Re-new revoked (roadwarrior openvpn) user certificate

NethServer Version: NethServer 7.9.2009
Module: OpenVPN

I would like to request assistance in one of our users. Checking on the generated OpenVPN client configuration of user, I found out that the Authentication Certificate is null:

image

I’m unsure if this is due to the certificate being revoked:
image

Note that this is an AD (Microsoft AD) user and the only one having this behavior. Also, the date of expiration has yet to be reached.

Also unsure how this has been revoked. Is there any way to re-new the certificate so I can check whether that is the problem.

Thank you in advance!

Did you already try to recreate the vpn user?

Does following command show the certificate?

/usr/libexec/nethserver/openvpn-local-client user@ad.domain.tld

To renew the certificate:

/usr/libexec/nethserver/pki-vpn-renew user@ad.domain.tld

You can find more information in the developer docs.

Hi @mrmarkuz, thanks.

Did you already try to recreate the vpn user?

I actually removed and recreated system user. Still the same.

Does following command show the certificate?
/usr/libexec/nethserver/openvpn-local-client user@ad.domain.tld

Authentication certificate still empty.

image

To renew the certificate:
/usr/libexec/nethserver/pki-vpn-renew user@ad.domain.tld

Output below with error.
image

Only this user has error in certificate.

Thanks again!

When renewing cert, only .crt and .p12 seems to be generated.
No .csr and .key

I’ve already issued the revocation and renewal several times. Revoke removes the both .crt and .p12 from /var/lib/nethserver/certs folder.

Tried the /usr/libexec/nethserver/pki-vpn-gencert command, it informed me that the certificate already exist. Revoke and renew, again, only .crt and .p12 files were generated.

Checking (/usr/libexec/nethserver/openvpn-local-client command), now no authentication cert and key:
image

User still revoked:
image

Did you already try to move away/rename csr and key to force recreation?

Hi @mrmarkuz, sorry, no. I’ve not found those files.

I found that you may need to use another commonname:

https://programmerah.com/openssl-txt_db-error-number-2-failed-to-update-database-3075/

Does it work if you delete and recreate the user in AD?

Thanks @mrmarkuz. No, have not tried it since it is already a user with a lot of files and connected to AAD as well.

What I did, as a workaround, though is create another AD user for that specific user which she will only use for OpenVPN.

Again, thanks!

1 Like