We have recently received some reports of users experiencing issues connecting to our service using OpenVPN. Upon further investigation, we found that a small portion of our users had their OpenVPN certificates set to an expiry date in 2015; some as early as July and August of 2015.
While an expired certificate does not pose any security risk, it will prevent you from fully authenticating to our OpenVPN endpoints.
Please read on for further information about the issue and the steps that need to be taken to fix your OpenVPN setup.
For starters, how did this happen?
At some (early) point in the Tunnelr development phase, we had rolled out code that set the expiry date on newly created certificates to a date that seemed "pretty distant" in the future - 999 days from the day of registration.
The idea was that a security-focused company should not be issuing certificates that last 100 years and would instead force users to change them every once in a while. After some time though, this idea seemed pretty silly - we always had the ability to revoke certificates (if they were compromised) and we always utilized two-factor authentication. So, shortly after coming to this conclusion, we updated our code to set the expiry date to a more distant time in the future.
This brings us to now...
Only a small portion of users is affected by this issue. If you have experienced any problems connecting to OpenVPN for the past couple of days - you are likely experiencing a certificate problem. In addition to this blog post, we have also reached out to those affected by email, which also includes the necessary steps to fix this problem.
In order to reset your certificates (and effectively, update their expiration date), please follow these steps:
3. Click on "Yes, reset my certificate!"
Once this is done, you will be able to re-download your certificate bundle and either re-import the OpenVPN configuration into your OpenVPN client of choice or, for those who are more familiar with their OpenVPN software, simply replace the old certificate, key and ca file with the new ones.
Once this has been completed, you should be able to successfully connect and authenticate to any of our OpenVPN nodes.
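If you replace the files by hand, you can confirm the new bundle before reconnecting. The script below is an added example, not Tunnelr's own tooling: it uses the `openssl` command line to show the certificate's expiry date and to check that the key and CA file go with the certificate. The file names in the usage line and the 30-day warning window are assumptions.

```shell
#!/bin/sh
# Added example: sanity-check an OpenVPN certificate bundle with openssl.
# Usage (file names are assumptions): sh check_bundle.sh ca.crt client.crt client.key

# Print the certificate's expiry (notAfter) date.
cert_enddate() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Succeed if the certificate is still valid $2 seconds from now (0 = right now).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Succeed if the private key ($2) belongs to the certificate ($1).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Succeed if the certificate ($2) verifies against the CA file ($1).
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Run all checks; returns 0 only if nothing failed.
check_bundle() {
    ca=$1; cert=$2; key=$3; rc=0
    echo "certificate expires: $(cert_enddate "$cert")"
    if ! cert_valid_for "$cert" 0; then
        echo "FAIL: certificate has expired"; rc=1
    else
        # 30-day warning window is an arbitrary choice for this example
        cert_valid_for "$cert" 2592000 || echo "WARN: expires within 30 days"
        chain_ok "$ca" "$cert" || { echo "FAIL: does not verify against $ca"; rc=1; }
    fi
    key_matches_cert "$cert" "$key" || { echo "FAIL: key does not match certificate"; rc=1; }
    return "$rc"
}

if [ "$#" -eq 3 ]; then
    check_bundle "$@"
fi
```

Running it against the old files first shows the expiry date that was causing the authentication failure.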
If you run into any problems while performing any of the above steps or require any further clarification - please feel free to open a ticket in our helpdesk.