[PLUG] Check your OpenVPN certification expire dates
Louis Kowolowski
louisk at cryptomonkeys.org
Mon Feb 29 22:47:14 UTC 2016
There are service checks for things like nagios that will alert you on an upcoming expiration of ssl certs for many services. I believe it may also offer the ability to check a file.
> On Feb 28, 2016, at 6:06 PM, Keith Lofstrom <keithl at kl-ic.com> wrote:
>
> Check the expire dates on your openvpn encryption keys
> and certifications!
>
> Friday morning, anticipating an important email that was
> worth $600 to answer ... I instead saw a string of
> mail failure messages. I soon learned that my slowly
> accumulating OpenVPN network, all based on the same
> self-signed certification, was disconnected because that
> certification was 3650 days old, and had timed out.
>
> I am still repairing most of the network, but I finally got
> the vital email link running. Spam is flowing again! (1)
>
> The ancient network was 1024 bit keys and rather
> disorganized. I used the disaster to renumber the "tun"s
> and organize the network better. I set encryption key
> length to 3076 bits - and the expire dates much further
> out. I also reorganized the key creation system so I
> can rebuild more quickly in case of a security breach.
>
> The sad fact is that OpenVPN will not warn you about
> upcoming certificate expirations. 10 years is quite
> long enough to forget how you did it, and when you
> will need to rebuild it next.
>
> SO: look at your keys and certs, stored by default
> in /usr/local/ssl, and see if they are due to expire.
> Here are the appropriate lines from one of my old keys:
> ---------------------------
> ...
> Validity
> Not Before: Feb 28 05:23:33 2006 GMT
> Not After : Feb 26 05:23:33 2016 GMT
> ...
> ---------------------------
> 3650 days is the default chosen by "easy-vpn", and is
> 10 years minus two or three leap days.
>
> I imagine many of you learned about openvpn during the
> same years I did. You may come to grief soon. The tools
> and formats have changed, so it is better to learn and use
> them /before/ everything goes to hell. I made it harder
> for myself because of renumbering the network, but better
> organization will make this task a lot easier when I have
> to do this next time, after my 90th birthday ... :-)
>
> Keith
>
> (1) PS: While rebuilding postfix (very sensitive to DNS and
> firewall setup), and looking at ancient mail logs for past
> errors, I guesstimated that I've probably filtered half a
> billion spams in the last 10 years. Oh, if I could only
> collect the $300 per-spam tort penalty that the law
> allegedly offers. At Apollo program prices ($20B in 2015
> dollars), at least 90 of us could walk on the moon ...
>
> --
> Keith Lofstrom keithl at keithl.com
> _______________________________________________
> PLUG mailing list
> PLUG at lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
--
Louis Kowolowski louisk at cryptomonkeys.org
Cryptomonkeys: http://www.cryptomonkeys.com/
Making life more interesting for people since 1977
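The thread's advice boils down to "look at the Validity lines before they bite you". Here is an added example of doing that automatically, not code from either poster: a small POSIX sh script that uses openssl's `-checkend` to flag every certificate in a directory that expires within a given number of days. It assumes `openssl` is installed and that certificates end in `.crt` or `.pem` (easy-rsa's default `keys/` layout does; Keith's `/usr/local/ssl` path is his own setup, so pass whatever directory you actually use). The demo certificates it generates are constructed on the fly so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Flags OpenVPN/easy-rsa certificates that are close to expiry.
# Assumptions: openssl is on PATH; cert files are named *.crt or *.pem.

# check_cert_expiry FILE [DAYS]
# Exit 0 if FILE is a certificate still valid DAYS days from now,
# 1 if it expires within DAYS (or has already expired), 2 if FILE is
# not a parseable certificate (e.g. a private key or a stray file).
check_cert_expiry() {
    file=$1
    days=${2:-30}
    secs=$((days * 86400))
    if ! openssl x509 -in "$file" -noout >/dev/null 2>&1; then
        return 2
    fi
    # -checkend N exits 0 when notAfter is later than now+N seconds, 1 otherwise
    if openssl x509 -in "$file" -noout -checkend "$secs" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# scan_cert_dir DIR [DAYS]
# Prints one line per certificate (ok / EXPIRE / SKIP) with its notAfter
# date, and returns the number of certificates flagged as expiring.
scan_cert_dir() {
    dir=$1
    days=${2:-30}
    flagged=0
    for f in "$dir"/*.crt "$dir"/*.pem; do
        [ -f "$f" ] || continue
        check_cert_expiry "$f" "$days"
        rc=$?
        if [ "$rc" -eq 2 ]; then
            printf 'SKIP   %s (not a certificate)\n' "$f"
            continue
        fi
        end=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
        subj=$(openssl x509 -in "$f" -noout -subject)
        if [ "$rc" -eq 1 ]; then
            printf 'EXPIRE %s  %s  (%s)\n' "$end" "$f" "$subj"
            flagged=$((flagged + 1))
        else
            printf 'ok     %s  %s\n' "$end" "$f"
        fi
    done
    return "$flagged"
}

# make_demo_certs DIR
# Constructed demo material: a long-lived self-signed "CA" (3650 days, the
# easy-rsa default the thread mentions) and a client cert with 5 days left.
make_demo_certs() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj '/CN=demo-ca' \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 5 -subj '/CN=demo-client' \
        -keyout "$dir/client.key" -out "$dir/client.crt" >/dev/null 2>&1
}

# Stand-alone demo: build the constructed certs in a temp dir and scan them
# with a 30-day warning window. Expected: ca.crt "ok", client.crt "EXPIRE".
demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
scan_cert_dir "$demo_dir" 30
echo "certificates expiring within 30 days: $?"
rm -rf "$demo_dir"
```

Point `scan_cert_dir` at your real directory (e.g. `scan_cert_dir /etc/openvpn/keys 60`) from a daily cron job and mail yourself the output when the return value is non-zero. Include the CA certificate in the scan, not just the client and server certs: as the original post shows, when everything is signed by one self-signed CA, that single expiry date takes the whole VPN down at once.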