Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Handle certificate expiration #974

Open
olivamauricio opened this issue Jan 31, 2022 · 17 comments
Open

Handle certificate expiration #974

olivamauricio opened this issue Jan 31, 2022 · 17 comments

Comments

@olivamauricio
Copy link

Dear, I installed the script and I have the whole environment working, but I don't know when the certificates expire. Through the command below I verified that the ca.crt certificate has a period of 10 years to expire. But the server certificate is only 1 year old and will expire in the next few months.
How do I use the script to delay server certificate validity?

openssl x509 -in ca.crt -dates -noout

notBefore=Jul 26 16:59:50 2019 GMT
notAfter=Jul 23 16:59:50 2029 GMT

openssl x509 -in server_p---------------.crt -dates -noout

notBefore=Jul 26 16:59:50 2019 GMT
notAfter=Jul 10 16:59:50 2022 GMT

I imagine the server will stop working on Jul 10/2022. How to solve this problem? Thanks.

@computeus
Copy link

I am also looking for an answer to this issue as my server certificate has expired this morning. Should I reinstall the OpenVPN server or is there a less disruptive solution?

@katmai
Copy link

katmai commented Feb 22, 2022

same thing here, the cert expired and nobody can connect. do we have to reinstall and reissue all clients profiles?

@nxtreaming
Copy link

+1
same here

@BigNerd95
Copy link

To fix the script you have to prepend EASYRSA_CERT_EXPIRE=3650 to:

https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L739

https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L1086

https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L1090

So for example it will become:
EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-server-full "$SERVER_NAME" nopass

@BigNerd95
Copy link

To fix the certificate of the server:

cd /etc/openvpn/easy-rsa/
rm pki/reqs/server_X194SFMGqcUxbZkB.req
rm pki/private/server_X194SFMGqcUxbZkB.key
rm pki/issued/server_X194SFMGqcUxbZkB.crt
EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-server-full server_X194SFMGqcUxbZkB nopass
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
cp pki/crl.pem /etc/openvpn
cp pki/issued/server_X194SFMGqcUxbZkB.crt /etc/openvpn
cp pki/private/server_X194SFMGqcUxbZkB.key /etc/openvpn/
systemctl restart openvpn@server.service

@BigNerd95
Copy link

To fix the certificate of a client:

Get the exact name of a client from this list (the name following CN=):

cat /etc/openvpn/easy-rsa/pki/index.txt

Now generate the new certificate:

cd /etc/openvpn/easy-rsa/
rm pki/reqs/ClientName.req
rm pki/private/ClientName.key
rm pki/issued/ClientName.crt
EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "ClientName" nopass
cat pki/issued/ClientName.crt 
cat pki/private/ClientName.key

Inside your ClientName.ovpn replace:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

inside <cert>...</cert>
and:

-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

inside <key>...</key>.

@ctcmgm
Copy link

ctcmgm commented Aug 9, 2022

I write a sample perl script
update_certs.txt

@novalu
Copy link

novalu commented Nov 27, 2022

This should be mentioned in documentation. It makes sense that server certificate expires, but in my case I was shocked why all my VPN clients stopped working. I resolved it by uninstall & install OpenVPN with the script again, but it would be useful an option for regenerating certificate from the script options.

@angristan angristan changed the title Client expires? Handle certificate expiration Jan 22, 2023
@angristan angristan pinned this issue Jan 22, 2023
@gits7r
Copy link
Contributor

gits7r commented Jan 22, 2023

The wording and behavior in #1085 makes a nicer user experience, for those who don't know or care what these expiration dates are and are not interested into changing them. Just to reference, we are talking about:

  • expiration date of CA
  • expiration date of server cert
  • expiration date of each client's cert

It's true that upon revokation or extend, a feature to rm -rf residual stuff in pki is very useful, but maybe we should ask if to use it as in Would you like to clean-up (delete residual certificate and key data?.

When coding this we might take into consideration that we will also implement (optional if chosen by the user) tls-crypt-v2 where the server and each client have a different, unique OpenVPN static key.

@ScanCaster
Copy link

To fix the certificate of the server:

cd /etc/openvpn/easy-rsa/
rm pki/reqs/server_X194SFMGqcUxbZkB.req
rm pki/private/server_X194SFMGqcUxbZkB.key
rm pki/issued/server_X194SFMGqcUxbZkB.crt
EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-server-full server_X194SFMGqcUxbZkB nopass
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
cp pki/crl.pem /etc/openvpn
cp pki/issued/server_X194SFMGqcUxbZkB.crt /etc/openvpn
cp pki/private/server_X194SFMGqcUxbZkB.key /etc/openvpn/
systemctl restart openvpn@server.service

THANK YOU! Solved my issue today! THANK YOU!

Now JUST a HEADS UP and FYI.. Make sure to use YOUR SERVER NAME in the sequence above! the RANDOM TEXT after **server will be DIFFERENT for EACH INSTALL.**_ Just be aware and heads up for those that may not be aware of this..

Example: cp pki/private/server_(YOUR_SERVER_TEXT_NAME_).key /etc/openvpn/

Good for 10 years now.. but I am creating some BASH scripts right now for later... and since this will come up on a couple other nodes of my SuperPersonalVPN Network :) :) Got a new node I've not done the install on yet!

Again, THANK YOU!

@ScanCaster
Copy link

To fix the script you have to prepend EASYRSA_CERT_EXPIRE=3650 to:

https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L739

https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L1086

https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L1090

So for example it will become: EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-server-full "$SERVER_NAME" nopass

Going to add these patches for my upcoming new node install! Thank you!

Might even work on adding in my own patches to the script to do this Update Certs, and update the clients afterwards...

Thank you!

@ErminMerdanovic
Copy link

If you're looking to also encrypt your private key, a handy tip is to utilize OpenSSL by executing the following command.

openssl pkey -aes256 -in ClientName.key -out ClientName.encrypted.key

@hariskhan488
Copy link

getting error of peer certificate verification failed , today for all of my clients.

is my server certificate has expired ? and how do i renew it ? i don't want to delete all the client files and access.

@stefkkkk
Copy link

stefkkkk commented Dec 18, 2023

To fix the certificate of the server:

cd /etc/openvpn/easy-rsa/
rm pki/reqs/server_X194SFMGqcUxbZkB.req
rm pki/private/server_X194SFMGqcUxbZkB.key
rm pki/issued/server_X194SFMGqcUxbZkB.crt
EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-server-full server_X194SFMGqcUxbZkB nopass
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
cp pki/crl.pem /etc/openvpn
cp pki/issued/server_X194SFMGqcUxbZkB.crt /etc/openvpn
cp pki/private/server_X194SFMGqcUxbZkB.key /etc/openvpn/
systemctl restart openvpn@server.service

thanks a lot! working like a charm
but may be you know also how to deal with ca.crt? I want to set expiration date a little higher, than 10 years

@joy2fun
Copy link

joy2fun commented Feb 18, 2024

For an expired client, I simply added a new user via this:
EASYRSA_CERT_EXPIRE=3650 openvpn-install.sh

@angristan
Copy link
Owner

👋 I've updated to default to 10 years in #1235

@stefkkkk
Copy link

👋 I've updated to default to 10 years in #1235

could you please to write commands, which will update old certs which wasn't previously 10 year old?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests