
Re: [Openvpn-users] Expired key?


  • Subject: Re: [Openvpn-users] Expired key?
  • From: "James Yonan" <jim@xxxxxxxx>
  • Date: Mon, 29 Jul 2002 18:28:21 -0600

Hi Bradley,

I haven't heard of this problem before.  I have personally been running
keys which were generated by the scripts in the "easy-rsa" directory, and
those keys have been working fine for quite a bit more than 30 days.

Have you done anything with these default settings in the openssl.cnf file:

default_days = 365   # how long to certify for
default_crl_days= 30   # how long before next CRL

Maybe somehow default_crl_days is kicking in?

Also, the default -days parameter for openssl req -x509 is 30.  I don't know
if you explicitly used -days when you generated the cert.

Try the following:

openssl x509 -inform PEM  -text -in my-cert.crt

openssl x509 -inform PEM  -text -in my-ca.crt

openssl verify -CAfile my-ca.crt my-cert.crt

This should give us some sense of what OpenSSL thinks about the certs,
independently of OpenVPN.

James

----- Original Message -----
From: "Bradley M Alexander" <storm@xxxxxxx>
To: <openvpn-users@xxxxxxxxxxxxxxxxxxxxx>
Sent: Monday, July 29, 2002 3:54 PM
Subject: [Openvpn-users] Expired key?


> I'm running into an issue with openvpn 1.3.1. I encountered the same with
> openvpn 1.2.2. Last week, I was on the road and couldn't access the network
> through openvpn. I found that I was getting a series of
>
> TLS Error: Unroutable control packet received from 216.168.251.140:56351
> (si=3 op=P_CONTROL_V1)
>
> messages on the TLS server side. When I got back and started it manually, I
> saw a message buried in the TLS server output that said
>
> VERIFY ERROR: depth=1, error=certificate has expired
>
> for the TLS client key. I looked at both keys (the TLS client key was the
> one that showed expired), and found the following (which is how I
> set it up)
>
> TLS server cert:
>         Validity
>             Not Before: Jun 24 17:23:01 2002 GMT
>             Not After : Mar 20 17:23:01 2005 GMT
>
> TLS client cert:
>         Validity
>             Not Before: Jun 24 17:11:41 2002 GMT
>             Not After : Mar 20 17:11:41 2005 GMT
>
> Why are my certs showing as expired when it has only been 30 days since
> generation?
>
> Any help would be greatly appreciated.
>
> --
> --Brad
>
> ============================================================================
> Bradley M. Alexander                |   storm [at] debian.org
> Debian Developer, Security Engineer |   storm [at] tux.org
> Debian/GNU Linux Developer          | Visit the 99th VFS website at:
> MCO, 99th VFS 'Tuskegee Airmen'     |   http://99thvfs-ta.org
>
> ============================================================================
> Key fingerprints:
> DSA 0x54434E65: 37F6 BCA6 621D 920C E02E  E3C8 73B2 C019 5443 4E65
> RSA 0xC3BCBA91: 3F 0E 26 C1 90 14 AD 0A  C8 9C F0 93 75 A0 01 34
>
> ============================================================================
> Free men do not ask permission to bear arms.
>
>
>
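
Added example, not part of the original thread: a shell script that builds the case James raises, a CA certificate created with openssl req -x509 and no -days (so it gets the 30-day default) signing a client certificate valid for 1000 days, and then shows the depth at which openssl verify fails once the CA has lapsed. The file names follow James's commands; the subject names, key size and function names are assumptions made for the demo, and the script assumes a stock openssl.cnf whose req section marks the self-signed certificate as a CA.

```shell
#!/bin/sh
# Added example; file names and subject names are constructed for the demo.

# Build a CA without -days (so `openssl req -x509` falls back to its 30-day
# default) and a client certificate that the CA signs for 1000 days.
make_demo_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" \
        -keyout "$d/my-ca.key" -out "$d/my-ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
        -keyout "$d/my-cert.key" -out "$d/my-cert.csr" 2>/dev/null
    openssl x509 -req -in "$d/my-cert.csr" -days 1000 \
        -CA "$d/my-ca.crt" -CAkey "$d/my-ca.key" -CAcreateserial \
        -out "$d/my-cert.crt" 2>/dev/null
}

# Succeed if the certificate in $1 expires within $2 days.
# (`-checkend N` exits 0 when the cert is still valid N seconds from now.)
expires_within() {
    ! openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# Print the depth at which `openssl verify` fails $2 days from now, or "ok".
# Depth 0 is the certificate itself, depth 1 is the CA that signed it.
verify_in_days() {
    d=$1
    at=$(( $(date +%s) + $2 * 86400 ))
    out=$(openssl verify -attime "$at" -CAfile "$d/my-ca.crt" \
        "$d/my-cert.crt" 2>&1) && { echo ok; return 0; }
    echo "$out" | sed -n 's/.* at \([0-9]*\) depth lookup.*/depth=\1/p' | head -n 1
}

demo() {
    dir=$(mktemp -d)
    make_demo_chain "$dir"
    for f in my-ca.crt my-cert.crt; do
        printf '%s: ' "$f"; openssl x509 -noout -enddate -in "$dir/$f"
    done
    echo "today:      $(verify_in_days "$dir" 0)"
    echo "in 60 days: $(verify_in_days "$dir" 60)"
    rm -rf "$dir"
}
demo
```

The client certificate's own Not After date is years away in this setup, so reading only that certificate does not show the problem; the CA file has to be checked as well.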

