Hi Bradley,

I haven't heard of this problem before. I have personally been running keys which were generated by the scripts in the "easy-rsa" directory, and those keys have been working fine for quite a bit more than 30 days.

Have you done anything with these default settings in the openssl.cnf file:

    default_days = 365 # how long to certify for
    default_crl_days= 30 # how long before next CRL

Maybe somehow default_crl_days is kicking in?

Also, the default -days parameter for openssl req -x509 is 30. I don't know if you explicitly used -days when you generated the cert.

Try the following:

    openssl x509 -inform PEM -text -in my-cert.crt
    openssl x509 -inform PEM -text -in my-ca.crt
    openssl verify -CAfile my-ca.crt my-cert.crt

This should give us some sense of what OpenSSL thinks about the certs, independently of OpenVPN.

James

----- Original Message -----
From: "Bradley M Alexander" <storm@xxxxxxx>
To: <openvpn-users@xxxxxxxxxxxxxxxxxxxxx>
Sent: Monday, July 29, 2002 3:54 PM
Subject: [Openvpn-users] Expired key?

> I'm running into an issue with openvpn 1.3.1. I encountered the same with
> openvpn 1.2.2. Last week, I was on the road and couldn't access the network
> through openvpn. I found that I was getting a series of
>
> TLS Error: Unroutable control packet received from 216.168.251.140:56351 (si=3 op=P_CONTROL_V1)
>
> messages on the TLS server side. When I got back and started it manually, I
> saw a message buried in the TLS server output that said
>
> VERIFY ERROR: depth=1, error=certificate has expired
>
> for the TLS client key. I looked at both keys (the TLS client key was the
> one that showed expired), and found the following (which is how I
> set it up)
>
> TLS server cert:
>     Validity
>         Not Before: Jun 24 17:23:01 2002 GMT
>         Not After : Mar 20 17:23:01 2005 GMT
>
> TLS client cert:
>     Validity
>         Not Before: Jun 24 17:11:41 2002 GMT
>         Not After : Mar 20 17:11:41 2005 GMT
>
> Why are my certs showing as expired when it has only been 30 days since
> generation?
>
> Any help would be greatly appreciated.
>
> --
> --Brad
> ============================================================================
> Bradley M. Alexander                | storm [at] debian.org
> Debian Developer, Security Engineer | storm [at] tux.org
> Debian/GNU Linux Developer          | Visit the 99th VFS website at:
> MCO, 99th VFS 'Tuskegee Airmen'     | http://99thvfs-ta.org
> ============================================================================
> Key fingerprints:
> DSA 0x54434E65: 37F6 BCA6 621D 920C E02E E3C8 73B2 C019 5443 4E65
> RSA 0xC3BCBA91: 3F 0E 26 C1 90 14 AD 0A C8 9C F0 93 75 A0 01 34
> ============================================================================
> Free men do not ask permission to bear arms.

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
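
Added example (not part of the original thread, and not code from OpenVPN or easy-rsa): a shell sketch that builds a throwaway CA with openssl req -x509 and no -days, signs a 365-day client certificate with it, and then runs the reply's openssl verify check as if 1 and 31 days had passed. In OpenSSL's chain numbering depth=0 is the certificate being verified and depth=1 is its issuer, so the second check fails at depth 1 even though my-cert.crt itself is valid for a year. The file names follow the reply; the subject names, the temporary directory and the use of -attime are assumptions of this example.

```shell
#!/bin/sh
# Added example: throwaway keys and constructed subject names.

# make_chain DIR: CA via "req -x509" with -days omitted (OpenSSL's default
# applies), then a client cert signed by that CA for 365 days.
make_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Example CA" \
        -keyout "$1/my-ca.key" -out "$1/my-ca.crt" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=example-client" \
        -keyout "$1/my-cert.key" -out "$1/my-cert.csr" 2>/dev/null || return 1
    openssl x509 -req -days 365 -in "$1/my-cert.csr" \
        -CA "$1/my-ca.crt" -CAkey "$1/my-ca.key" -CAcreateserial \
        -out "$1/my-cert.crt" 2>/dev/null || return 1
}

# expires_within FILE DAYS: true if FILE's notAfter is less than DAYS away.
expires_within() {
    if openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
    then return 1; else return 0; fi
}

# verify_at DIR DAYS: verify the chain as if DAYS had passed and print
# OpenSSL's verdict (success ends in ": OK", failure names the depth).
verify_at() {
    at=$(( $(date +%s) + $2 * 86400 ))
    openssl verify -attime "$at" -CAfile "$1/my-ca.crt" "$1/my-cert.crt" 2>&1
}

demo() {
    dir=$(mktemp -d) || return 1
    make_chain "$dir" || return 1
    for f in my-ca.crt my-cert.crt; do
        printf '%s: ' "$f"; openssl x509 -noout -enddate -in "$dir/$f"
    done
    echo "--- today + 1 day";   verify_at "$dir" 1  || true
    echo "--- today + 31 days"; verify_at "$dir" 31 || true
    rm -rf "$dir"
}
demo
```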