creator: https://github.com/BananaSorcery
I. Issue
- When trying to connect to the Dev bastion host (EC2), I encountered an error in OpenVPN.

- I use Fleet Manager on AWS to shell into the bastion host.
- After checking, I saw that the certificate for OpenVPN had expired. The expiration date is
Feb 17 06:23:26 2025 GMT
(check the OUTPUT below).
#Command to check
# grep works on the .crt directly because easy-rsa writes a human-readable dump above the PEM block
cat /etc/openvpn/server_jgJkjLf9OGIe5v1Z.crt | grep "Not After"
>> OUTPUT <<
Not After : Feb 17 06:23:26 2025 GMT
II. Solution
DO NOT RUN ./easyrsa init-pki
under any circumstances while fixing this. It wipes the easy-rsa pki directory (the CA, the server certificate and every client certificate and key), so every existing user would have to be issued a new certificate and a new client profile.
1. Back up the
/etc/openvpn
folder (it holds ca.crt, the server key and the easy-rsa pki directory)
cp -a /etc/openvpn /path/to/backup/openvpn_backup   # -a keeps ownership and the restrictive modes on private keys
2. Check the Common Name (CN) of the current OpenVPN server certificate. In my case, the server name is server_jgJkjLf9OGIe5v1Z. The new certificate must use exactly this CN: the cert and key directives in the server config refer to these file names, and clients that pin the server name (verify-x509-name) check it.
openssl x509 -in server_jgJkjLf9OGIe5v1Z.crt.old -text -noout | grep "Subject:"
>> OUTPUT <<
Subject: CN = server_jgJkjLf9OGIe5v1Z
3. Go to the easy-rsa folder (the pki/ directory and the vars file live here)
cd /etc/openvpn/easy-rsa/
4. Check the Certificate Authority (CA) expiration date. If the CA is still valid, the new server certificate can be signed by the same CA and all existing client certificates and .ovpn profiles keep working unchanged.
openssl x509 -in pki/ca.crt -text -noout | grep "Not After"   # pki/ca.crt is the same certificate as /etc/openvpn/ca.crt
>> OUTPUT <<
Not After : Feb 16 03:43:16 2035 GMT
5. Skip this step if the CA is not expired (in the check above it is valid until 2035). Only rebuild the CA when it has expired, and be aware of the cost: a new CA invalidates every client certificate issued by the old one, so every client then needs a new certificate and an updated .ovpn profile containing the new ca.crt.
./easyrsa build-ca nopass # Or with a password if preferred
>> OUTPUT <<
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1  11 Sep 2018
read EC key
writing EC key
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:server_jgJkjLf9OGIe5v1Z
At the prompt Common Name (eg: your user, host, or server name) [Easy-RSA CA]: the notes enter the server name server_jgJkjLf9OGIe5v1Z. The CA's CN is independent of the server certificate's CN (that one is fixed in step 6), so the default Easy-RSA CA works just as well and keeps the two certificates easy to tell apart.
6. Build the server certificate, signed by the still valid CA, with the same CN as the old one
./easyrsa build-server-full server_jgJkjLf9OGIe5v1Z nopass # Or with a password
If easy-rsa refuses because pki/reqs/server_jgJkjLf9OGIe5v1Z.req, pki/private/server_jgJkjLf9OGIe5v1Z.key or pki/issued/server_jgJkjLf9OGIe5v1Z.crt still exist from the original issuance, move those files aside (they are also in the backup from step 1) and run the command again.
7. Generate Diffie-Hellman parameters. This is optional: dh.pem has no expiry date and is unrelated to the certificate, so the existing /etc/openvpn/dh.pem can be kept; regenerating it only costs time.
./easyrsa gen-dh
8. Copy the certificates and keys to the OpenVPN directory. The OpenVPN server only needs ca.crt, its own certificate and key, and dh.pem; the CA private key is never read by the server, so leave it in pki/private instead of spreading it into /etc/openvpn.
cd pki                                                # Go to the pki directory
cp ca.crt /etc/openvpn/
cp issued/server_jgJkjLf9OGIe5v1Z.crt /etc/openvpn/
cp private/server_jgJkjLf9OGIe5v1Z.key /etc/openvpn/
chmod 600 /etc/openvpn/server_jgJkjLf9OGIe5v1Z.key   # the server key must not be readable by other users
# cp private/ca.key /etc/openvpn/                     # not needed: OpenVPN never uses the CA private key
cp dh.pem /etc/openvpn/
cd ..                                                 # Go back to the easy-rsa directory
9. Restart the OpenVPN server to apply the changes. The openvpn@server unit reads /etc/openvpn/server.conf, so its ca, cert, key and dh directives must point at the file names copied in step 8.
systemctl restart openvpn@server.service
Afterwards confirm the unit is active (systemctl status openvpn@server.service) and re-run the Not After check from section I against /etc/openvpn/server_jgJkjLf9OGIe5v1Z.crt: the date should now be years in the future, and a client connection should succeed.
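The procedure above has two branches (server certificate only, or CA plus everything issued by it), and which one applies decides how much work and client disruption follows. The following script is an added example, not part of the original notes and not code from easy-rsa or OpenVPN: a pre-flight check that answers that question with openssl alone, before anything in the PKI is touched. It also confirms that the server certificate was actually issued by the CA on disk, since a renewed server certificate must come from the same CA or every client profile (which embeds ca.crt) stops validating the server. The 30-day warning window, the renewal_plan/issued_by function names and the throwaway demo PKI built by make_demo_pki so that the script runs stand-alone are all assumptions; the file paths in the comments are the ones from the notes.

```shell
#!/bin/sh
# Added example (not from the original notes, easy-rsa or OpenVPN): decide which
# renewal steps apply before touching the PKI. Needs only openssl. The 30-day
# window and the constructed demo PKI below are assumptions.
set -eu

# True (exit 0) when the certificate in $1 is expired or will expire within $2
# days. "openssl x509 -checkend N" exits 0 while the cert is still valid at
# now+N seconds and 1 otherwise, so the result is negated.
cert_expires_within_days() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# True when the certificate in $2 names the CA in $1 as its issuer. The
# subject/issuer prefixes differ ("subject=" vs "issuer="), so strip them.
issued_by() {
    ca_subject=$(openssl x509 -in "$1" -noout -subject | cut -d= -f2-)
    crt_issuer=$(openssl x509 -in "$2" -noout -issuer | cut -d= -f2-)
    [ "$ca_subject" = "$crt_issuer" ]
}

# Print one word: what has to be renewed for CA $1 and server cert $2
# (warning window in days as optional $3, default 30).
#   mismatch  the server cert was not issued by this CA; sort that out first
#   ca        the CA itself is (nearly) expired: steps 5-9, then reissue every
#             client certificate and ship new .ovpn files with the new ca.crt
#   server    only the server certificate: steps 6-9, clients keep working
#   ok        nothing to do yet
renewal_plan() {
    days=${3:-30}
    if ! issued_by "$1" "$2"; then
        echo mismatch
    elif cert_expires_within_days "$1" "$days"; then
        echo ca
    elif cert_expires_within_days "$2" "$days"; then
        echo server
    else
        echo ok
    fi
}

# Constructed demo data, not a real PKI: a throwaway EC CA and a server cert
# signed by it in directory $1, CA valid $2 days, server cert valid $3 days,
# CA name in optional $4.
make_demo_pki() {
    mkdir -p "$1"
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -days "$2" -subj "/CN=${4:-Easy-RSA CA}" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "/CN=server_jgJkjLf9OGIe5v1Z" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days "$3" -out "$1/server.crt" 2>/dev/null
}

demo=$(mktemp -d)
make_demo_pki "$demo/healthy"  3650 3650
make_demo_pki "$demo/expiring" 3650 1     # like the bastion: CA fine, server cert about to lapse
echo "healthy:  $(renewal_plan "$demo/healthy/ca.crt"  "$demo/healthy/server.crt")"
echo "expiring: $(renewal_plan "$demo/expiring/ca.crt" "$demo/expiring/server.crt")"
rm -rf "$demo"

# On the bastion, with the paths from the notes:
#   renewal_plan /etc/openvpn/ca.crt /etc/openvpn/server_jgJkjLf9OGIe5v1Z.crt
```

Running renewal_plan from cron with a window of 30 days turns the surprise in section I into a ticket a month early; the "mismatch" result is the one to stop on, because it means the ca.crt in /etc/openvpn is not the CA that signed the running server certificate and a renewal from it would break clients rather than fix them.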