On 2025-11-15, Christopher Sean Hilton <[email protected]> wrote:
> On Fri, Nov 14, 2025 at 11:29:46PM +0100, Theo Buehler wrote:
>> On Fri, Nov 14, 2025 at 04:56:34PM -0500, Christopher Sean Hilton wrote:
>> > On Fri, Nov 14, 2025 at 04:23:21PM -0500, Chris Hilton wrote:
>> > > I have a pair of servers, both running OpenBSD 7.6, that have a shared
>> > > ikev2 vpn via iked. This is working great; in fact it's working better
>> > > than I expect it to. I've noticed two issues:
>> > >
>> > > * The certificates in my VPN expired about a month ago but the VPN keeps
>> > >   renegotiating. I stopped iked on one side for about an hour today and
>> > >   after I restarted it, the VPN had no trouble restarting.
>> > >
>> > > * Running `ikectl ca my-vpn-ca certificate my-host create` throws an
>> > >   error indicating that the certificate already exists. In fact it does,
>> > >   but the certificate that it cites is the expired one.
>> > >
>> > > Please forgive my question if these two issues have been addressed since
>> > > OpenBSD 7.6 became stale.
>> >
>> > To follow up with the actual error message:
>> >
>> > ERROR:There is already a certificate for /C=US/ST=...
>> > The matching entry has the following details
>> > Type :Valid
>> > Expires on :250920224627Z
>> > Serial Number :04
>> >
>> > Note well that when I assume that the date given is seconds since 01/01/1970
>> > and I do this:
>> >
>> > $ date -r 250920224627
>> > Sat May 7 02:23:47 EDT 9921
>> >
>> > I'm assuming that I'm missing something on the date format?
>>
>> UTCTime has format YYMMDDHHMMSSZ, expired on Sep 20, 2025, at 22:46:27 UTC
>> https://www.rfc-editor.org/rfc/rfc5280#section-4.1.2.5.1
>
> My bad there, although in my defense I'd have to say that I'm no longer used
> to seeing 2-digit year fields. Sadly, that brings up another, worse question.
> If the software knows the certificate expired 2 months ago, why won't it let
> me re-issue it?
ikectl ca isn't particularly sophisticated - should be ok to just move the old cert out of the way.
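The date-format confusion above is worth seeing in code. The following is an added example, not part of this thread and not OpenBSD or ikectl code: it decodes the RFC 5280 UTCTime string the way Theo describes (YYMMDDHHMMSSZ, two-digit year, 50-99 meaning 19YY and 00-49 meaning 20YY), shows what the same digits become when misread as Unix seconds as `date -r` does, and reports whether the certificate has expired relative to a given date. It goes one step beyond the thread by also accepting GeneralizedTime (YYYYMMDDHHMMSSZ), which RFC 5280 requires for dates from 2050 onward. The expiry string and the "now" of 2025-11-15 are constructed from the thread's own values.

```python
"""Decode an X.509 notAfter time string and check it for expiry.

Added example (not from the mailing-list thread). Implements the RFC 5280
section 4.1.2.5.1 rules for UTCTime and GeneralizedTime.
"""
import re
from datetime import datetime, timedelta, timezone

# UTCTime: YYMMDDHHMMSSZ (the form ikectl printed); GeneralizedTime: YYYYMMDDHHMMSSZ
_UTCTIME = re.compile(r"(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z")
_GENERALIZEDTIME = re.compile(r"(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z")


def parse_x509_time(value: str) -> datetime:
    """Parse an RFC 5280 UTCTime or GeneralizedTime into an aware UTC datetime."""
    value = value.strip()
    if m := _UTCTIME.fullmatch(value):
        yy, mo, dd, hh, mi, ss = (int(g) for g in m.groups())
        # RFC 5280: two-digit years 50..99 are 1950..1999, 00..49 are 2000..2049
        year = 1900 + yy if yy >= 50 else 2000 + yy
    elif m := _GENERALIZEDTIME.fullmatch(value):
        year, mo, dd, hh, mi, ss = (int(g) for g in m.groups())
    else:
        raise ValueError(f"not an RFC 5280 time string: {value!r}")
    return datetime(year, mo, dd, hh, mi, ss, tzinfo=timezone.utc)


def misread_as_epoch(value: str) -> datetime:
    """What the digits mean if treated as seconds since 1970, as `date -r` does.

    Computed with a timedelta so it works even for years far beyond what the
    platform's gmtime() accepts.
    """
    seconds = int(value.strip().rstrip("Z"))
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=seconds)


def expiry_status(not_after: str, now: datetime) -> dict:
    """Compare a certificate's notAfter string with `now` (must be tz-aware)."""
    expires = parse_x509_time(not_after)
    remaining = expires - now
    return {
        "expires_utc": expires.isoformat(),
        "expired": remaining.total_seconds() < 0,
        "days_remaining": remaining.days,
    }


if __name__ == "__main__":
    NOT_AFTER = "250920224627Z"                          # constructed: value from the ikectl output above
    NOW = datetime(2025, 11, 15, tzinfo=timezone.utc)   # constructed: date of the reply
    print("UTCTime reading :", parse_x509_time(NOT_AFTER))   # 2025-09-20 22:46:27+00:00
    print("as Unix seconds :", misread_as_epoch(NOT_AFTER))  # year 9921, as in the thread
    print("status          :", expiry_status(NOT_AFTER, NOW))
```

Run it as a script to see the two readings side by side; the year-9921 result is exactly the `date -r` output in the thread, which is the tell that the field is not an epoch value.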

