Koozali.org: home of the SME Server

Issue with PHPKI or OpenVPN.

Arnie
Issue with PHPKI or OpenVPN.
« on: December 30, 2019, 06:57:03 AM »
Hi all,

For the second time in about a month, OpenVPN (both bridged and routed) has stopped authenticating users with a "CRL has expired" error. The last time this happened on November 26th, I recreated all the certs (lasting the max 5 years) with PHPKI and got it all working again.

Today, about 35 days since the last time, it has happened again. I never had this issue when I was running SME8, but since I upgraded to SME9 on November 12th, this has happened twice.

I am not sure if this is an issue with PHPKI or OpenVPN, but I am leaning toward PHPKI at this point. Has anyone else seen this behavior? I could recreate and deploy the certs again, but will I have to do it again in another 35 days?

Please help.

Thanks.
...

ReetP
Re: Issue with PHPKI or OpenVPN.
« Reply #1 on: December 30, 2019, 10:18:18 AM »
It isn't anything to do with v8/v9.

I have read about "CRL has expired" online.

Just wondering if you generated certs for 35 days and not 365 days? Or more?

Haven't got time to check now. Will look later unless someone else beats me to it.

...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Arnie
Re: Issue with PHPKI or OpenVPN.
« Reply #2 on: December 30, 2019, 12:44:15 PM »
Quote from ReetP: Just wondering if you generated certs for 35 days and not 365 days? Or more?

When you create a cert with PHPKI, the "Certificate Life" field is a listbox with selections for 3 months, 6 months, and 1, 2, 3, 4 and 5 years, so there is no way of generating a cert of only 35 days' duration if you use the GUI.
...

Arnie
Re: Issue with PHPKI or OpenVPN.
« Reply #3 on: December 30, 2019, 01:23:44 PM »
O.K. I needed to get OpenVPN working again, so I revoked the server cert and created a new one, as just renewing the old cert didn't fix the issue. OpenVPN is now working again.

After some poking around I found the following...

"/opt/phpki/phpki-store/config/openssl.cnf" has "default_crl_days = 30" defined in it. As I had not used OpenVPN in over a week, it is likely the CRL expired after 30 days and I didn't notice until I just happened to use it on the 35th day.

"/etc/cron.weekly/php_update_crl" is supposed to update the CRL every week. I have checked the cron logs and it is running every 7 days. Running the script manually does update the "nextUpdate" field of the CRL successfully.

The next thing to do is check back in a week and see if the nextUpdate field of the CRL has been updated by the cron script.
...
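The failure Arnie traced above is a time check, not a key or certificate problem: OpenVPN's "CRL has expired" is OpenSSL's verifier refusing a CRL whose nextUpdate (thisUpdate plus default_crl_days, 30 here) is in the past. The following is an added example, not PHPKI's, OpenVPN's or SME Server's own code, of the check a practitioner would want to run from cron or a monitoring hook: it reads the thisUpdate/nextUpdate fields out of a PEM or DER CRL with a small DER walker (so it needs neither the openssl binary nor the cryptography package) and classifies the CRL as ok, expiring or expired. The CRL it checks by default is constructed inline for the demo (empty issuer, dummy signature, 30-day validity starting on the thread's November 26th date); the demo_timeline helper replays the thread's 35-day gap against it. Path and warning threshold are assumptions, not values from the page.

```python
"""Report how long an X.509 CRL stays valid, i.e. its nextUpdate field.

Added example for this thread, not code from PHPKI, OpenVPN or SME Server.
The default CRL is constructed below purely for the demo.
"""
import base64
import re
import sys
from datetime import datetime, timedelta, timezone

# ---------- minimal DER decoding (only what a CertificateList needs) ----------

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Yield (tag, value_bytes) for every element inside a constructed element."""
    pos = start
    while pos < end:
        tag, vs, ve = _read_tlv(buf, pos)
        yield tag, buf[vs:ve]
        pos = ve

def _parse_time(tag, value):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into an aware UTC datetime."""
    text = value.decode("ascii")
    if tag == 0x17:                        # RFC 5280: YY >= 50 means 19YY, otherwise 20YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def load_crl(data):
    """Accept PEM or DER bytes and return DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", data))
    return data

def crl_validity(der):
    """Return (thisUpdate, nextUpdate) of a DER CRL; nextUpdate is None if absent."""
    _, outer_start, _ = _read_tlv(der, 0)                 # CertificateList SEQUENCE
    _, tbs_start, tbs_end = _read_tlv(der, outer_start)   # tbsCertList SEQUENCE
    elems = list(_children(der, tbs_start, tbs_end))
    if elems[0][0] == 0x02:                               # optional version INTEGER (v2)
        elems = elems[1:]
    # elems[0] = signature AlgorithmIdentifier, elems[1] = issuer Name, then the times.
    # If nextUpdate is absent, elems[3] is revokedCertificates/crlExtensions: filter on tag.
    times = [(t, v) for t, v in elems[2:4] if t in (0x17, 0x18)]
    this_update = _parse_time(*times[0])
    next_update = _parse_time(*times[1]) if len(times) > 1 else None
    return this_update, next_update

def crl_status(der, now, warn_days=7):
    """Return (state, days_left): 'expired', 'expiring' (<= warn_days left) or 'ok'."""
    _, next_update = crl_validity(der)
    if next_update is None:                # no nextUpdate: the CRL never goes stale
        return "ok", None
    days_left = (next_update - now).total_seconds() / 86400
    if days_left <= 0:
        return "expired", days_left
    return ("expiring" if days_left <= warn_days else "ok"), days_left

# ---------- constructed demo CRL (no real CA involved) ----------

def _der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def _utctime(dt):
    return _der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))

def build_demo_crl(this_update, crl_days=30):
    """Unsigned v2 CRL, empty issuer, no revoked certs; crl_days mirrors default_crl_days."""
    sig_alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))  # sha256WithRSA
    tbs = _der(0x30, _der(0x02, b"\x01") + sig_alg + _der(0x30, b"")
               + _utctime(this_update) + _utctime(this_update + timedelta(days=crl_days)))
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00" * 9))   # dummy BIT STRING signature

def to_pem(der):
    """Wrap DER bytes as a PEM 'X509 CRL' block with a 64-column body."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN X509 CRL-----\n{body}\n-----END X509 CRL-----\n".encode("ascii")

DEMO_THIS_UPDATE = datetime(2019, 11, 26, 12, 0, 0, tzinfo=timezone.utc)   # constructed date
DEMO_CRL = build_demo_crl(DEMO_THIS_UPDATE, crl_days=30)

def demo_timeline(der=DEMO_CRL, start=DEMO_THIS_UPDATE, days=(1, 7, 22, 25, 30, 35)):
    """State of the CRL N days after thisUpdate; day 35 is where the thread's outage landed."""
    return {d: crl_status(der, start + timedelta(days=d))[0] for d in days}

if __name__ == "__main__":
    # Usage: python crl_check.py /path/to/crl.pem   (path is an assumption; any PEM/DER CRL works)
    der = load_crl(open(sys.argv[1], "rb").read()) if len(sys.argv) > 1 else DEMO_CRL
    this_update, next_update = crl_validity(der)
    state, left = crl_status(der, datetime.now(timezone.utc))
    print(f"thisUpdate={this_update.isoformat()} nextUpdate={next_update} -> {state} ({left} days left)")
```

On a real server the same field can be read with `openssl crl -in <crl file> -noout -nextupdate`; run it against the file OpenVPN's `crl-verify` directive actually points at, because a weekly job that rewrites PHPKI's own copy does nothing for OpenVPN if the two paths differ. With default_crl_days = 30 and a weekly refresh the margin is 23 days, so one missed cron run still leaves time, but two do not; a warn_days value at least as large as the refresh interval catches that before clients fail.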

ReetP
Re: Issue with PHPKI or OpenVPN.
« Reply #4 on: December 30, 2019, 02:52:24 PM »
Ok.

I was just going to say: read here on migrating OpenVPN bridge certs etc.

https://wiki.contribs.org/PHPki

Hopefully you have solved it.
...

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: Issue with PHPKI or OpenVPN.
« Reply #5 on: December 31, 2019, 09:09:31 AM »
Also to note: the max cert life you can get is 10 or 15 years.
I also never had issues migrating my servers to keep having clients connecting over the years... until the server certs expired.
This is not an issue, this is by design. So be prepared to access the remote server to update them before it arrives ;).