CA certificate expired on openvpn
error 10 at 0 depth
means your server cert has expired, not your CA cert. Issue a new server cert -- for the same private key if you like, and definitely for the same DN -- and use that. The whole reason to have/use a CA is so that you can issue child (server and client) certs whenever needed, without the hassle of manually distributing them, only distributing the one CA cert.
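As an added worked example (not code from the answer above or from the OpenVPN/easy-rsa projects), the script below does the two things the answer describes: it reads the depth number out of an "error N at D depth" line from openssl verify to tell whether the leaf cert or the issuer failed, and it re-issues a server cert for the same private key and the same DN under the unchanged CA. The CA name, server DN, key sizes, 1-day stand-in for the expired cert and the temporary directory are all constructed for the demo; it needs only a POSIX sh and the openssl binary.

```shell
#!/bin/sh
# Added example, not from the original post. Names (Example-CA, server,
# the temp dir) are constructed for the demo.
set -eu

# depth 0 in `openssl verify` output is the leaf (server/client) cert;
# depth 1 and above is an issuer, i.e. the CA in a two-level easy-rsa PKI.
verify_depth_to_cert() {
    depth=$(printf '%s\n' "$1" | sed -n 's/.*error [0-9][0-9]* at \([0-9][0-9]*\) depth.*/\1/p')
    case "$depth" in
        0)  echo leaf ;;
        '') echo unknown ;;
        *)  echo issuer ;;
    esac
}

# "yes" if the cert is already expired or expires within $2 days, else "no".
# `x509 -checkend N` exits non-zero when notAfter falls within N seconds.
expires_within_days() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        echo no
    else
        echo yes
    fi
}

# Re-issue a server cert: build a CSR from the OLD cert and its existing key
# (this keeps the DN and the key pair), then sign it with the CA for $5 days.
renew_server_cert() {
    old_crt=$1; key=$2; ca_crt=$3; ca_key=$4; days=$5; new_crt=$6
    openssl x509 -x509toreq -in "$old_crt" -signkey "$key" -out renew.csr 2>/dev/null
    openssl x509 -req -in renew.csr -CA "$ca_crt" -CAkey "$ca_key" -CAcreateserial \
        -days "$days" -out "$new_crt" 2>/dev/null
}

# Build a throwaway PKI, renew the server cert, and check the result.
# Runs in a subshell so the cd and any early exit stay local.
renew_demo() (
    dir=$(mktemp -d)
    cd "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
        -days 3650 -subj "/CN=Example-CA" 2>/dev/null
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl req -new -key server.key -subj "/O=Example/CN=server" -out server.csr 2>/dev/null
    # A 1-day cert stands in for the expired one on the real server.
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 1 -out server.crt 2>/dev/null

    renew_server_cert server.crt server.key ca.crt ca.key 365 server_new.crt

    # Old cert is about to expire, new one is not.
    [ "$(expires_within_days server.crt 7)" = yes ] || { echo old-not-expiring; exit 1; }
    [ "$(expires_within_days server_new.crt 7)" = no ] || { echo new-expiring; exit 1; }
    # Same DN and same public key as before ...
    [ "$(openssl x509 -in server.crt -noout -subject)" = \
      "$(openssl x509 -in server_new.crt -noout -subject)" ] || { echo dn-changed; exit 1; }
    [ "$(openssl x509 -in server_new.crt -noout -pubkey)" = \
      "$(openssl pkey -in server.key -pubout)" ] || { echo key-changed; exit 1; }
    # ... and it verifies against the UNCHANGED ca.crt the clients already have.
    openssl verify -CAfile ca.crt server_new.crt >/dev/null 2>&1 || { echo verify-failed; exit 1; }
    cd / && rm -rf "$dir"
    echo renewed
)

renew_demo
```

On a real easy-rsa server you would point renew_server_cert at keys/server.crt, keys/server.key, keys/ca.crt and keys/ca.key, swap the new file in for the `cert` line of the OpenVPN config, and leave the `ca` line and the clients untouched; run expires_within_days against ca.crt as well, since an expired CA is the one case where the clients do need a new file.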
abdel
Updated on September 18, 2022
Comments
-
abdel over 1 year
I have a problem with the CA certificate on openvpn: it has expired and clients cannot connect. I tried to create a new certificate with the ca.key, but it did not work.
Here is the command I used to create the new certificate:
openssl x509 -in ca.crt -days 3650 -out ca_new.crt -signkey ca.key
After that I changed the openvpn configuration file to point at the new certificate, ca_new.crt.
Here is my config file:
port 1194
proto udp
dev tun
client-to-client
ca easy-rsa/keys/ca_new.crt
cert easy-rsa/keys/server.crt
key easy-rsa/keys/server.key
#crl-verify easy-rsa/keys/crl.pem
dh easy-rsa/keys/dh1024.pem
server 10.0.0.0 255.255.0.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
keepalive 10 120
#tls-auth easy-rsa/keys/ta.key 0
#cipher DES-EDE3-CBC
comp-lzo
max-clients 16129
user nobody
group nobody
persist-key
persist-tun
status status.log
verb 3
tun-mtu 1500
mssfix 1392
When I check the new certificate using this command:
openssl verify -CAfile ca_new.crt server.crt
I get this message:
server.crt: /C=FR/ST=Nord/L=Annoeullin/O=CALEO-CTC/CN=server/[email protected]
error 10 at 0 depth lookup:certificate has expired
OK
This is the status.log file:
OpenVPN CLIENT LIST
Updated,Wed Sep 2 14:38:32 2015
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
UNDEF,193.248.149.52:48211,343,3344,Wed Sep 2 14:38:21 2015
UNDEF,193.50.22.130:33870,341,4712,Wed Sep 2 14:38:16 2015
UNDEF,193.252.209.244:38024,343,7448,Wed Sep 2 14:38:04 2015
UNDEF,82.127.230.103:55210,343,7904,Wed Sep 2 14:38:01 2015
UNDEF,193.50.22.130:54559,341,12920,Wed Sep 2 14:37:35 2015
UNDEF,194.206.44.228:28159,343,4712,Wed Sep 2 14:38:16 2015
UNDEF,92.155.150.105:35158,343,1976,Wed Sep 2 14:38:29 2015
UNDEF,213.30.150.186:50232,343,3800,Wed Sep 2 14:38:21 2015
......................
......................
......................
UNDEF,80.13.217.56:51206,342,5624,Wed Sep 2 14:38:12 2015
UNDEF,194.206.44.228:29930,343,3344,Wed Sep 2 14:38:22 2015
UNDEF,92.155.150.105:45657,343,2888,Wed Sep 2 14:38:23 2015
UNDEF,92.147.131.148:50109,343,9272,Wed Sep 2 14:37:53 2015
UNDEF,109.6.229.178:59124,343,12920,Wed Sep 2 14:37:39 2015
UNDEF,194.206.44.228:32420,343,13376,Wed Sep 2 14:37:34 2015
UNDEF,109.6.229.178:35403,343,2432,Wed Sep 2 14:38:26 2015
UNDEF,82.127.230.103:58576,343,12920,Wed Sep 2 14:37:39 2015
UNDEF,185.39.170.34:20415,343,7904,Wed Sep 2 14:38:02 2015
UNDEF,185.39.170.34:20407,343,11096,Wed Sep 2 14:37:46 2015
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
GLOBAL STATS
Max bcast/mcast queue length,0
END
On the client computers there are 4 files:
- client.crt
- client.key
- ca.crt
- config.ovpn
How can I further troubleshoot the issue to figure out the problem? What is the problem?
-
abdel over 8 years
Thanks for your answer, I built a new server key and certificate. My goal is to not change anything on the client computers. Is that possible without distributing the new CA cert?
-
dave_thompson_085 over 8 years
@abdel If the old CA cert hasn't expired (and assuming the new server cert is issued using either the old CA cert or a new CA cert that has the same key, Subject=Issuer for CA, and serial, which your x509 -signkey would) then your new server cert will work for a client that has/keeps the old CA cert.
-
abdel over 8 years
Thanks for your answer, but what will happen if the old CA cert has expired? Clients can't connect until I replace the old CA with the new one?
-
dave_thompson_085 over 8 years
If a CA cert has expired, it is no longer valid and a client using it won't trust the cert(s) issued and verified under it, so yes, you will need to distribute and install a new CA cert. That's the main reason a CA cert usually has a long validity period, and the CA must keep its private key secure for that longer time.