[Solved] After renewal of an expired certificate I got : VERIFY ERROR: depth=0, error=self signed certificate

Scripts to manage certificates or generate config files


Post by winpunch » Tue Sep 26, 2023 1:29 pm

Hello everyone,

First, sorry for my English; it's not my first language.

Thanks in advance if you take the time to read my post.

We have an OpenVPN server on a CentOS 6.9 machine. I know it's old, but we are working to replace it eventually.

The certificates of this server expired this week. I tried to renew them, but it seems that it's not working anymore with the clients.

This is the configuration of the server, which was made by a colleague who doesn't work with us anymore.

Server Config

port 1194
proto tcp-server
dev tun
ca keys/organization/ca.crt
cert keys/organization/organizationserver.crt
key keys/organization/organizationserver.key
dh keys/organization/dh2048.pem
server 13.67.0.0 255.255.255.0
crl-verify keys/organization/crl.pem
ifconfig-pool-persist servers/organizationVPN/logs/ipp.txt
user nobody
group nobody
status servers/organizationVPN/logs/openvpn-status.log
log-append servers/organizationVPN/logs/openvpn.log
verb 4
mute 20
max-clients 150
tun-mtu 1500
local 192.168.234.10
management 127.0.0.1 8876
keepalive 5 30
client-config-dir /etc/openvpn/servers/organizationVPN/ccd
tls-server
comp-lzo
persist-key


This is the procedure I followed to renew the certificates:

Code:

sudo openssl x509 -in /etc/openvpn/keys/organization/ca.crt -days 36500 -out /etc/openvpn/keys/organization/ca_new.crt -signkey /etc/openvpn/keys/organization/ca.key

The verification is OK.

Code:

sudo openssl verify -CAfile /etc/openvpn/keys/organization/ca_new.crt /etc/openvpn/clients/organizationVPN/vpn-client1/vpn-client1.crt
/etc/openvpn/clients/organizationVPN/vpn-client1/vpn-client1.crt: OK

After that, I'm not sure if what I have done is right. :|

Code:

sudo openssl x509 -req -in /etc/openvpn/keys/organization/organizationserver.csr -CA /etc/openvpn/keys/organization/organizationserver.crt -CAkey /etc/openvpn/keys/organization/organizationserver.key -CAcreateserial -out /etc/openvpn/keys/organization/organizationserver_new.crt -days 36500

Afterwards I changed the configuration for the new certificates and restarted OpenVPN.

Config changes

ca keys/organization/ca_new.crt
cert keys/organization/organizationserver_new.crt


On the client side, the message for an expired certificate switched to one for a self-signed certificate.

Tue Sep 26 09:11:58 2023 VERIFY ERROR: depth=0, error=self signed certificate: C=US, ST=NY, L=New York, O=My Org, OU=Office, CN=organizationserver, emailAddress=me@my.org
Tue Sep 26 09:11:58 2023 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Tue Sep 26 09:11:58 2023 TLS_ERROR: BIO read tls_read_plaintext error
Tue Sep 26 09:11:58 2023 TLS Error: TLS object -> incoming plaintext read error
Tue Sep 26 09:11:58 2023 TLS Error: TLS handshake failed
Tue Sep 26 09:11:58 2023 Fatal TLS error (check_tls_errors_co), restarting

I spent too much time trying to solve this problem. Please, if someone has an idea of what can be done, I'll be grateful.

Thanks a lot


Post by winpunch » Tue Sep 26, 2023 5:06 pm

I created new certificates with new keys and now I have to set the new config to all the clients.
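
Added example, not part of the thread and not the poster's code: a shell check that reproduces the client-side symptom with constructed throwaway certificates. When a CSR is signed with the server's own certificate and key as `-CA`/`-CAkey`, the result has issuer equal to subject, and a client that trusts only the CA rejects it as self signed. It assumes `openssl` is on the PATH; `check_server_cert`, `build_demo_pki` and all file names are hypothetical.

```shell
#!/bin/sh
# Added example; every key and certificate here is constructed throwaway data.

# check_server_cert CA_CERT SERVER_CERT
#   0 = SERVER_CERT chains to CA_CERT
#   2 = verification fails and issuer == subject (self-issued certificate)
#   1 = any other verification failure
check_server_cert() {
    ca=$1; crt=$2
    subject=$(openssl x509 -in "$crt" -noout -subject | sed 's/^[a-z]*= *//')
    issuer=$(openssl x509 -in "$crt" -noout -issuer | sed 's/^[a-z]*= *//')
    if out=$(openssl verify -CAfile "$ca" "$crt" 2>&1); then
        case $out in *": OK") return 0 ;; esac
    fi
    [ "$subject" = "$issuer" ] && return 2
    return 1
}

# Build a demo CA plus two server certificates in directory $1 (hypothetical names).
build_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" -days 30 \
        -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demoserver" \
        -keyout "$d/server.key" -out "$d/server.csr" >/dev/null 2>&1
    # Issued by the CA: -CA/-CAkey are the CA's certificate and key.
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/server.crt" -days 30 >/dev/null 2>&1
    # Same shape as the third command in the post: -CA/-CAkey are the
    # server's own certificate and key, so issuer == subject.
    openssl x509 -req -in "$d/server.csr" -CA "$d/server.crt" -CAkey "$d/server.key" \
        -CAcreateserial -out "$d/server_selfissued.crt" -days 30 >/dev/null 2>&1
}

# Run both certificates through the check and print the return codes.
demo() {
    tmp=$(mktemp -d) && build_demo_pki "$tmp" || return 1
    for c in server.crt server_selfissued.crt; do
        rc=0; check_server_cert "$tmp/ca.crt" "$tmp/$c" || rc=$?
        echo "$c: check_server_cert returned $rc"
    done
    rm -rf "$tmp"
}
demo
```

Running the same check against the real CA file and a freshly issued server certificate before restarting OpenVPN shows whether clients holding that CA will accept it.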
