IPsec - how to renew expired certificates?

Hi,
Can anyone help me with this issue?

A couple of years ago, I made multiple IPsec road warrior VPNs.
I followed the procedure to generate the certificates.

Now, after 2 years, the root certificate is OK:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=xx, ST=xx, L=xxxx, O=xxxxxxxxxxx, OU=xxxx, CN=xxxxxxx CA, emailAddress=xxx@xxxxx.net
        Validity
            Not Before: Apr  8 08:28:58 2022 GMT
            Not After : Apr  5 08:28:58 2032 GMT

but the host certificate expired:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=xx, ST=xx, L=xxxxxx, O=xxxxxxxxx, OU=xxxx, CN=xxxxxxxxx CA, emailAddress=xxx@xxxxxxx.net
        Validity
            Not Before: Apr  8 08:28:58 2022 GMT
            Not After : Jul 11 08:28:58 2024 GMT

and the client certificates expired as well:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=IT, ST=MC, L=xxxx, O=xxxxx, OU=xxx, CN=xxxxx CA, emailAddress=xxx@xxx.xx
        Validity
            Not Before: Apr  8 08:37:27 2022 GMT
            Not After : Jul 11 08:37:27 2024 GMT

I’d like to renew the certificates without rebuilding all the clients again.

Unfortunately I can’t find any assistance, tutorials, etc.

Thanks
Franco

Bear in mind that I have not got a lot of experience regarding IPSec.

Looking at the IPSec WUI page I saw a circular arrow icon at the right hand end of the Host Certificate line

Putting my mouse over that icon I got the message Renew Host Certificate.

So it looks like that is intended to allow the Host Certificate to be renewed when it has expired or just before it expires.

So I tested pressing that icon and unfortunately I then got a series of error messages.

[Screenshot: Screenshot_2024-08-06_14-23-54]

There looks to be a bug in the renewal as it seems to be trying to create the renewed certificate with the same Serial Number.

I will raise a bug report for this.
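The two points made above, keeping the existing host key so that clients (which trust the CA, not the host certificate) need no rebuild, and never reissuing under the same serial number, can be exercised directly with the OpenSSL command line. The script below is an added example written for this thread; it is not IPFire's code and does not reproduce what the WUI button does. It assumes `openssl` is in PATH and uses placeholder file names (`ca.crt`, `host.key`, `ca.srl`) and a placeholder CN, none of which are IPFire's. The same re-signing step works for an expired client certificate from its existing key, but the new client certificate still has to be delivered to that client.

```shell
#!/bin/sh
# Added example (not IPFire's code): renew a host certificate issued by a
# private CA. The host KEY is kept (clients validate the gateway through the
# CA, so they keep working), the subject is copied from the old certificate,
# and the renewed certificate gets a NEW serial from the ca.srl counter file.
# File names and the CN are placeholders chosen for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Stand-alone setup so the example runs offline: a 10-year CA and a host
# certificate issued with serial 1 that is about to expire (7 days left).
setup_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example CA" -keyout ca.key -out ca.crt 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=vpn.example.net" -keyout host.key -out host.csr 2>/dev/null
    openssl x509 -req -in host.csr -CA ca.crt -CAkey ca.key \
        -set_serial 1 -days 7 -sha256 -out host.crt 2>/dev/null
    echo 01 > ca.srl          # serial counter: last serial issued was 1
}

# Serial number of a certificate as plain hex, e.g. "01".
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# True (exit 0) if the certificate expires within $2 days.
needs_renewal() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# True if the certificate carries the public half of the given private key.
same_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# Renew host.crt for $1 days (default 730) with the same key and subject.
renew_host_cert() {
    days="${1:-730}"
    cp host.crt "host.crt.$(date +%Y%m%d%H%M%S).bak"
    # -x509toreq turns the old certificate into a CSR with the same subject,
    # signed with the EXISTING host key: no new key, so no client rebuild.
    openssl x509 -x509toreq -in host.crt -signkey host.key \
        -out host-renew.csr 2>/dev/null
    # -CAserial makes openssl read ca.srl, add one, use that as the serial and
    # write the incremented value back. Reissuing under the old serial would
    # create two different certificates with the same issuer+serial, which
    # X.509 forbids and which CRL/OCSP lookups cannot tell apart.
    openssl x509 -req -in host-renew.csr -CA ca.crt -CAkey ca.key \
        -CAserial ca.srl -days "$days" -sha256 -out host.crt.new 2>/dev/null
    # Only swap the live certificate in once it chains to the CA.
    openssl verify -CAfile ca.crt host.crt.new >/dev/null
    mv host.crt.new host.crt
    rm -f host-renew.csr
}

# Demo run: issue, check, renew, re-check.
setup_pki
echo "before: serial $(cert_serial host.crt)"
if needs_renewal host.crt 30; then
    renew_host_cert 730
fi
echo "after:  serial $(cert_serial host.crt)"
same_key host.crt host.key && echo "host key unchanged; clients need no rebuild"
```

On a real gateway the renewal window (30 days here) belongs in a cron job that alerts before expiry rather than after, and the `.bak` copy lets you roll back if the IPsec daemon rejects the new file.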

Thanks, Mr. Belka.
Can I ask which version you have got?
My 183 doesn’t have that icon.

I have Core Update 186, the current released version.

I just tested out by creating a new x509 root and host certificate, so not yet expired, and tried pressing the Renew Host Certificate button and it still came up with errors. It looks like the code is not incrementing the serial number.

EDIT:-
I checked in the IPFire git repo and the change to include the Renew Host Certificate was added in Core Update 184.

Thank you very much.
I really appreciate your help.

Franco


Bug has been raised for this issue.

https://bugzilla.ipfire.org/show_bug.cgi?id=13737
