Renew expired OpenSSL certificate on OpenVPN server

If an OpenSSL certificate on your OpenVPN server has expired, the problem usually looks like this:

Mon Nov 19 05:42:24 2018 VERIFY ERROR: depth=1, error=certificate has expired: C=XX, ST=xx, L=xx, O=Domain, CN=Domain CA, emailAddress=mail@domain.com
Mon Nov 19 05:42:24 2018 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Mon Nov 19 05:42:24 2018 TLS_ERROR: BIO read tls_read_plaintext error
Mon Nov 19 05:42:24 2018 TLS Error: TLS object -> incoming plaintext read error
Mon Nov 19 05:42:24 2018 TLS Error: TLS handshake failed

You can renew the CA certificate with the command:

# openssl x509 -in ca.crt -days 3650 -out ca-new.crt -signkey ca.key

All VPN clients also need the renewed ca.crt on their computers.
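The renewal command re-signs the CA certificate with the same ca.key, so certificates the CA has already issued still verify and only ca.crt has to be replaced. The script below is an added example, not part of the original post. It shows this on a constructed throwaway CA in a temporary directory; the names demo-ca and demo-server and the function names are assumptions made for the demo.

```shell
#!/bin/sh
# Added demo: a constructed throwaway CA ("demo-ca") and server certificate
# ("demo-server") are created in a temp dir; nothing in /etc/openvpn is used.

field() { openssl x509 -in "$1" -noout "$2"; }   # print one field of a cert

renew_ca_demo() {
    d=$(mktemp -d) || return 1
    # CA valid for one day, plus a server certificate signed by it.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-server" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/server.crt" 2>/dev/null

    # Renewal command from the article, pointed at the demo files.
    openssl x509 -in "$d/ca.crt" -days 3650 -out "$d/ca-new.crt" \
        -signkey "$d/ca.key" 2>/dev/null

    subject=changed pubkey=changed chain=broken old_ca=ok new_ca=short
    if [ "$(field "$d/ca.crt" -subject)" = "$(field "$d/ca-new.crt" -subject)" ]
    then subject=same; fi
    if [ "$(field "$d/ca.crt" -pubkey)" = "$(field "$d/ca-new.crt" -pubkey)" ]
    then pubkey=same; fi
    # The already-issued server certificate must verify against the new CA file.
    if openssl verify -CAfile "$d/ca-new.crt" "$d/server.crt" >/dev/null 2>&1
    then chain=ok; fi
    # -checkend N exits 0 only if the cert is still valid N seconds from now.
    if ! openssl x509 -in "$d/ca.crt" -noout -checkend 172800 >/dev/null
    then old_ca=expiring; fi                      # old CA ends within 2 days
    if openssl x509 -in "$d/ca-new.crt" -noout -checkend 283824000 >/dev/null
    then new_ca=valid; fi                         # new CA still valid in 9 years

    rm -rf "$d"
    echo "subject=$subject pubkey=$pubkey chain=$chain old_ca=$old_ca new_ca=$new_ca"
}

renew_ca_demo
```

The same `openssl verify -CAfile ca-new.crt <certificate>` check can be run against the real server and client certificates before ca-new.crt is distributed.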

In some situations you may need to renew the server certificate as well; before doing so, make a backup of the /etc/openvpn folder.

Renew OpenVPN server certificate:

. vars
./build-key-server server

And after that restart the OpenVPN server:

# service openvpn restart
