the procedure I followed to renew the certificates:
sudo openssl x509 -in /etc/openvpn/keys/organization/ca.crt -days 36500 -out /etc/openvpn/keys/organization/ca_new.crt -signkey /etc/openvpn/keys/organization/ca.key
sudo openssl verify -CAfile /etc/openvpn/keys/organization/ca_new.crt /etc/openvpn/clients/organizationVPN/vpn-client1/vpn-client1.crt
/etc/openvpn/clients/organizationVPN/vpn-client1/vpn-client1.crt: OK
sudo openssl x509 -req -in /etc/openvpn/keys/organization/organizationserver.csr -CA /etc/openvpn/keys/organization/organizationserver.crt -CAkey /etc/openvpn/keys/organization/organizationserver.key -CAcreateserial -out /etc/openvpn/keys/organization/organizationserver_new.crt -days 36500
Config changes
ca keys/organization/ca_new.crt
cert keys/organization/organizationserver_new.crt
On the client side, the message for an expired certificate switched to one for a self-signed certificate.
[olog]
Tue Sep 26 09:11:58 2023 VERIFY ERROR: depth=0, error=self signed certificate: C=US, ST=NY, L=New York, O=My Org, OU=Office, CN=organizationserver, emailAddress=me@my.org
Tue Sep 26 09:11:58 2023 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Tue Sep 26 09:11:58 2023 TLS_ERROR: BIO read tls_read_plaintext error
Tue Sep 26 09:11:58 2023 TLS Error: TLS object -> incoming plaintext read error
Tue Sep 26 09:11:58 2023 TLS Error: TLS handshake failed
Tue Sep 26 09:11:58 2023 Fatal TLS error (check_tls_errors_co), restarting
[/olog]
I have spent too much time trying to solve this problem. Please, if someone has an idea of what can be done, I'll be grateful.
Thanks a lot
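As an added example (not from the original post and not OpenVPN or OpenSSL project code), here is a shell script that builds a throwaway CA, renews a server certificate both ways (signed by the CA key, and signed by the server's own key the way the post's third command does), and runs the check I would want before deploying a renewed certificate: does the server certificate chain to the CA, or is its issuer equal to its subject? The CA name, file names and the check_chain function are assumptions made here; the script requires the openssl CLI and works in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI is installed.
# Demonstrates why "VERIFY ERROR: depth=0, error=self signed certificate" appears
# when a server CSR is signed with the server's own key instead of the CA key.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# check_chain CAFILE CERT
# Returns 0 when CERT is issued by the CA in CAFILE and is not self-signed,
# 1 otherwise. This is the check a client performs (at depth=0) during the handshake.
check_chain() {
    cafile="$1"; cert="$2"
    subject="$(openssl x509 -in "$cert" -noout -subject)"
    issuer="$(openssl x509 -in "$cert" -noout -issuer)"
    # Strip the "subject=" / "issuer=" prefixes and compare the distinguished names.
    if [ "${subject#subject=}" = "${issuer#issuer=}" ]; then
        echo "FAIL: $cert is self-signed (issuer equals subject)"
        return 1
    fi
    if ! openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $cafile"
        return 1
    fi
    echo "OK: $cert chains to $cafile"
    return 0
}

# Constructed fixtures: a throwaway CA, a server key/CSR, an old server cert
# signed by the CA, and two "renewed" certificates.
make_fixtures() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=organizationserver" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    # Original (expired in the post's scenario) server certificate, issued by the CA.
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -out "$WORK/server_old.crt" 2>/dev/null
    # Correct renewal: the CSR is signed with the CA's key.
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -out "$WORK/server_good.crt" 2>/dev/null
    # Renewal as in the post: -CA is the old server cert and -CAkey the server key,
    # so the new certificate is issued by "organizationserver" itself.
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/server_old.crt" \
        -CAkey "$WORK/server.key" -CAcreateserial -days 30 \
        -out "$WORK/server_selfsigned.crt" 2>/dev/null
}

# Demonstration run: the first check passes, the second reports the self-signed cert.
make_fixtures
check_chain "$WORK/ca.crt" "$WORK/server_good.crt"
check_chain "$WORK/ca.crt" "$WORK/server_selfsigned.crt" || true
```

The same check applied to the real files (`check_chain /etc/openvpn/keys/organization/ca_new.crt /etc/openvpn/keys/organization/organizationserver_new.crt`) tells you immediately whether the renewed server certificate was issued by the CA or by the server's own key, which is what the client's "depth=0, self signed certificate" line is reporting.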