If you have issues connecting to the VPN and you see the error:
Certificate has key usage 00a0, expects 00a0
in /var/log/openvpn-client.log
, then your certificate has probably expired.
To check its expiry date, as root
type the command:
$ openssl x509 -in /etc/openvpn/keys/user.crt -noout -enddate notAfter=Nov 12 13:42:43 2018 GMT
The displayed date after noAfter
is the expiry date.
There are four methods to renew the certificate.
The Neutrinet app takes care of checking every night whether certificates must be renewed.
You can either install the app through the admin panel, or with:
yunohost app install neutrinet
To upgrade this app:
yunohost tools update apps yunohost app upgrade neutrinet
If the Neutrinet app is already installed, you can force the certificates verification:
/opt/neutrinet/renew_cert/renew_cert.sh
Clone the following git repository, either on your cube or your own computer:
git clone https://git.domainepublic.net/Neutrinet/renew_cert
Move to the folder that just has been created:
cd renew_cert
Create a virtual python3 environment. This means that the installed python3 packages won't have any impact on the rest of the system:
python3 -m venv ve
Enable this environment:
source ve/bin/activate
Install the script dependencies:
pip install -r requirements.txt
Finally, run the script with this command:
python renew.py <Neutrinet VPN's username>
You will be asked for your password to login to the Neutrinet VPN.
Normaly, a subfolder named certs_YYYY-MM-DD_HH:MM:SS
(replace the uppercase letters with the script execution date and time ) should be created, which contains all the configuration files needed for the OpenVPN client.
The files that we need are client.crt
, client.key
, and ca.crt
, i.e. the public and private key of the client certificate, and the public key of the server certificate.
These files must replace the files in /etc/openvpn
(this may change depending of the OS).
On the cube, these files are in /etc/openvpn/keys
Remark: Before replacing one with the other, it is advisable to make a backup of the old certificate, just in case. For instance, with the following commands (still from the renew_cert
directory):
sudo mv /etc/openvpn/keys/user.crt{,.backup} sudo mv /etc/openvpn/keys/user.key{,.backup} sudo mv /etc/openvpn/keys/ca-server.crt{,.backup} sudo mv client.crt /etc/openvpn/keys/user.crt sudo mv client.key /etc/openvpn/keys/user.key sudo mv ca.crt /etc/openvpn/keys/ca-server.crt
All you need to do is to restart the OpenVPN service to check if it's still working.
Remark: Ideally, make sure to be connected on the same local network as your cube, i.e. through its local address (192.168.1.x in most cases).
sudo systemctl restart ynh-vpnclient`
You can check that everything went well by looking at the logs:
tail /var/log/openvpn-client.log /var/log/ynh-vpnclient.log
This method sometimes requires some patience because user.neutrinet.be can produce some failures.
Login with ssh to your internet cube, then go to the folder where the VPN key is located (it should be the file /etc/openvpn/keys/user.key
):
cd /etc/openvpn/keys
Create a certificate signing request (CSR) for this key:
openssl req -out client.csr -new -newkey rsa:4096 -nodes -keyout user.key
You will be asked for several questions, such as the country code (BE), the region (Bruxelles, …), the organisation, etc… to which the certificate is related.
Most important is the Cname
, that is the name which will be used by Neutrinet to know to whom belongs the certificate.
Remark: It is recommended to provide your email address for the Cname field.
This command create a file named client.csr
, which contains the certificate signing request. You can display its content with:
cat client.csr
Copy this content, then go to https://user.neutrinet.be
Login
Click on Users
Wait for the page to load, and when you see your name click on it.
Click on View associated clients
Click on your certificate (if you have more than one, use the one with an IPv4 - 80.67.181.x)
Choose the Renew certificate
option
The current certificate should appear on the screen. Click on Rekey
, then paste the content of the CSR (the file you copied earlier).
Click on the Rekey
button to confirm.
Once this operation done, you should see the following banner:
You can click on View client details
, then on Download config package
.
This will download a zip file containing the certificate files. In the directory /etc/openvpn/keys
of your cube, copy the file client.crt
to /etc/openvpn/keys/user.crt
.
That's it!