Renewing expired OpenVPN users

It appears that when an openvpn user expires, there is no way to renew for another time period. I have been deleting and recreating users as their accounts expire, which requires downloading new config files and copying to the user’s computer. Is this correct? I want to make sure I’m not overlooking a better and/or quicker method of renewing accounts.

Are you experiencing the CRL expiry issue bug that occurred in Core Update 186?

https://community.ipfire.org/t/log-summary-openvpn-no-crl-update/11816

https://community.ipfire.org/t/log-summary-openvpn-no-crl-update/11816/7

https://community.ipfire.org/t/log-summary-openvpn-no-crl-update/11816/11

If yes, then you should follow the suggestions in that thread until Core Update 187 is released, as that has the fix for the lack of CRL update.

If you are referring to client certificates running out of their overall validity period, which by default is set to 2 years (730 days), then no, there is currently no easy way to renew the certificate in a seamless way. The openssl certificate system doesn’t easily allow it.
There is a bug report raised for this and some steps have been taken to provide the info such as visibility of when the certificates will expire, but currently you still have to create new certificates and copy them to the client systems. The bug is still open and needs further work.
https://bugzilla.ipfire.org/show_bug.cgi?id=11742
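
Since client certificates still have to be reissued by hand, it helps to know ahead of time which ones are close to the end of their validity period. The script below is an added example, not part of the reply above and not IPFire's own code; `CERT_DIR` and `WARN_DAYS` are assumed names, and `CERT_DIR` is a placeholder for whatever directory holds the client certificates as `*.pem` files on your system.

```shell
#!/bin/sh
# Added example: list client certificates that have expired or will expire
# within WARN_DAYS, using only the openssl command line tool.

# expiry_status CERT_FILE DAYS
# Prints one of: unreadable, expired, expiring, ok
expiry_status() {
    cert=$1
    days=$2
    # A file that does not parse as a certificate must not be reported as "ok".
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo unreadable
    # -checkend N exits non-zero when the certificate expires within N seconds.
    elif ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo expiring
    else
        echo ok
    fi
}

# audit_dir DIR [DAYS]
# Prints one tab-separated line per *.pem file: status, notAfter date, file name.
audit_dir() {
    dir=$1
    warn=${2:-30}
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        status=$(expiry_status "$f" "$warn")
        end=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null | cut -d= -f2)
        printf '%s\t%s\t%s\n' "$status" "${end:-unknown}" "$(basename "$f")"
    done
}

# Run only when CERT_DIR (placeholder, set it to your certificate directory) is given.
if [ -n "${CERT_DIR:-}" ]; then
    audit_dir "$CERT_DIR" "${WARN_DAYS:-30}"
fi
```

Run from cron with a `WARN_DAYS` large enough to generate and distribute the replacement config files before the old certificate stops working.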

Negative.

Yes, this is what I was asking about. Thank you. I will continue generating new users when their 2 year certificates expire. Not a huge deal.

Yes, it’s correct that OpenVPN doesn’t natively support renewing expired users without deleting and recreating accounts. You’ll need to generate new config files and distribute them as part of the renewal process.