[PLUG] Check your OpenVPN certification expire dates

Keith Lofstrom keithl at kl-ic.com
Mon Feb 29 02:06:45 UTC 2016


Check the expire dates on your openvpn encryption keys
and certifications!

Friday morning, anticipating an important email that was
worth $600 to answer ... I instead saw a string of
mail failure messages.  I soon learned that my slowly
accumulating OpenVPN network, all based on the same
self-signed certification, was disconnected because that
certification was 3650 days old, and had timed out.

I am still repairing most of the network, but I finally got
the vital email link running.  Spam is flowing again! (1)

The ancient network was 1024 bit keys and rather
disorganized.  I used the disaster to renumber the "tun"s
and organize the network better.  I set encryption key
length to 3076 bits - and the expire dates much further
out.  I also reorganized the key creation system so I
can rebuild more quickly in case of a security breach.

The sad fact is that OpenVPN will not warn you about
upcoming certificate expirations.  10 years is quite
long enough to forget how you did it, and when you
will need to rebuild it next. 

SO:  look at your keys and certs, stored by default
in /usr/local/ssl, and see if they are due to expire.
Here's the appropriate lines from one of my old keys:
---------------------------
...
Validity
            Not Before: Feb 28 05:23:33 2006 GMT
            Not After : Feb 26 05:23:33 2016 GMT
...
---------------------------
3650 days is the default chosen by "easy-vpn", and is 
10 years minus two or three leap days.
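Here is one way to do that check across a whole directory, as an added
example (this script is not Keith's, nor part of OpenVPN or easy-rsa).  It
assumes the openssl command-line tool is installed, that certificates live
in files named *.crt or *.pem, and it takes the directory (Keith's default,
/usr/local/ssl) and a warning window in days as parameters.  It leans on
openssl's own -checkend test rather than parsing the "Not After" line, so
it works the same on old and new openssl versions:

```shell
#!/bin/sh
# Added example, not from the original post: report certificates that are
# expired or about to expire.  Assumes the openssl CLI is available.
# The directory and WARN_DAYS are assumptions; the post names /usr/local/ssl
# as the default location of the keys and certs.

# cert_status FILE DAYS  -> prints OK, EXPIRING, EXPIRED or UNREADABLE
cert_status() {
    file="$1"
    days="$2"
    # Not a parseable X.509 certificate (a private key, DH params, junk)?
    openssl x509 -in "$file" -noout >/dev/null 2>&1 || { echo UNREADABLE; return 0; }
    # -checkend N fails if the cert expires within the next N seconds,
    # so N=0 means "already expired".
    openssl x509 -in "$file" -noout -checkend 0 >/dev/null 2>&1 || { echo EXPIRED; return 0; }
    openssl x509 -in "$file" -noout -checkend "$((days * 86400))" >/dev/null 2>&1 \
        || { echo EXPIRING; return 0; }
    echo OK
}

# scan_certs DIR DAYS -> one report line per *.crt / *.pem file in DIR;
# the exit status is the number of certificates needing attention (max 255),
# so the script is usable from cron or a monitoring check.
scan_certs() {
    dir="$1"
    days="$2"
    problems=0
    for f in "$dir"/*.crt "$dir"/*.pem; do
        [ -e "$f" ] || continue            # the glob matched nothing
        status=$(cert_status "$f" "$days")
        # Same "Not After" date that appears in the -text dump, one line per cert
        enddate=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null || echo 'notAfter=?')
        [ "$status" = OK ] || problems=$((problems + 1))
        printf '%-10s %s  %s\n' "$status" "$f" "$enddate"
    done
    if [ "$problems" -gt 255 ]; then problems=255; fi
    return "$problems"
}

# Usage: WARN_DAYS=90 sh check-certs.sh /usr/local/ssl
# (runs only when a directory is given, so the functions can also be sourced)
if [ "${1:-}" ]; then
    scan_certs "$1" "${WARN_DAYS:-90}"
fi
```

Run it from cron with a window of 90 days or so and mail yourself the
output; a non-zero exit status means at least one file in the directory
is expired, expiring, or not a certificate at all (a stray key file, for
instance), which is exactly the "you may come to grief soon" warning that
OpenVPN itself does not give.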

I imagine many of you learned about openvpn during the
same years I did.  You may come to grief soon.  The tools
and formats have changed, so it is better to learn and use
them /before/ everything goes to hell.  I made it harder
for myself because of renumbering the network, but better
organization will make this task a lot easier when I have
to do this next time, after my 90th birthday ...  :-)

Keith

(1)PS: While rebuilding postfix (very sensitive to DNS and
firewall setup), and looking at ancient mail logs for past
errors, I guestimated that I've probably filtered half a
billion spams in the last 10 years.  Oh, if I could only
collect the $300 per-spam tort penalty that the law
allegedly offers.  At Apollo program prices ($20B in 2015
dollars), at least 90 of us could walk on the moon ...

-- 
Keith Lofstrom          keithl at keithl.com
