How to renew CA certificate of PiVPN (OpenVPN)
TL;DR If suddenly you cannot connect to your OpenVPN server based on PiVPN (or other), it is probably because of the CA certificate has expired.
Do:
cat /var/log/openvpn.log
If you find an output similar to the following, it means that (probably) the certificate has expired
Jul 22 18:52:44 raspberrypiserver ovpn-server[434]: 238.143.30.107:47626 VERIFY ERROR: depth=0, error=CRL has expired: CN=profile
Jul 22 18:52:44 raspberrypiserver ovpn-server[434]: 238.143.30.107:47626 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Jul 22 18:52:44 raspberrypiserver ovpn-server[434]: 238.143.30.107:47626 TLS_ERROR: BIO read tls_read_plaintext error
Jul 22 18:52:44 raspberrypiserver ovpn-server[434]: 238.143.30.107:47626 TLS Error: TLS object -> incoming plaintext read error
Jul 22 18:52:44 raspberrypiserver ovpn-server[434]: 238.143.30.107:47626 TLS Error: TLS handshake failed
Jul 22 18:52:44 raspberrypiserver ovpn-server[434]: 238.143.30.107:47626 Fatal TLS error (check_tls_errors_co), restarting
Jul 22 18:52:44 raspberrypiserver ovpn-server[434]: 238.143.30.107:47626 SIGUSR1[soft,tls-error] received, client-instance restarting
Verify the certificate expiration date by typing
cd /etc/openvpn
sudo openssl crl -in crl.pem -text
which will output
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /CN=ChangeMe
Last Update: Jan 21 18:03:50 2019 GMT
Next Update: Jul 20 18:03:50 2019 GMT
CRL extensions:...
...
If the field Next Update
indicates a date earlier than today, then the CA certificate has expired.
To renew it just do:
cd /etc/openvpn/easy-rsa
sudo ./easyrsa gen-crl
sudo cp pki/crl.pem /etc/openvpn/crl.pem
sudo systemctl restart openvpn
Done. Enjoy!