Is there any way to extend the OpenVPN CA certificate beyond 30 days? Otherwise, every 30 days you have to “regenerate” the file through the GUI, download, export, etc. I tried changing openssl.cnf:
default_days = 3650 # how long to certify for
default_crl_days= 3650 # how long before next CRL
…but it appears that the web API doesn’t use openssl (or at least this config file) to generate the certificate.
@bstn I found the issue. It is caused by a missing expiration time for the signed certificate. Will fix it. Please change the function create_certificates in /usr/bin/cert_manager as follows.
@kyson-lok Thank you! It worked!!! Certificate expiration is now 10 years.
Great job on a fix.
Now, I’ve noticed that the 3.003 VPN Server GUI doesn’t have a re-generate button like 2.27 had, but I was able to SSH in and run “cert_manager force” and “gen_ovpn force” to re-generate the certificates from the command line.
Again - really appreciate you looking into this problem and fixing it.
Thanks for your feedback. Yup! The GUI has no re-generate button. If the certificate expiration is 10 years, would any users want to re-generate? If someone needs this feature, we can add it.
Makes sense, but here are a couple of thoughts: how do you generate the initial OpenVPN settings in the new GUI? Or, if you believe your .ovpn file got compromised and want to re-generate it?
Also, having an audit log in the GUI for OpenVPN connections to the server may prove to be valuable from the security standpoint.
And the last thing, having a field in the OpenVPN server config setting GUI to type in a custom IP or FQDN (useful for DDNS) so it is saved in the .ovpn file will allow novice users to start using it without having to edit it by hand. It currently saves it with a public IP, but with DHCP that IP will not be long lived.
These are just my suggestions. Love your products, and I wish you luck and success with your company. Thank you again for fixing the problem so quickly.
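An added example, not part of the thread and not the vendor's cert_manager code: a way to confirm how long a regenerated certificate actually stays valid, using `openssl x509 -checkend`. The certificates here are throwaway ones constructed in a temp directory, and the function names are hypothetical; point `report` at the CA or client certificate from your own router or .ovpn file instead.

```shell
#!/bin/sh
# Added example: all file names and certificates below are constructed for the demo.

# Succeeds (exit 0) if the certificate in $1 is still valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Create a throwaway self-signed certificate at path $1 that lasts $2 days.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=demo-ca" -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Print whether certificate $1 outlives $2 days, then its notAfter date.
report() {
    if valid_for_days "$1" "$2"; then
        echo "$1: valid for at least $2 more days"
    else
        echo "$1: expires within $2 days"
    fi
    openssl x509 -in "$1" -noout -enddate
}

# Compare a 30-day certificate with a 10-year one against a 1-year requirement.
demo() {
    tmp=$(mktemp -d) || return 1
    make_demo_cert "$tmp/short.crt" 30
    make_demo_cert "$tmp/long.crt" 3650
    report "$tmp/short.crt" 365
    report "$tmp/long.crt" 365
    rm -rf "$tmp"
}

demo
```

Running the same `report` check after each regeneration shows whether the new certificate picked up the intended lifetime before the .ovpn file is handed out to clients.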