OpenVPN server in 2.27 - certificate expiration

Greetings,

Is there any way to extend the OpenVPN CA certificate beyond 30 days? Otherwise, every 30 days you have to “regenerate” the file through the GUI, download, export, etc. I tried changing openssl.cnf:

default_days = 3650 # how long to certify for
default_crl_days= 3650 # how long before next CRL

…but it appears that the web API doesn’t use openssl (or at least this config file) to generate the certificate.

Thanks!

1 Like

Upgraded to 3.003 and no difference. Certificate still expires in 1 month.

Understood. Will have a check.
@kyson-lok

1 Like

It is weird. Its validity period is 3650 days; you can check the /usr/bin/cert_manager file. But we will investigate this issue.

1 Like

@bstn I found the issue. It is caused by a missing expiration time for the signed certificate. Will fix it. Please change the function create_certificates in /usr/bin/cert_manager as follows.

create_certificates() {
        # CA Authority
        openssl req -nodes -x509 -days 3650 -newkey rsa:2048 -outform PEM -out \
                $CA_CRT -keyout $CA_KEY -sha1 -subj '/CN=OpenVPN CA' >/dev/null 2>&1

        # Server certificate
        openssl req -nodes -days 3650 -newkey rsa:2048 -outform PEM -out \
                $SERVER_CSR -keyout $SERVER_KEY -sha1 -subj '/CN=OpenVpn server' >/dev/null 2>&1
        # Sign request
        openssl x509 -days 3650 -req -in $SERVER_CSR -CA $CA_CRT -CAkey $CA_KEY \
                -CAcreateserial -clrext -out $SERVER_CRT -sha1 >/dev/null 2>&1

        # Client certificate
        openssl req -nodes -days 3650 -newkey rsa:2048 -outform PEM -out \
                $CLIENT_CSR -keyout $CLIENT_KEY -sha1 -subj '/CN=OpenVpn client' >/dev/null 2>&1
        # Sign request
        openssl x509 -days 3650 -req -in $CLIENT_CSR -CA $CA_CRT -CAkey $CA_KEY \
                -CAcreateserial -clrext -out $CLIENT_CRT -sha1 >/dev/null 2>&1

        # Create Diffie-Hellman Key
        #openssl dhparam -out $DH_KEY 1024 >/dev/null 2>&1

        # Create TLS Key
        # openvpn --genkey --secret $TA_KEY
        return 0
}

1 Like
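To see the cause of the one-month expiry for yourself, here is an added example (not from the thread or from the cert_manager script): it builds a throwaway CA and CSR in a temporary directory, signs the CSR once without `-days` and once with `-days 3650`, and checks each result with `openssl x509 -checkend`. It assumes only that `openssl` is on the PATH; the names are hypothetical and it uses `-sha256` rather than the script's `-sha1`.

```shell
#!/bin/sh
# Added example: `openssl x509 -req` ignores the -days given at CSR time and
# defaults to 30 days when -days is omitted from the signing step itself.
set -e
WORK=$(mktemp -d)   # constructed scratch directory, removed by the OS later

# Return 0 if the certificate in $1 is still valid $2 days from now, else 1.
# `-checkend` takes seconds, so convert days here.
cert_valid_after_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Print the notAfter date of $1, handy when auditing an existing deployment.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Throwaway CA (3650 days) and one server CSR, mirroring cert_manager's layout.
make_ca_and_csr() {
    openssl req -nodes -x509 -days 3650 -newkey rsa:2048 -out "$WORK/ca.crt" \
        -keyout "$WORK/ca.key" -sha256 -subj '/CN=Example CA' >/dev/null 2>&1
    openssl req -nodes -days 3650 -newkey rsa:2048 -out "$WORK/server.csr" \
        -keyout "$WORK/server.key" -sha256 -subj '/CN=Example server' >/dev/null 2>&1
}

# Sign the same CSR twice: as the broken script did (no -days) and as fixed.
sign_both_ways() {
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -out "$WORK/short.crt" -sha256 >/dev/null 2>&1
    openssl x509 -req -days 3650 -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/long.crt" -sha256 >/dev/null 2>&1
}

make_ca_and_csr
sign_both_ways
echo "without -days:   notAfter=$(cert_not_after "$WORK/short.crt")"
echo "with -days 3650: notAfter=$(cert_not_after "$WORK/long.crt")"
```

The same `cert_valid_after_days` check against the router's live server certificate is a quick way to confirm the fix took effect after running the regeneration commands.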

Thank you!!! @kyson-lok
I will test by the end of the day today!
Enjoy your weekend.

@kyson-lok Thank you! It worked!!! Certificate expiration is now 10 years.
Great job on the fix.
Now, I’ve noticed that the 3.003 VPN Server GUI doesn’t have a re-generate button like 2.27 had, but I was able to SSH in and run “cert_manager force” and “gen_ovpn force” to re-generate the certificates from the command line.

Again - really appreciate you looking into this problem and fixing it.

Enjoy your weekend!

Thanks for your feedback. Yup! The GUI has no re-generate button. If the certificate expiration is 10 years, would any users want to re-generate? If someone needs this feature, we can add it.

Makes sense, but here are a couple of thoughts: how do you generate the initial OpenVPN settings in the new GUI? Or, if you believe your .ovpn file got compromised and want to re-generate it?

Also, having an audit log in the GUI for OpenVPN connections to the server may prove to be valuable from the security standpoint.

And the last thing: having a field in the OpenVPN server config settings GUI to type in a custom IP or FQDN (useful for DDNS) so it is saved in the .ovpn file will allow novice users to start using it without having to edit it by hand. It currently saves it with the public IP, but with DHCP that IP will not be long-lived.

These are just my suggestions. Love your products and I wish you luck and success with your company. Thank you again for fixing the problem so quickly.

Thanks for your suggestion. It is a good idea.

1 Like