Renew revoked (roadwarrior OpenVPN) user certificate

NethServer Version: NethServer 7.9.2009
Module: OpenVPN

I would like to request assistance with one of our users. Checking the generated OpenVPN client configuration of the user, I found out that the Authentication Certificate is null:

image

I’m unsure if this is due to the certificate being revoked:
image

Note that this is an AD (Microsoft AD) user and the only one having this behavior. Also, the date of expiration has yet to be reached.

Also unsure how this has been revoked. Is there any way to renew the certificate so I can check whether that is the problem?

Thank you in advance!

Did you already try to recreate the vpn user?

Does the following command show the certificate?

/usr/libexec/nethserver/openvpn-local-client user@ad.domain.tld

To renew the certificate:

/usr/libexec/nethserver/pki-vpn-renew user@ad.domain.tld

You can find more information in the developer docs.

Hi @mrmarkuz, thanks.

Did you already try to recreate the vpn user?

I actually removed and recreated the system user. Still the same.

Does following command show the certificate?
/usr/libexec/nethserver/openvpn-local-client user@ad.domain.tld

Authentication certificate still empty.

image

To renew the certificate:
/usr/libexec/nethserver/pki-vpn-renew user@ad.domain.tld

Output below with error.
image

Only this user has an error in the certificate.

Thanks again!

When renewing the cert, only .crt and .p12 seem to be generated.
No .csr and .key.

I’ve already issued the revocation and renewal several times. Revoke removes both the .crt and the .p12 from the /var/lib/nethserver/certs folder.

Tried the /usr/libexec/nethserver/pki-vpn-gencert command; it informed me that the certificate already exists. After revoking and renewing, again only .crt and .p12 files were generated.

Checking (with the /usr/libexec/nethserver/openvpn-local-client command), there is now no authentication cert or key:
image

User still revoked:
image

Did you already try to move away/rename the csr and key to force recreation?

Hi @mrmarkuz, sorry, no. I’ve not found those files.

I found that you may need to use another commonname:

https://programmerah.com/openssl-txt_db-error-number-2-failed-to-update-database-3075/

Does it work if you delete and recreate the user in AD?
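The linked page concerns the OpenSSL CA database: with unique_subject = yes in index.txt.attr, signing a certificate for a subject that still has a valid (status V) entry in index.txt fails with "TXT_DB error number 2", while revoked (R) entries do not block a re-issue. The following is an added example, not NethServer's own tooling, that inspects an index.txt for a given commonName and reports whether a re-issue under that name would clash. The index contents and the user names are constructed for the demonstration; the CA directory layout on a real NethServer box is not assumed.

```shell
#!/bin/sh
# Added example (not NethServer's code): check an OpenSSL CA index.txt for
# entries belonging to one commonName. index.txt is tab-separated:
#   status  expiry  revocation-date  serial  filename  subject
# Only status V rows take part in the unique-subject index, so a V row for the
# same subject is what produces "TXT_DB error number 2" on the next signing.

# Constructed sample index (not from a real CA), written to the given path.
write_sample_index() {
    printf 'V\t261231235959Z\t\t01\tunknown\t/CN=alice@ad.domain.tld\n'  > "$1"
    printf 'R\t261231235959Z\t240101120000Z\t02\tunknown\t/CN=bob@ad.domain.tld\n' >> "$1"
    printf 'V\t261231235959Z\t\t03\tunknown\t/CN=bob@ad.domain.tld\n'   >> "$1"
    printf 'R\t261231235959Z\t240301090000Z\t04\tunknown\t/CN=carol@ad.domain.tld\n' >> "$1"
}

# Print "<status> <serial>" for every index row whose subject is /CN=<cn>.
entries_for_cn() {
    awk -F '\t' -v cn="/CN=$2" '$6 == cn { print $1, $4 }' "$1"
}

# Count rows with status V for /CN=<cn>; a non-zero count means a further
# signing for that subject is rejected while unique_subject = yes.
count_valid() {
    awk -F '\t' -v cn="/CN=$2" '$1 == "V" && $6 == cn { n++ } END { print n + 0 }' "$1"
}

# One-line verdict per commonName.
diagnose() {
    case "$(count_valid "$1" "$2")" in
        0) echo "$2: no valid entry, a new certificate can be signed" ;;
        *) echo "$2: valid entry present, signing again hits TXT_DB error 2" ;;
    esac
}

# Demonstration over the constructed index.
demo() {
    idx="${TMPDIR:-/tmp}/index.txt.$$"
    write_sample_index "$idx"
    for u in alice@ad.domain.tld bob@ad.domain.tld carol@ad.domain.tld; do
        entries_for_cn "$idx" "$u"
        diagnose "$idx" "$u"
    done
    rm -f "$idx"
}

demo
```

In the sample, bob has a revoked row and a valid row, so a re-issue for him clashes even though one of his certificates is revoked; carol has only a revoked row and can be issued a new certificate. The two ways out of the clash that the linked page describes are revoking the valid entry first, or using a different commonName, which is what the workaround later in this thread amounts to.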

Thanks @mrmarkuz. No, I have not tried it, since it is already a user with a lot of files and connected to AAD as well.

What I did as a workaround, though, was to create another AD user for that specific person, which she will only use for OpenVPN.

Again, thanks!
