Netgate Discussion Forum

Renew certificate OpenVPN Server

General pfSense Questions
10 Posts 4 Posters 2.5k Views
flipflip, May 31, 2023, 10:06 AM

Hello everyone,

My OpenVPN server certificate was about to expire and I started renewing it. Having renewed the certificate authority's certificate last week in 3 clicks, I said to myself "come on, it's going to be easy"... Overconfidence....

The renewal went well, but now the VPN does not come up. When I did the renewal I left these parameters:

[image: renewal parameters]

I tried restarting the OpenVPN daemon, but nothing worked. From what I understood from the doc, with the "Reuse key" option checked, it is not necessary to re-deploy the certificate to the clients.

Or did I miss it somewhere?
Thanks

NollipfSense @flipflip, May 31, 2023, 1:22 PM

@flipflip said in Renew certificate OpenVPN Server:

From what I understood from the doc, with the "Reuse key" option checked, it is not necessary to re-deploy the certificate to the clients.

According to this: https://docs.netgate.com/pfsense/en/latest/certificates/renew.html

"For user certificates, the updated certificate must be exported and transmitted to the user. If a new key was generated by the renewal process, it must also be transmitted to the user."

viragomann @flipflip, May 31, 2023, 1:22 PM

@flipflip said in Renew certificate OpenVPN Server:

From what I understood from the doc, with the "Reuse key" option checked, it is not necessary to re-deploy the certificate to the clients.

This shouldn't be necessary anyway when renewing the server certificate. It is only needed when you change the CA cert.

Any hints as to what's wrong in the OpenVPN log?

flipflip @viragomann, May 31, 2023, 1:53 PM

The CA certificate was successfully renewed last week. I did it before expiry and, a priori, only the validity date was updated. I didn't need to update it on the different VPN clients. It was only this morning, when I launched the renewal of the OpenVPN server certificate, that it went wrong.

Update 05/30
[image]

Update 05/31
[image]

I tested by updating the CA certificate by hand on one of the VPN clients and it works.

In the logs I have no errors, just client connection failures.

Philippe

viragomann @flipflip, May 31, 2023, 4:02 PM

@flipflip said in Renew certificate OpenVPN Server:

The CA certificate was successfully renewed last week. I did it before expiry and, a priori, only the validity date was updated. I didn't need to update it on the different VPN clients.

But now you might have to.
The server certificate is issued from the new CA cert, but the clients still have the old one and verify the server cert against it. Hence they will reject the connection.

flipflip @viragomann, Jun 1, 2023, 6:21 AM

@viragomann said in Renew certificate OpenVPN Server:

But now you might have to.
The server certificate is issued from the new CA cert, but the clients still have the old one and verify the server cert against it. Hence they will reject the connection.

OK, now I understand why it doesn't work anymore.

I made an MSI package to deploy the new certificate on the Windows clients, and for the others I did it by hand.

Thanks for your help.
Philippe.

viragomann @flipflip, Jun 1, 2023, 6:56 AM

@flipflip
Consider setting a long validity period for the CA certificate, e.g. 20 years.
So you can renew the client or server certificates without issues for a long time.

sgw @viragomann, Nov 27, 2024, 10:49 AM

May I add a question here, although the thread is somewhat older?

My question matches the topic. I think I know the answer, but I want to be SURE before proceeding:

On a pfSense (yeah, sure ;-)) I run OpenVPN with its own CA and server cert.

The CA cert: Valid Until: Fri, 04 Nov 2033 14:16:13 +0100
The OpenVPN server cert issued by that CA: Valid Until: Mon, 09 Dec 2024 14:16:16 +0100

So I have to renew the server cert soon.

As far as I understand:

• the renewal should be easy (one click in the GUI, maybe restart the VPN server?)
• this should NOT break anything for the VPN clients: their certs are valid until 2033 as well

Am I right with this, or am I missing something?

The VPN clients (~30) are spread across several countries; I should manage to keep the service up (with just the short interruption when renewing the server cert).

Thanks for checking and confirming ...

viragomann @sgw, Nov 27, 2024, 2:12 PM

@sgw said in Renew certificate OpenVPN Server:

The CA cert: Valid Until: Fri, 04 Nov 2033 14:16:13 +0100
The OpenVPN server cert issued by that CA: Valid Until: Mon, 09 Dec 2024 14:16:16 +0100

Yes, if the clients got their certs from this CA, there is no need to do anything on the client side as long as their certs are still valid.

Restarting the server is required to use the renewed cert.

sgw @viragomann, Nov 28, 2024, 12:22 PM (last edited Dec 15, 2024, 3:43 PM)

@viragomann thank you for the confirming feedback!

EDIT: PS: it worked out great, thanks again

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.