On Fri, Nov 14, 2025 at 04:23:21PM -0500, Chris Hilton wrote:
> I have a pair of servers, both running OpenBSD 7.6, that have a shared ikev2
> vpn via iked. This is working great; in fact it's working better than I
> expect it to. I've noticed two issues:
>
> * The certificates in my VPN expired about a month ago but the VPN keeps
> renegotiating. I stopped iked on one side for about an hour today and after
> I restarted it, the VPN had no trouble restarting.
>
> * Running `ikectl ca my-vpn-ca certificate my-host create` throws an error
> indicating that the certificate already exists. In fact it does but the
> certificate that it cites is the expired one.
>
> Please forgive my question if these two issues have been addressed since
> OpenBSD 7.6 became stale.
>
>
To follow up with the actual error message:
ERROR:There is already a certificate for /C=US/ST=...
The matching entry has the following details
Type :Valid
Expires on :250920224627Z
Serial Number :04
Note well that when I assume that the date given is seconds since 01/01/1970 and I
do this:
$ date -r 250920224627
Sat May 7 02:23:47 EDT 9921
I'm assuming that I'm missing something on the date format?
> Thanks
> --
> Chris
>
> __o "All I was trying to do was get home from work."
> _`\<,_ -Rosa Parks
> ___(*)/_(*)____.___o____..___..o...________ooO..._____________________
> Christopher Sean Hilton [chris/at/vindaloo/dot/com]
--
Chris
__o "All I was trying to do was get home from work."
_`\<,_ -Rosa Parks
___(*)/_(*)____.___o____..___..o...________ooO..._____________________
Christopher Sean Hilton [chris/at/vindaloo/dot/com]
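
Added example, not part of the original message: the "Expires on" value has the shape of an ASN.1 UTCTime (YYMMDDHHMMSSZ), so 250920224627Z reads as 2025-09-20 22:46:27 UTC rather than as an epoch count. The sketch below parses that format and lists entries still flagged "V" after their expiry; it assumes the tab-separated index layout of OpenSSL's `ca` database, and the sample lines, subjects and reference time are constructed.

```python
from datetime import datetime, timezone

def parse_asn1_time(stamp):
    """Parse UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    digits = stamp[:-1]
    if not stamp.endswith("Z") or not digits.isdigit():
        raise ValueError("not a UTC ASN.1 time: %r" % stamp)
    if len(digits) == 12:
        yy = int(digits[:2])
        # RFC 5280 pivot for two-digit years: 50-99 -> 19xx, 00-49 -> 20xx
        year = (1900 if yy >= 50 else 2000) + yy
        rest = digits[2:]
    elif len(digits) == 14:
        year, rest = int(digits[:4]), digits[4:]
    else:
        raise ValueError("unexpected length: %r" % stamp)
    mo, dd, hh, mi, ss = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, mo, dd, hh, mi, ss, tzinfo=timezone.utc)

def stale_valid_entries(index_text, now):
    """Return (serial, expiry) for entries flagged V whose expiry is before now."""
    stale = []
    for line in index_text.splitlines():
        # Assumed columns: status, expiry, revocation, serial, file, subject
        fields = line.split("\t")
        if len(fields) < 6 or fields[0] != "V":
            continue
        expiry = parse_asn1_time(fields[1])
        if expiry < now:
            stale.append((fields[3], expiry))
    return stale

# Constructed sample index; only the expiry and serial of the first entry
# come from the error message above, the subjects are placeholders.
SAMPLE_INDEX = (
    "V\t250920224627Z\t\t04\tunknown\t/C=XX/CN=expired-host.example\n"
    "V\t350101000000Z\t\t05\tunknown\t/C=XX/CN=current-host.example\n"
    "R\t240101000000Z\t240201000000Z\t03\tunknown\t/C=XX/CN=revoked-host.example\n"
)

if __name__ == "__main__":
    # Constructed reference time, roughly when the message was sent
    now = datetime(2025, 11, 14, 21, 23, 21, tzinfo=timezone.utc)
    for serial, expiry in stale_valid_entries(SAMPLE_INDEX, now):
        print("serial %s still flagged V, expired %s" % (serial, expiry.isoformat()))
```

The "V" flag is a database status field that is not re-evaluated against the clock on its own, which is why an expired entry can still be reported as "Type :Valid".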