OPNsense Forum

Archive => 16.1 Legacy Series => Topic started by: Hektor on January 04, 2017, 12:17:29 am

Title: OpenVPN - server certificate expired - how to renew or create a new one?
Post by: Hektor on January 04, 2017, 12:17:29 am
Hello and Happy New Year!

I'm running the following OPNsense version at the moment with an OpenVPN server for road warriors:
OPNsense 16.1.20-amd64
FreeBSD 10.2-RELEASE-p19
OpenSSL 1.0.2h 3 May 2016

The OpenVPN Server Mode is set to "Remote Access (SSL/TLS + User Auth)" and everything was running just fine without any issues. I think I'm required to create a new certificate based on the old one and create some certificate chain? I also think I need to increase the OpenVPN server setting "Certificate Depth" from "One" to "Do Not check" just to be sure.

Unfortunately the OpenVPN server certificate expired recently and I'm unable to renew it or create a new certificate based on the original one.

If anyhow possible I don't want to update each and every client but only the server side.

How can I fix that? Some openssl magic is needed, I think.

Btw. I located the OpenVPN configuration here:
/var/etc/openvpn/server1.[ca|cert|key] and so on

I found that link but it's pretty verbose and a really complicated topic:
http://serverfault.com/questions/306345/certification-authority-root-certificate-expiry-and-renewal

Please let me know if you need more details.
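As an added example that is not part of this thread: a POSIX shell script using openssl to show that a server certificate re-issued under the CA the clients already trust validates without touching a single client, plus the expiry check a monitoring job should run. It assumes the CA key is still at hand and unexpired and that the server CN stays the same; the CA, key and CN values are constructed, and the file names only mimic the /var/etc/openvpn/server1.* layout mentioned above.

```shell
#!/bin/sh
# Added example, not from the thread: re-issue an OpenVPN server certificate
# under the CA the clients already trust, then prove the chain with openssl.
# Runs in a scratch dir; names mirror /var/etc/openvpn/server1.{ca,cert,key}.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Stand-in for the existing CA (constructed here). In the real setup this is
# the CA from System: Trust whose certificate every road-warrior client carries.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -subj "/CN=example-openvpn-ca" -keyout ca.key -out server1.ca >/dev/null 2>&1
openssl genrsa -out server1.key 2048 >/dev/null 2>&1

# Issue (or re-issue) server1.cert for $1 days from the same server key and
# the same CA. Keeping the CA and the CN means clients, which validate the CA
# signature and the expected name rather than the cert bytes, need no change.
issue_server_cert() {
  openssl req -new -key server1.key -subj "/CN=openvpn-server" \
    -out server1.csr >/dev/null 2>&1
  openssl x509 -req -in server1.csr -CA server1.ca -CAkey ca.key \
    -CAcreateserial -days "$1" -out server1.cert >/dev/null 2>&1
}

# 0 if server1.cert is still valid $1 seconds from now: the expiry check a
# monitoring job should run so the next expiry is caught before clients fail.
valid_for_seconds() {
  openssl x509 -in server1.cert -noout -checkend "$1" >/dev/null 2>&1
}

# 0 if server1.cert chains to server1.ca and is inside its validity period at
# epoch second $1 (-attime makes the result independent of when this runs).
chain_valid_at() {
  openssl verify -attime "$1" -CAfile server1.ca server1.cert >/dev/null 2>&1
}

THREE_DAYS_ON=$(( $(date +%s) + 3 * 86400 ))
issue_server_cert 1                       # the old, about-to-expire server cert
printf 'old cert still valid in 3 days: %s\n' \
  "$(chain_valid_at "$THREE_DAYS_ON" && echo yes || echo no)"   # no
issue_server_cert 365                     # renewed under the same CA
printf 'renewed cert valid in 3 days:  %s\n' \
  "$(chain_valid_at "$THREE_DAYS_ON" && echo yes || echo no)"   # yes
```

The same verify step, run against the real server1.ca and a candidate server1.cert, tells you before restarting OpenVPN whether the clients' existing CA will accept the new certificate.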
Title: Re: OpenVPN - server certificate expired - how to renew or create a new one?
Post by: franco on January 04, 2017, 07:58:41 am
Hi Hektor,

Happy new year! :)

You can create a new certificate authority and user certificates from System: Trust. It should be relatively easy to mimic the settings of the expired certificates. You can view them from there, too.

Generating new certificate authorities entails switching user certificates, or finding the right options to ignore the expiry within OpenVPN itself. We, however, don't recommend this.


Cheers,
Franco
Title: Re: OpenVPN - server certificate expired - how to renew or create a new one?
Post by: Hektor on January 08, 2017, 10:27:26 pm
Short update:
I ended up reinstalling the complete firewall...

I didn't find a way to renew or exchange the OpenVPN server certificate only without updating all clients which is really bad. I hope that was my mistake and it can be fixed with some nice and simple "Update OpenSSL Server Certificate for the next X Years" button in the GUI.

So I also thought "ok, let's do an upgrade, too, since there have been a couple of new releases I skipped" and what should I say?

The update to 16.1.12 failed miserably and I had to drive into the company. Apparently there was some bug with FreeBSD running on Hyper-V so the box didn't boot properly anymore. I think it was related to that somehow:
https://forum.pfsense.org/index.php?topic=109952.0

Nevertheless I managed to boot the machine, back up the config so I didn't have to set up everything by hand again and install 17.1b, which seems to work great so far.

But apart from that really bad situation, OPNsense is still a really nice project which worked without any problems - it just needs to be set up and then it will run and do its work ;-)
Title: Re: OpenVPN - server certificate expired - how to renew or create a new one?
Post by: franco on January 09, 2017, 01:08:23 pm
Hi Hektor,

In the EOL Message for 15.7, the Hyper-V disk issue was mentioned as follows:

The FreeBSD version changes from 10.1 to 10.2, mainly for driver updates and general sanity. If you're running Hyper-V, your installed disk may change from /dev/ada0 to /dev/da0 and the system will not boot as a consequence. You can fix this by manually editing /etc/fstab before performing the major upgrade. A reinstall using the import configuration and quick/easy install will work just as well.

I don't know how this would happen if 16.1.20 was already up and running?

Since 16.7, the installer writes persistent UFS/GPT labels that will avoid such issues in the future.

Certificates are created with a default lifetime of 365 days, and whenever users can create these, the lifetime can be edited. If we missed a spot, please let us know.


Cheers,
Franco