openvpn certificate expired

[necroshine]

Hi,

I have setup openvpn a long time ago, and today I got a certificate expired error when trying to connect.

I have already created a new CA, a new server certificate, I changed the OpneVPN server with the news CA and certificate, I created new user certificate, I removed de old one from the vpn client and imported the new one, but the problem persists.

I have already rebooted opnsense, I also tried creating a new openvpn server but its always the same error, don't know more what to do, can anyone help? Thank you

OPNsense version: OPNsense 22.7_4-amd64


Error log:

2023-06-22 15:18:45 VERIFY ERROR: depth=1, error=certificate has expired: C=PT, ST=xxxxx, L=xxxxx, O=xxxxx, emailAddress=xxxxx, CN=internal-sslopenvpn-ca, serial=0
2023-06-22 15:18:45 OpenSSL: error:0A000086:SSL routines::certificate verify failed
2023-06-22 15:18:45 TLS_ERROR: BIO read tls_read_plaintext error
2023-06-22 15:18:45 TLS Error: TLS object -> incoming plaintext read error
2023-06-22 15:18:45 TLS Error: TLS handshake failed

[kd.gundermann]

ooh, my certificate also expired today. The docs at https://docs.opnsense.org/manual/how-tos/sslvpn_client.html told me to create a SSL VPN CA with only a lifetime of 365 days.
Shouldn't the CA be valid for a longer time ??
As the CA expired we have to replace all Client certificates ??

I will be trying to create new certificates and will report back

[kd.gundermann]

So OpenVPN is running again.

Steps I have taken:
- create new SSL VP CA
- create new SSLVPN Server Certificate
- change VPN->OpenVPN->Servers. Peer Certificate Authority and Server Certificate
- create new User Certificates (System->Access->Users) using as Certificate Authority the new CA
- export new Client config: VPN->OpenVPN->ClientExport