Hi,

------- Original Message -------
On Wednesday, March 8th, 2023 at 20:07, Bo Berglund <bo.bergl...@gmail.com> wrote:


> This happens on an updated easyrsa3 installation (see other thread for 
> details).
> 
> --------------------------------------------
> (previously existing client)
> $ easyrsa show-cert BrittisUbu
> 
> Showing cert details for: 'BrittisUbu'
> 
> This file is stored at:
> * /home/bosse/openvpn/easyrsa3/pki/issued/BrittisUbu.crt
> Certificate:
> Data:
> <snip>
> 
> X509v3 Extended Key Usage:
> TLS Web Client Authentication
> X509v3 Key Usage:
> Digital Signature
> X509v3 Subject Alternative Name:
> DNS:BrittisUbu
> -------------------------------------------
> 
> But when I try this I receive an error:
> 
> $ easyrsa show-expire BrittisUbu
> 
> * Using Easy-RSA configuration: /home/bosse/openvpn/easyrsa3/pki/vars
> 
> * Using SSL: openssl OpenSSL 1.1.1f 31 Mar 2020
> 
> 
> WARNING
> =======
> Untrapped error detected!
> --------------------------------------------
> 
> Next when I try with a client created after the update (no password on this):
> 
> $ easyrsa show-expire TestClientNP
> 
> * Using Easy-RSA configuration: /home/bosse/openvpn/easyrsa3/pki/vars
> 
> * Using SSL: openssl OpenSSL 1.1.1f 31 Mar 2020
> --------------------------------------------
> 
> And when I try with a new client with a password:
> 
> $ easyrsa show-expire TestClientPW
> 
> * Using Easy-RSA configuration: /home/bosse/openvpn/easyrsa3/pki/vars
> 
> * Using SSL: openssl OpenSSL 1.1.1f 31 Mar 2020
> 
> 
> WARNING
> =======
> Untrapped error detected!
> --------------------------------------------
> 
> Using easyrsa show-cert ClientName does show the cert (see start of post)
> 
> If I use this directly it correctly shows the expiration dates for all certs:
> 
> openssl x509 -dates -noout -in $CERT
> 
> (when $CERT is any of the above)
> 
> (Must be executed inside the directory holding the crt files i.e. pki/issued)
> 
> What have I missed now?
> I thought it would show when the cert is due to expire, but maybe not?
> 

Ok.

For the use of show-expire there is a cut-off number of days: --days=90
If you set --days to exceed when the cert will expire, e.g. --days=7301, then
it should list the expire date, at least it does for me.
This is a legacy method, related to "valid renewal period"; it can be
improved.

As for the "untrapped error", stumped, I will try some tests.

Thanks
R
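The cut-off idea from the reply, reproduced with plain openssl as an added example (not Easy-RSA's own code and not part of the original messages): a certificate is listed only when its notAfter date falls inside the given number of days, and an unparsable file is reported instead of aborting the run. The function name `expiring_within` and its arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list certificates in an Easy-RSA "issued" directory whose
# notAfter date falls within a cut-off window, using only openssl x509.

# expiring_within DAYS DIR   (hypothetical helper, not an easyrsa command)
#   Prints "<name> <notAfter>" for every DIR/*.crt that expires within DAYS.
#   Returns 0 on success, 2 if any file could not be parsed as a certificate.
expiring_within() {
    days=$1
    dir=$2
    secs=$((days * 86400))
    rc=0
    for crt in "$dir"/*.crt; do
        [ -e "$crt" ] || continue            # directory holds no .crt files
        name=$(basename "$crt" .crt)
        # Parse first, so a damaged file is reported rather than being
        # mistaken for an expiring certificate.
        if ! end=$(openssl x509 -noout -enddate -in "$crt" 2>/dev/null); then
            echo "cannot parse: $crt" >&2
            rc=2
            continue
        fi
        # -checkend exits 0 when the cert is still valid SECS seconds from
        # now, non-zero when it will have expired by then.
        if ! openssl x509 -noout -checkend "$secs" -in "$crt" >/dev/null; then
            echo "$name ${end#notAfter=}"
        fi
    done
    return "$rc"
}

# Stand-alone use: sh script.sh 90 pki/issued
if [ "$#" -ge 2 ]; then
    expiring_within "$1" "$2"
fi
```

With a small window the function prints nothing for a certificate that is still far from expiry, which is the same "no output" result seen for TestClientNP in the quoted message.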
