Koozali.org: home of the SME Server

Obsolete Releases => SME 9.x Contribs => Topic started by: Arnie on December 30, 2019, 06:57:03 AM

Title: Issue with PHPKI or OpenVPN.
Post by: Arnie on December 30, 2019, 06:57:03 AM
Hi all,

For the second time in about a month, OpenVPN (both bridged and routed) has stopped authenticating users with a "CRL has expired" error. The last time this happened on November 26th, I recreated all the certs (lasting the max 5 years) with PHPKI and got it all working again.

Today, about 35 days since the last time, it has happened again. I never had this issue when I was running SME8 but since I upgraded to SME9 on November 12th, this has happened twice.

I am not sure if this is an issue with PHPKI or OpenVPN but I am leaning toward PHPKI at this point. Has anyone else seen this behavior. I could recreate and deploy the certs again but will I have to do it again in another 35 days?

Please help.

Thanks.
Title: Re: Issue with PHPKI or OpenVPN.
Post by: ReetP on December 30, 2019, 10:18:18 AM
It isn't anything to do with v8/v9.

Have read about "CRL has expired" online.

Just wondering if you generated certs for 35 days and not 365 days? Or more?

Haven't got time to check now. Will look later unless someone else beats me to it.

Title: Re: Issue with PHPKI or OpenVPN.
Post by: Arnie on December 30, 2019, 12:44:15 PM
Just wondering if you generated certs for 35 days and not 365 days? Or more?

When you create a cert with PHPKI the "Certificate Life" field is a listbox with selections for 3 months, 6 months, 1, 2, 3, 4 and 5 years, so there is no way of generating a cert of only 35 days' duration if you use the GUI.
Title: Re: Issue with PHPKI or OpenVPN.
Post by: Arnie on December 30, 2019, 01:23:44 PM
O.K. I needed to get OpenVPN working again so I revoked the server cert and created a new one, as just renewing the old cert didn't fix the issue. OpenVPN is now working again.

After some poking around I found the following...

"/opt/phpki/phpki-store/config/openssl.cnf" has "default_crl_days = 30" defined in it. As I had not used OpenVPN in over a week, it is likely the CRL expired after 30 days and I didn't notice until I just happened to use it on the 35th day.

"/etc/cron.weekly/php_update_crl" is supposed to update the CRL every week. I have checked the cron logs and it is running every 7 days. Running the script manually does update the "nextUpdate" field of the CRL successfully.

The next thing to do is check back in a week and see if the nextUpdate field of the CRL has been updated by the cron script.
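The check Arnie describes doing by hand (look at the CRL's nextUpdate field, see whether the weekly cron job refreshed it) is exactly the kind of thing that should be automated, because a CRL that lives 30 days but is only refreshed every 7 gives you no warning before OpenVPN starts rejecting everyone. The following is an added example written for this thread, not code from the forum, PHPKI or the OpenVPN contrib. It reads the nextUpdate field through the openssl CLI, reports how many days are left, and exits non-zero when the CRL has expired or is within a warning window. The CRL path, the warning threshold and the exit-code convention are assumptions, not anything the thread states.

```python
"""Check whether a PHPKI-issued CRL is still valid and how long it has left.

Added example, not part of the forum thread or of PHPKI/OpenVPN: a small
monitoring check that reads the CRL's nextUpdate field (as printed by
"openssl crl -noout -nextupdate") and complains if the weekly cron job has
let it expire or is about to.
"""
import datetime as dt
import shutil
import subprocess
import sys

# Assumption: where PHPKI writes the CRL that OpenVPN reads.  Adjust to
# whatever "crl-verify" points at in your OpenVPN server config.
DEFAULT_CRL_PATH = "/opt/phpki/phpki-store/CA/ca.crl"  # hypothetical path

# The CRL is regenerated weekly but only lives 30 days (default_crl_days = 30),
# so warn when fewer than this many days remain: a missed weekly run then
# shows up before OpenVPN starts rejecting logins.  Threshold is our choice.
WARN_DAYS = 14


def parse_nextupdate(line):
    """Turn 'nextUpdate=Jan 29 12:00:00 2020 GMT' into an aware UTC datetime."""
    key, _, value = line.strip().partition("=")
    if key != "nextUpdate" or not value:
        raise ValueError("not a nextUpdate line: %r" % line)
    # openssl pads single-digit days with a space ('Jan  5 ...'); collapse it.
    value = " ".join(value.split())
    when = dt.datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
    return when.replace(tzinfo=dt.timezone.utc)


def crl_status(nextupdate_line, now=None, warn_days=WARN_DAYS):
    """Return (state, days_left); state is 'EXPIRED', 'WARNING' or 'OK'."""
    now = now or dt.datetime.now(dt.timezone.utc)
    next_update = parse_nextupdate(nextupdate_line)
    remaining = next_update - now
    days_left = remaining.total_seconds() / 86400.0
    if remaining.total_seconds() <= 0:
        return "EXPIRED", days_left
    if days_left < warn_days:
        return "WARNING", days_left
    return "OK", days_left


def read_nextupdate(crl_path):
    """Ask the openssl CLI for the CRL's nextUpdate field (first output line)."""
    openssl = shutil.which("openssl")
    if openssl is None:
        raise RuntimeError("openssl binary not found")
    out = subprocess.run(
        [openssl, "crl", "-noout", "-nextupdate", "-in", crl_path],
        capture_output=True, text=True, check=True,
    ).stdout
    return out.strip().splitlines()[0]


def main(argv):
    crl_path = argv[1] if len(argv) > 1 else DEFAULT_CRL_PATH
    state, days_left = crl_status(read_nextupdate(crl_path))
    print("%s: %s nextUpdate in %.1f days" % (state, crl_path, days_left))
    # Nagios-style exit codes: 0 ok, 1 warning, 2 critical.
    return {"OK": 0, "WARNING": 1, "EXPIRED": 2}[state]


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it daily from cron (or as a monitoring plugin) pointed at the CRL file OpenVPN's `crl-verify` directive references; a WARNING a week or more before expiry is the signal that `php_update_crl` has stopped doing its job. If it reports EXPIRED, a fresh CRL can be produced from the same PHPKI config with `openssl ca -config /opt/phpki/phpki-store/config/openssl.cnf -gencrl -out <crl file>` while you work out why the cron run did not.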
Title: Re: Issue with PHPKI or OpenVPN.
Post by: ReetP on December 30, 2019, 02:52:24 PM
Ok.

Was just going to say: read here on migrating OpenVPN bridge certs etc.

https://wiki.contribs.org/PHPki

Hopefully you have solved it.
Title: Re: Issue with PHPKI or OpenVPN.
Post by: Jean-Philippe Pialasse on December 31, 2019, 09:09:31 AM
Also to note: the max cert life you can get is 10 or 15 years.
I also never had an issue migrating my servers to keep having clients connecting over the years... until the server certs expired.
This is not an issue, this is by design. So be prepared to access the remote server to update them before it arrives ;).