Sudden peer certificate verification failure

Started by kaneelschep, August 31, 2023, 10:03:33 PM

Hi all.


I have been using OpenVPN for quite some time now without problems. Since last Thursday though, I get this error on all clients.
Peer certificate verification failure.
Nothing changed on server. Maybe client got updated?
Was there some change in certification rules or so? Can it be expired?
Anyone have an idea?

Thanks!

> Can it be expired?

That would be my guess in lack of more information.


Cheers,
Franco

I am sorry I don't have more info at the moment. I am on holiday. That's the whole reason I was using the VPN ;)

And does anyone happen to know the standard expiration date? I thought it was 10 years?

It's whatever was set when created.
If I remember correctly 10 years is for CA, not for server/client certs.

Expiration date depends on how it was created.  Also, there has been a push from various places to reduce the length of time certs are valid for but I'm not sure if that applies to VPNs.

Not so much for CAs though, that I know of. This push indeed has been happening but is more for clients of web servers.

So I got home.
SSLVPN Server Certificate has indeed expired.
It was only valid for a year. User certificate is also almost expired.

I set it up myself, I guess a year ago, using a guide.
I am still learning about what I actually did and how it affects everything. I never did this before.

As I read, there is no simple renewal option. I just have to remake the certificate. And the user.
Is that right?

Technically speaking there is no option to renew a certificate, that is to extend the validity only. Not with openssl that I know of.
That said if you kept your original csr from last time you created it, you can reuse that csr to generate the new cert and then all its attributes are kept.
You don't need to recreate a user.

Ah yes, I meant the user certificate, as it also expired. I use OTP.

I made new certificates, not noticing the authority was also expired. ;)
So I did everything twice. I guess I won't forget anymore now.

My VPN works like before again.
Thanks!
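
Added example, not part of the thread: a small shell check that flags CA, server and user certificates before they expire, and shows that reissuing from a kept CSR preserves the subject and key. It assumes the `openssl` CLI and certificates exported as PEM files; every name, subject and path in it is constructed for the demo.

```shell
#!/bin/sh
# Added example. All names, subjects and paths below are constructed for the demo.

# cert_status FILE WARN_DAYS -> prints EXPIRED, EXPIRING, OK or UNREADABLE
cert_status() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || { echo UNREADABLE; return; }
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then
        echo EXPIRED
    elif ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
        echo EXPIRING
    else
        echo OK
    fi
}

# same_identity A B -> succeeds if both certs carry the same subject and public key
same_identity() {
    [ "$(openssl x509 -in "$1" -noout -subject -pubkey)" = \
      "$(openssl x509 -in "$2" -noout -subject -pubkey)" ]
}

# make_demo_certs DIR: throwaway CA, one CSR, and two certs issued from that CSR.
# Real server/client certs also need their extensions supplied (e.g. via -extfile).
make_demo_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Demo VPN CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    for spec in old:1 new:365; do   # "old" is about to expire, "new" is the reissue
        openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
            -CAcreateserial -days "${spec#*:}" -out "$1/server-${spec%%:*}.crt" 2>/dev/null
    done
}

# With arguments: report each PEM file. Without: run the constructed demo.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do printf '%-10s %s\n' "$(cert_status "$f" 30)" "$f"; done
else
    d=$(mktemp -d) && make_demo_certs "$d"
    for f in ca.crt server-old.crt server-new.crt; do
        printf '%-10s %s\n' "$(cert_status "$d/$f" 30)" "$f"
    done
    same_identity "$d/server-old.crt" "$d/server-new.crt" && echo "reissue kept subject and key"
    rm -rf "$d"
fi
```

Run it with the exported CA, server and user certificate files as arguments to see which of the three is closest to expiry.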