IPsec - Cannot renew Host certificate

Core-Update 187

I need to renew my Host certificate soon…
I saw issue: bug id=13737
But it does not provide a solution (not easy)
The error I got now is:

OpenSSL produced an error:
Using configuration from /etc/ssl/openssl.cnf
ERROR:Already revoked, serial number 01

So how do I proceed ???

thanks

From my understanding there are just two options available.

  1. Create the Root/Host certificate for the IPSec server from scratch, replacing the old one. That will cause all your existing client connections to be removed and require fresh creation. Not a good option if you have a large number of clients set up.
  2. The other option is to make a backup and then edit the /var/ipfire/certs/serial file and replace the 01 with a 02.

The second option is the one mentioned in comment 4 in the bug report and allowed the Root/Host certificate set to be renewed.

The backup ensures that, if something does not occur as expected, you can go back to your existing situation.

EDIT:
With option 2 the WUI renew function still does not work after incrementing the number in the serial file. Error messages are still produced.

What you have to do is the following, both on the command line:-

  1. Increment the number in the serial file by 1
  2. Run the following command:
     openssl ca -md sha256 -days 825 -batch -notext -in /var/ipfire/certs/hostreq.pem -out /var/ipfire/certs/hostcert.pem

The following screenshot shows the message that was produced

Screenshot_2024-11-25_22-08-31

and you can see that it ended with the certificate being renewed for 825 days and the database being updated with that status.

So this would be my suggested option to follow.
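
The two command-line steps above as a script. This is an added example, not part of the original posts and not IPFire's own code. The paths and the openssl command are the ones quoted in the thread; the function names, the `--apply` switch and the `.bak` copy of the serial file are assumptions made for the example. It treats the serial file as hexadecimal, which is how `openssl ca` reads it, so 09 is followed by 0A rather than 10.

```shell
#!/bin/sh
# Added example, not IPFire's own code. Paths and the openssl command are the
# ones quoted in the thread; the function names are hypothetical.
CERT_DIR="${CERT_DIR:-/var/ipfire/certs}"

# Print the serial that follows $1. The serial file holds a hexadecimal
# number, kept here at an even number of digits (the form OpenSSL writes),
# so 09 -> 0A and FF -> 0100.
next_serial() {
    case "$1" in
        ''|*[!0-9A-Fa-f]*) echo "not a hex serial: '$1'" >&2; return 1 ;;
    esac
    # Shell arithmetic is 64-bit signed; refuse values that could overflow.
    if [ "${#1}" -gt 14 ]; then
        echo "serial too long for shell arithmetic: '$1'" >&2; return 1
    fi
    n=$(printf '%X' "$((0x$1 + 1))")
    if [ $(( ${#n} % 2 )) -eq 1 ]; then n="0$n"; fi
    printf '%s\n' "$n"
}

# Copy the serial file aside, then replace its content with the next serial.
# Prints the new serial on success.
bump_serial_file() {
    file=$1
    cur=$(tr -d ' \t\r\n' < "$file") || return 1
    new=$(next_serial "$cur") || return 1
    cp -p "$file" "$file.bak" || return 1
    printf '%s\n' "$new" > "$file" || return 1
    printf '%s\n' "$new"
}

# Re-issue the host certificate with the command from the thread.
renew_host_cert() {
    openssl ca -md sha256 -days 825 -batch -notext \
        -in "$CERT_DIR/hostreq.pem" -out "$CERT_DIR/hostcert.pem"
}

# Nothing is changed unless the script is called with --apply (as root).
if [ "${1:-}" = "--apply" ]; then
    bump_serial_file "$CERT_DIR/serial" >/dev/null && renew_host_cert
fi
```

If the renewal fails, copying `serial.bak` back over `serial` restores the previous value.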