Re: [Openvpn-users] Expired key?


  • Subject: Re: [Openvpn-users] Expired key?
  • From: Patrick Boutilier <boutilpj@xxxxxxxxxxx>
  • Date: Mon, 29 Jul 2002 21:33:34 -0300

Perhaps the root CA certificate has expired?


James Yonan wrote:
Hi Bradley,

I haven't heard of this problem before.  I have personally been running
keys which were generated by the scripts in the "easy-rsa" directory, and
those keys have been working fine for quite a bit more than 30 days.

Have you done anything with these default settings in the openssl.cnf file:

default_days = 365   # how long to certify for
default_crl_days= 30   # how long before next CRL

Maybe somehow default_crl_days is kicking in?

Also, the default -days parameter for openssl req -x509 is 30.  I don't know
if you explicitly used -days when you generated the cert.

Try the following:

openssl x509 -inform PEM  -text -in my-cert.crt

openssl x509 -inform PEM  -text -in my-ca.crt

openssl verify -CAfile my-ca.crt my-cert.crt

This should give us some sense of what OpenSSL thinks about the certs,
independently of OpenVPN.

James

----- Original Message -----
From: "Bradley M Alexander" <storm@xxxxxxx>
To: <openvpn-users@xxxxxxxxxxxxxxxxxxxxx>
Sent: Monday, July 29, 2002 3:54 PM
Subject: [Openvpn-users] Expired key?



I'm running into an issue with openvpn 1.3.1. I encountered the same with
openvpn 1.2.2. Last week, I was on the road and couldn't access the network
through openvpn. I found that I was getting a series of

TLS Error: Unroutable control packet received from 216.168.251.140:56351
(si=3 op=P_CONTROL_V1)

messages on the TLS server side. When I got back and started it manually, I
saw a message buried in the TLS server output that said

VERIFY ERROR: depth=1, error=certificate has expired

for the TLS client key. I looked at both keys (the TLS client key was the
one that showed expired), and found the following (which is how I
set it up)

TLS server cert:
       Validity
           Not Before: Jun 24 17:23:01 2002 GMT
           Not After : Mar 20 17:23:01 2005 GMT

TLS client cert:
       Validity
           Not Before: Jun 24 17:11:41 2002 GMT
           Not After : Mar 20 17:11:41 2005 GMT

Why are my certs showing as expired when it has only been 30 days since
generation?

Any help would be greatly appreciated.

--
--Brad


============================================================================

Bradley M. Alexander                |   storm [at] debian.org
Debian Developer, Security Engineer |   storm [at] tux.org
Debian/GNU Linux Developer          | Visit the 99th VFS website at:
MCO, 99th VFS 'Tuskegee Airmen'     |   http://99thvfs-ta.org


============================================================================

Key fingerprints:
DSA 0x54434E65: 37F6 BCA6 621D 920C E02E  E3C8 73B2 C019 5443 4E65
RSA 0xC3BCBA91: 3F 0E 26 C1 90 14 AD 0A  C8 9C F0 93 75 A0 01 34


============================================================================

Free men do not ask permission to bear arms.


------------------------------------------------------- This sf.net email is sponsored by: Dice - The leading online job board for high-tech professionals. Search and apply for tech jobs today! http://seeker.dice.com/seeker.epl?rel_code=31 _______________________________________________ Openvpn-users mailing list Openvpn-users@xxxxxxxxxxxxxxxxxxxxx https://lists.sourceforge.net/lists/listinfo/openvpn-users
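
An added example, not part of the original messages: in OpenSSL's verify output depth=0 is the peer certificate and depth=1 is its issuer, so the expiry of every certificate in the chain has to be checked, not just the client cert. The function names and the throwaway chain below are constructed for illustration; `-days 30` is passed explicitly to mirror the `openssl req -x509` default James mentions.

```shell
#!/bin/sh
# Added example. Hypothetical helper names; all certs are constructed test data.

# Build a throwaway two-level chain in directory $1: a self-signed CA valid
# for 30 days and a client cert, signed by that CA, valid for 1000 days.
make_demo_chain() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 1000 \
        -out "$dir/client.crt" 2>/dev/null
}

# Usage: cert_expiry_report WINDOW_DAYS cert.pem [cert.pem ...]
# Prints one line per cert; returns 1 if any cert is expired or expires
# within WINDOW_DAYS, 2 if a file cannot be parsed, 0 otherwise.
cert_expiry_report() {
    window_days=$1; shift
    rc=0
    for cert in "$@"; do
        subject=$(openssl x509 -in "$cert" -noout -subject 2>/dev/null) || return 2
        enddate=$(openssl x509 -in "$cert" -noout -enddate)
        # -checkend N exits non-zero if the cert expires within N seconds.
        if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
            status=EXPIRED; rc=1
        elif ! openssl x509 -in "$cert" -noout \
                -checkend $((window_days * 86400)) >/dev/null; then
            status=EXPIRING; rc=1
        else
            status=OK
        fi
        printf '%s  %s  %s  %s\n' "$status" "$cert" "$enddate" "$subject"
    done
    return $rc
}

# Demo: the client cert looks fine on its own, but the CA is flagged.
demo_dir=$(mktemp -d)
make_demo_chain "$demo_dir"
cert_expiry_report 60 "$demo_dir/ca.crt" "$demo_dir/client.crt" || true
rm -rf "$demo_dir"
```

Run against the real files (for example `cert_expiry_report 30 my-ca.crt my-cert.crt`), it puts the CA's notAfter next to the client's, which is the comparison the `openssl x509 -text` commands above require reading out by hand.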