en:vpn:renew-cert

Differences

This shows you the differences between two versions of the page.

en:vpn:renew-cert [2020/01/04 16:45] hgoen:vpn:renew-cert [2024/06/19 08:33] (current) – [1. Neutrinet app] hgo
Line 7: Line 7:
 in `/var/log/openvpn-client.log`, then your certificate has probably expired. in `/var/log/openvpn-client.log`, then your certificate has probably expired.
  
-To check its expiry date, as `root`:+To check its expiry date, as `root` type the command:
 ```sh ```sh
-$ openssl x509 -in /etc/openvpn/keys/user.crt -notext -enddate+$ openssl x509 -in /etc/openvpn/keys/user.crt -noout -enddate
 notAfter=Nov 12 13:42:43 2018 GMT notAfter=Nov 12 13:42:43 2018 GMT
 ``` ```
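
Review bot: The command in the code block keeps a `$ ` prompt although the sentence above it says to run it as `root`; use a `# ` prompt or drop the prompt so the two agree. The switch from `-notext` to `-noout` is the right fix, since `-noout -enddate` prints only the `notAfter=` line shown in the sample output.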
Line 15: Line 15:
  
 There are four methods to renew the certificate. There are four methods to renew the certificate.
 +## 1. Neutrinet app
  
-## Neutrinet app +The [[https://apps.yunohost.org/app/neutrinet|Neutrinet app]] takes care of checking every night whether certificates must be renewed.
- +
-The [[en:cube:apps-neutrinet|Neutrinet app]] takes care of checking every night whether certificates must be renewed.+
  
 ### Install ### Install
  
-Check that the Neutrinet's applications list is installed: +You can either install the app through the admin panel, or with:
-```sh +
-yunohost app listlists +
-``` +
- +
-If the `neutrinet` list doesn't show up, install it with: +
-```sh +
-yunohost app fetchlist -n neutrinet -u https://neutrinet.be/apps.json +
-``` +
- +
-Then, you can eithr install the app through the admin panel, or with:+
 ```sh ```sh
 yunohost app install neutrinet yunohost app install neutrinet
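
Review bot: The Install section now goes straight to `yunohost app install neutrinet` with no word on where the app comes from, while the removed lines fetched a separate list from `https://neutrinet.be/apps.json`. Add one sentence saying that the app is installed from the catalog linked above (apps.yunohost.org), so readers who followed the old instructions know the `fetchlist` step is no longer needed.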
Line 41: Line 30:
 To upgrade this app: To upgrade this app:
 ```sh ```sh
-yunohost tools update --apps +yunohost tools update apps 
-yunohost tools upgrade --apps neutrinet+yunohost app upgrade neutrinet
 ``` ```
  
-## From a cube+## 2. From a cube
  
 If the Neutrinet app is already installed, you can force the certificates verification: If the Neutrinet app is already installed, you can force the certificates verification:
 ```sh ```sh
-cd /opt/neutrinet/renew_cert +/opt/neutrinet/renew_cert/renew_cert.sh
-./renew_cert_cron.sh -v+
 ``` ```
  
-## From the renew_cert script+## 3. From the renew_cert script
  
 Clone the following git repository, either on your cube or your own computer: Clone the following git repository, either on your cube or your own computer:
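
Review bot: In the "2. From a cube" block, the sentence still says the command forces the certificate verification, but the command changed from `./renew_cert_cron.sh -v` to `/opt/neutrinet/renew_cert/renew_cert.sh` with no flag. State whether the new script only checks the expiry or renews unconditionally, and whether it must be run as `root`, so that the text matches what the command does. There is also a trailing space after `yunohost tools update apps` in the upgrade block.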
Line 89: Line 77:
 Normaly, a subfolder named `certs_YYYY-MM-DD_HH:MM:SS` (replace the uppercase letters with the script execution date and time ) should be created, which contains all the configuration files needed for the OpenVPN client. Normaly, a subfolder named `certs_YYYY-MM-DD_HH:MM:SS` (replace the uppercase letters with the script execution date and time ) should be created, which contains all the configuration files needed for the OpenVPN client.
  
-The files that we need are `client.crt` and `client.key`, i.e. the public and private key of the certificate.+The files that we need are `client.crt``client.key`, and `ca.crt`, i.e. the public and private key of the client certificate, and the public key of the server certificate.
  
 These files must replace the files in `/etc/openvpn` (this may change depending of the OS). These files must replace the files in `/etc/openvpn` (this may change depending of the OS).
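
Review bot: The added line runs two file names together as `client.crt``client.key`, which is missing a comma and a space and will break the inline code rendering. The description is also imprecise: `client.crt` is the client certificate and `client.key` its private key, and `ca.crt` is installed as `ca-server.crt` in the next step, so it is better described as the CA certificate used to verify the server than as "the public key of the server certificate". The unchanged "Normaly" in the line above could be corrected in the same edit.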
Line 98: Line 86:
 sudo mv /etc/openvpn/keys/user.crt{,.backup} sudo mv /etc/openvpn/keys/user.crt{,.backup}
 sudo mv /etc/openvpn/keys/user.key{,.backup} sudo mv /etc/openvpn/keys/user.key{,.backup}
 +sudo mv /etc/openvpn/keys/ca-server.crt{,.backup}
 sudo mv client.crt /etc/openvpn/keys/user.crt sudo mv client.crt /etc/openvpn/keys/user.crt
 sudo mv client.key /etc/openvpn/keys/user.key sudo mv client.key /etc/openvpn/keys/user.key
 +sudo mv ca.crt /etc/openvpn/keys/ca-server.crt
 ``` ```
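
Review bot: The line `sudo mv client.key /etc/openvpn/keys/user.key` moves the private key into place with whatever owner and mode it had where the script wrote it, so a key generated under a normal user account can end up readable by that user. Follow the `mv` lines with a `chown root:root` and `chmod 600` on `user.key`, or replace the move with `sudo install -m 600 -o root -g root client.key /etc/openvpn/keys/user.key`. The new `ca-server.crt{,.backup}` line also fails if that file does not exist yet, which is worth a short remark.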
  
Line 106: Line 96:
 **Remark**: Ideally, make sure to be connected on the same local network as your cube, i.e. through its local address (192.168.1.x in most cases). **Remark**: Ideally, make sure to be connected on the same local network as your cube, i.e. through its local address (192.168.1.x in most cases).
 ```sh ```sh
-sudo systemctl restart openvpn`+sudo systemctl restart ynh-vpnclient`
 ``` ```
  
-To check that you are connected to the VPN, you can run the following command+You can check that everything went well by looking at the logs
-```sh +``` 
-ip addr+tail /var/log/openvpn-client.log /var/log/ynh-vpnclient.log
 ``` ```
  
-Normaly, the `tun0` interface should appear in the list. +## 4. From user.neutrinet.be
- +
-## From user.neutrinet.be+
  
 This method sometimes requires some patience because user.neutrinet.be can produce some failures. This method sometimes requires some patience because user.neutrinet.be can produce some failures.
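
Review bot: The changed restart line still ends with a stray backtick, `sudo systemctl restart ynh-vpnclient` followed by a backquote, and a reader who copies it gets a shell waiting for the closing quote instead of a restarted service; remove the trailing character. The new log-check block opens with a bare fence while every other block uses `sh`, and with the `ip addr` and `tun0` check removed the text no longer says what a successful connection looks like in `/var/log/openvpn-client.log`, so add the line to look for.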
Line 127: Line 115:
 Create a certificate signing request (CSR) for this key: Create a certificate signing request (CSR) for this key:
 ```sh ```sh
-openssl req -new -newkey rsa:4096 -nodes -keyout user.key+openssl req -out client.csr -new -newkey rsa:4096 -nodes -keyout user.key
 ``` ```
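
Review bot: The sentence above the command says the CSR is created "for this key", but `-newkey rsa:4096 -keyout user.key` generates a new key and writes it over any existing `user.key`. If an earlier step on the page already creates the key, the command should use `-key user.key` instead of `-newkey` and `-keyout`; otherwise reword the sentence to say that the key and the CSR are created together. Adding `-out client.csr` is correct, since without it the request is written to standard output.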
  
Line 133: Line 121:
 Most important is the `Cname`, that is the name which will be used by Neutrinet to know to whom belongs the certificate. Most important is the `Cname`, that is the name which will be used by Neutrinet to know to whom belongs the certificate.
  
-**Remark**: It is recommanded to provide your email address for the Cname field.+**Remark**: It is recommended to provide your email address for the Cname field.
  
 This command create a file named `client.csr`, which contains the certificate signing request. You can display its content with: This command create a file named `client.csr`, which contains the certificate signing request. You can display its content with:
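
Review bot: The spelling fix for "recommended" leaves the field name `Cname` in the surrounding lines, which is not what `openssl req` prompts for; the prompt reads "Common Name", so write "Common Name (CN)" to match what the user sees on screen. The unchanged sentences "This command create a file" and "to know to whom belongs the certificate" could be corrected in the same edit ("creates", "to whom the certificate belongs").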
en/vpn/renew-cert.1578152705.txt.gz · Last modified: 2020/01/04 16:45 by hgo