Hi @dtischler,
Thank you for the input. That put me on the right track. I think that renewing all certs with the quickstart script would possibly create a new root CA. But I only need a new server cert. But maybe you are right and this way works as well.
I chose a different way and manually created a new server certificate with the following steps.
- Renamed the following old files in the config/certs/vpn folder:
    issued/vpn.balena.iet.mw.tu-dresden.crt
    private/vpn.balena.iet.mw.tu-dresden.key
    reqs/vpn.balena.iet.mw.tu-dresden.req
    index.txt
- Download easy-rsa to a temporary folder and extract it with the following command:
    curl -sL https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.5/EasyRSA-nix-3.0.5.tgz | tar xz --strip-components=1
- Recreate the server certificate with its key using this command:
    ./easyrsa/easyrsa --pki-dir="./vpn" --days=730 build-server-full "vpn.<server-domain>" nopass
- Convert the cert and key files to base64 strings with these commands and replace the values of the keys OPENBALENA_VPN_SERVER_CRT and OPENBALENA_VPN_SERVER_KEY:
    echo "$(cat ./vpn/issued/vpn.<server-domain>.crt)" | base64 --wrap=0 2>/dev/null
    echo "$(cat ./vpn/private/vpn.<server-domain>.key)" | base64 --wrap=0 2>/dev/null
- Recreate the VPN container:
    ./scripts/compose up -d --force-recreate --no-deps
These steps worked for me; the client connected after a short time and was marked as online in the device list.
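
Added example, not part of the original post: a check to run between the base64 step and recreating the container, confirming that the two encoded values match the files on disk, that the certificate belongs to the key, and that it is not about to expire. The function names, the 30-day default and reading the values from the environment are assumptions of this example.

```shell
#!/bin/sh
# Added example: sanity checks for a renewed VPN server certificate before
# the container is recreated. Needs openssl and a base64 that supports -w.

# encode_pem FILE: the post's encoding (base64 -w 0 is the short --wrap=0).
encode_pem() { echo "$(cat "$1")" | base64 -w 0 2>/dev/null; }

# b64_matches_file VALUE FILE: VALUE must decode to FILE's exact content.
b64_matches_file() {
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
    [ -n "$decoded" ] && [ "$decoded" = "$(cat "$2")" ]
}

# cert_matches_key CRT KEY: both files must carry the same public key.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$crt_pub" = "$key_pub" ]
}

# cert_valid_for CRT DAYS: certificate must not expire within DAYS days.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# check_vpn_cert CRT KEY CRT_B64 KEY_B64 [DAYS]; DAYS defaults to 30 (assumed).
# Returns 0 if all checks pass, otherwise 2..5 naming the failed check.
check_vpn_cert() {
    b64_matches_file "$3" "$1" || { echo "CRT value differs from $1" >&2; return 2; }
    b64_matches_file "$4" "$2" || { echo "KEY value differs from $2" >&2; return 3; }
    cert_matches_key "$1" "$2" || { echo "certificate and key do not match" >&2; return 4; }
    cert_valid_for "$1" "${5:-30}" || { echo "certificate expires too soon" >&2; return 5; }
}

# Stand-alone use (assumption: both values are exported in the environment):
#   ./check-vpn-cert.sh ./vpn/issued/vpn.<server-domain>.crt ./vpn/private/vpn.<server-domain>.key
if [ "$#" -ge 2 ]; then
    check_vpn_cert "$1" "$2" "$OPENBALENA_VPN_SERVER_CRT" "$OPENBALENA_VPN_SERVER_KEY" "${3:-30}"
fi
```

A non-zero return before the container is recreated means the VPN service would start with a stale, mismatched or soon-to-expire certificate.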