I set up my OpenVPN server about 10 years ago. It's set up on a Gentoo server.

vpn keys # /etc/init.d/openvpn --version
openvpn (OpenRC) 0.23.2 (Gentoo Linux)

I created several configuration files for several devices. All working very well, until some days ago, when I got this error from the VPN client:

Tue Jan 25 18:18:01 2022 MANAGEMENT: >STATE:1643131081,WAIT,,,,,,
Tue Jan 25 18:19:01 2022 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Jan 25 18:19:01 2022 TLS Error: TLS handshake failed
Tue Jan 25 18:19:01 2022 SIGUSR1[soft,tls-error] received, process restarting
Tue Jan 25 18:19:01 2022 MANAGEMENT: >STATE:1643131141,RECONNECTING,tls-error,,,,,
Tue Jan 25 18:19:01 2022 Restart pause, 5 second(s)
Tue Jan 25 18:19:06 2022 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue Jan 25 18:19:06 2022 MANAGEMENT: >STATE:1643131146,RESOLVE,,,,,,

Server configuration file:

port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/vpn.crt
key /etc/openvpn/keys/vpn.key
dh /etc/openvpn/keys/dh1024.pem
server 172.17.0.0 255.255.0.0
ifconfig-pool-persist /etc/openvpn/log/ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /etc/openvpn/log/openvpn-status.log
verb 3
client-to-client
duplicate-cn

cat vpn.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: ............
Validity
Not Before: Jan 27 10:09:19 2012 GMT
Not After : Jan 24 10:09:19 2022 GMT

At the end: ca.crt and vpn.crt are expired.

At this point:
1) Is there a way to update the certificate on all clients with a remote workaround? I'm not able to go physically to these remote client devices. For example, a directive in the server configuration file that updates client certificates?
2) Must I renew/re-generate all certificates, client and server, and update every client only with a local connection to them?
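Added here as an example (not part of the original post): a shell check, assuming the openssl CLI is available, that reports how close each certificate in an OpenVPN keys directory is to expiry, so a renewal can be scheduled before the TLS handshake starts failing as shown above. The /etc/openvpn/keys path is the post's own and is used only as a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): report how long each OpenVPN
# certificate under a keys directory stays valid, so an expiry like the one
# above is caught before clients lose their TLS handshake.
# Assumes the openssl CLI is installed; /etc/openvpn/keys is the post's path,
# used here only as a placeholder.
WARN_DAYS=${WARN_DAYS:-30}

# Print the notAfter date of a PEM certificate.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Return 0 = valid beyond WARN_DAYS, 1 = expires within WARN_DAYS,
# 2 = already expired, 3 = file is not a readable certificate.
cert_expiry_status() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 3
    # -checkend N fails if the certificate will have expired N seconds from now
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 || return 2
    openssl x509 -in "$1" -noout -checkend $((WARN_DAYS * 86400)) >/dev/null 2>&1 || return 1
    return 0
}

# Check every *.crt in a directory, print one line each, and return the
# worst status seen (so a cron job can alert on a non-zero exit).
check_openvpn_certs() {
    worst=0
    for cert in "$1"/*.crt; do
        [ -e "$cert" ] || continue
        rc=0; cert_expiry_status "$cert" || rc=$?
        case $rc in
            0) msg="OK";;
            1) msg="EXPIRES SOON";;
            2) msg="EXPIRED";;
            *) msg="UNREADABLE";;
        esac
        printf '%-13s %s (notAfter=%s)\n' "$msg" "$cert" "$(cert_not_after "$cert" 2>/dev/null)"
        if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    done
    return "$worst"
}

# Usage: check_openvpn_certs /etc/openvpn/keys
```

Run it from cron against the server's keys directory and alert on a non-zero exit; the same check applied to each client's cert when it is issued gives the renewal date up front.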