Renew certificat OpenVPN Server
-
Hello everyone,
My OpenVPN Server certificate was about to expire and I started renewing. Having renewed the CA certificate last week in 3 clicks, I said to myself "come on, it's going to be easy"... Overconfidence....
The renewal went well, but now the VPN does not come up. When I did the renewal I left these parameters:
I tried restarting the openvpn daemon but nothing worked. From what I understood from the doc, with the "Reuse key" option checked, it is not necessary to re-deploy the certificate for the clients.
Or did I miss it somewhere?
Thanks
-
@flipflip said in Renew certificat OpenVPN Server:
From what I understood from the doc, with the "Reuse key" option checked, it is not necessary to re-deploy the certificate for the clients
According to this: https://docs.netgate.com/pfsense/en/latest/certificates/renew.html
"For user certificates, the updated certificate must be exported and transmitted to the user. If a new key was generated by the renewal process, it must also be transmitted to the user."
-
@flipflip said in Renew certificat OpenVPN Server:
From what I understood from the doc, with the "Reuse key" option checked, it is not necessary to re-deploy the certificate for the clients
This shouldn't be necessary anyway when renewing the server certificate. This is only needed when you change the CA cert.
Some hints to what's wrong in the OpenVPN log?
-
The CA certificate was successfully renewed last week. I did it before expiry and only the validity date has, a priori, been updated. I didn't need to update it on the different VPN clients. It was only this morning when I launched the renewal of the OpenVpn server certificate that it went wrong.
Update 05/30
Update 05/31
I tested by updating the CA certificate by hand on one of the VPN clients and it works.
In the logs I have no error, just client connection failures.
Philippe
-
@flipflip said in Renew certificat OpenVPN Server:
The CA certificate was successfully renewed last week. I did it before expiry and only the validity date has, a priori, been updated. I didn't need to update it on the different VPN clients.
But now you might have to.
The server certificate is issued from the new CA cert, but the clients still have the old one and verify the server cert to it. Hence they will reject the connection.
-
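To illustrate the mechanism described in this reply (and the "Reuse key" question earlier in the thread), here is an added shell demonstration, not from the thread or from pfSense, that uses the openssl CLI to build a throwaway CA, renew it once with the key reused and once with a new key, and check which renewed server certificates a client still holding the old ca.crt would accept. All names and paths are constructed for the demo.

```shell
#!/bin/sh
# Added demo (not from the thread or pfSense): a client's old ca.crt keeps
# validating renewed server certs while the CA key is reused, but not once
# the CA is renewed with a new key. Names and paths are constructed.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA cert from a key file (same subject name each time).
make_ca_cert() {  # $1=ca key  $2=output ca cert
    openssl req -x509 -new -key "$1" -subj "/CN=Demo VPN CA" -days 3650 \
        -out "$2" >/dev/null 2>&1
}

# Server cert issued by the given CA cert/key pair.
issue_server_cert() {  # $1=ca cert  $2=ca key  $3=output server cert
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
        -subj "/CN=vpn.example.test" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/server.csr" -CA "$1" -CAkey "$2" \
        -CAcreateserial -days 365 -out "$3" >/dev/null 2>&1
}

# Old CA: the ca.crt the VPN clients still carry in their config.
openssl genrsa -out "$WORK/ca_old.key" 2048 >/dev/null 2>&1
make_ca_cert "$WORK/ca_old.key" "$WORK/ca_old.crt"

# Renewal A ("reuse key"): fresh validity period, same key pair.
make_ca_cert "$WORK/ca_old.key" "$WORK/ca_reuse.crt"
# Renewal B: new key pair under the same CA name.
openssl genrsa -out "$WORK/ca_new.key" 2048 >/dev/null 2>&1
make_ca_cert "$WORK/ca_new.key" "$WORK/ca_new.crt"

# The server cert renewed after each kind of CA renewal.
issue_server_cert "$WORK/ca_reuse.crt" "$WORK/ca_old.key" "$WORK/server_reuse.crt"
issue_server_cert "$WORK/ca_new.crt"   "$WORK/ca_new.key" "$WORK/server_new.crt"

# What the OpenVPN client does with its ca.crt: chain-validate the server cert.
client_accepts() {  # $1=client's ca.crt  $2=server cert -> prints ok|rejected
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo rejected
    fi
}

client_accepts "$WORK/ca_old.crt" "$WORK/server_reuse.crt"   # ok
client_accepts "$WORK/ca_old.crt" "$WORK/server_new.crt"     # rejected
client_accepts "$WORK/ca_new.crt" "$WORK/server_new.crt"     # ok
```

The old ca.crt on the clients keeps validating renewed server certificates only while the CA key is unchanged and that old CA certificate is itself still within its validity period; once either changes, the new CA certificate has to be distributed to every client.
-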
@viragomann said in Renew certificat OpenVPN Server:
But now you might have to.
The server certificate is issued from the new CA cert, but the clients still have the old one and verify the server cert to it. Hence they will reject the connection.
Ok, now I understand why it doesn't work anymore.
I made an msi package to deploy the new certificate on Windows clients and for the others I did it by hand.
Thanks for your help.
Philippe.
-
@flipflip
Consider setting a long validity time for the CA certificate, e.g. 20 y.
So you can renew the client or server certificates without issues for a long time.
-
May I add a question here, although the thread is somewhat older?
My question matches the topic. I think I know the answer, but I want to be SURE before proceeding:
On a pfsense (yeah, sure ;-)) I run OpenVPN with its own CA and server cert.
The CA cert: Valid Until: Fri, 04 Nov 2033 14:16:13 +0100
The OpenVPN server cert issued by that CA: Valid Until: Mon, 09 Dec 2024 14:16:16 +0100
So I have to renew the server cert soon.
As far as I understand:
- the renewal should be easy (one click in the gui, maybe restart the VPN-server?)
- this should NOT break anything for the VPN clients: their certs are valid until 2033 as well
Am I right with this, or am I missing something?
The vpn-clients (~30) are spread all over some countries, I should manage to keep the services up (with just the short interruption when renewing the server-cert).
Thanks for checking and confirming ...
-
@sgw said in Renew certificat OpenVPN Server:
The CA cert: Valid Until: Fri, 04 Nov 2033 14:16:13 +0100
The OpenVPN server cert issued by that CA: Valid Until: Mon, 09 Dec 2024 14:16:16 +0100
Yes, if the clients got their certs from this CA, there is no need to do anything on the client side, as long as their certs are still valid.
Restarting the server is required to use the renewed cert.
-
@viragomann thank you for the confirming feedback!
EDIT: ps: it worked out great, thanks again