Netgate Discussion Forum
    OpenVPN renew CA and Server cert without renewing client certs?

    CoyoteKG (last edited by CoyoteKG)

      Version: 2.5.2-RELEASE

      My CA and OpenVPN certs expired a few days ago.
      I renewed those and restarted the OpenVPN servers.
      I did not renew the client certs, since those are valid until 2031.

      But I was not able to connect to the server. I got this error:

      TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      

      After I renewed user cert as well I was able to connect to OpenVPN.

      Questions are:

      1. Do I really need to renew the certs for all clients even if they are not expired?
      2. Is there any way to renew all certs in place, without any changes on client side?

      This is an example of an exported client conf:

      dev tun
      persist-tun
      persist-key
      ncp-disable
      cipher AES-256-CBC
      auth SHA256
      tls-client
      client
      resolv-retry infinite
      remote vpn.xxx.io 1195 udp4
      lport 0
      verify-x509-name "xxx VPN server" name
      auth-user-pass
      remote-cert-tls server
      explicit-exit-notify
      
      <ca>
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
      </ca>
      <cert>
      -----BEGIN CERTIFICATE-----
      xxx
      -----END CERTIFICATE-----
      </cert>
      <key>
      -----BEGIN PRIVATE KEY-----
      xxx
      -----END PRIVATE KEY-----
      </key>
      key-direction 1
      <tls-auth>
      #
      # 2048 bit OpenVPN static key
      #
      -----BEGIN OpenVPN Static key V1-----
      xxx
      -----END OpenVPN Static key V1-----
      </tls-auth>
      
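As an added example (not code from the thread or from pfSense): a stdlib-only Python check that compares the CA embedded in an exported client profile's <ca> block against the CA the server currently uses, by SHA-256 fingerprint of the decoded DER payload. The profile text and PEM bodies below are constructed placeholders, not real certificates; a mismatch flags a profile that still carries the pre-renewal CA.

```python
import base64
import hashlib
import re

# Inline blocks an exported OpenVPN profile carries, e.g. <ca>...</ca>.
BLOCK_RE = re.compile(r"<(ca|cert|key|tls-auth)>\s*(.*?)\s*</\1>", re.S)
# One PEM object: the base64 body between the BEGIN/END armour lines.
PEM_RE = re.compile(r"-----BEGIN [^-]+-----\s*(.*?)\s*-----END [^-]+-----", re.S)


def inline_blocks(profile: str) -> dict:
    """Map of inline block name -> body for an .ovpn profile."""
    return {name: body for name, body in BLOCK_RE.findall(profile)}


def pem_fingerprint(pem: str) -> str:
    """SHA-256 hex digest over the DER payload of the first PEM object."""
    m = PEM_RE.search(pem)
    if m is None:
        raise ValueError("no PEM object found")
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def profile_ca_is_current(profile: str, server_ca_pem: str) -> bool:
    """True when the profile's embedded <ca> is byte-for-byte the CA the
    server now uses; False means the profile predates the CA renewal."""
    blocks = inline_blocks(profile)
    if "ca" not in blocks:
        raise ValueError("profile has no inline <ca> block")
    return pem_fingerprint(blocks["ca"]) == pem_fingerprint(server_ca_pem)


def _pem(label: str, payload: bytes) -> str:
    """Wrap constructed placeholder bytes in PEM armour (not a real cert)."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----"


# Constructed sample data: the profile was exported before the CA was renewed.
OLD_CA_PEM = _pem("CERTIFICATE", b"constructed: CA cert before renewal")
NEW_CA_PEM = _pem("CERTIFICATE", b"constructed: CA cert after renewal")
CLIENT_PROFILE = (
    "client\nremote vpn.example.invalid 1195 udp4\nremote-cert-tls server\n"
    f"<ca>\n{OLD_CA_PEM}\n</ca>\n"
    f"<cert>\n{_pem('CERTIFICATE', b'constructed: client cert')}\n</cert>\n"
)

if __name__ == "__main__":
    state = "current" if profile_ca_is_current(CLIENT_PROFILE, NEW_CA_PEM) else "STALE"
    print(f"embedded CA is {state}: {pem_fingerprint(inline_blocks(CLIENT_PROFILE)['ca'])}")
```

Run against each exported .ovpn with the CA PEM exported from the server to find profiles that still embed the old CA.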
      Jarhead @CoyoteKG

        @coyotekg The client certs use the CA as the issuer just like the server certs do, so yes, you would need to change them.
