无法连接,因为您的证书尚未生效。请检查您的系统时间是否正确

tag-icon tag-icon centos openvpn
无法连接,因为您的证书尚未生效。请检查您的系统时间是否正确

我不知道我做错了什么。我的时间是正确的,我甚至从微软更新了它。

客户端配置:

tls-client
client
dev tun
proto udp
remote xx.xxx.xxx.xxx 80
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
comp-lzo
verb 3
reneg-sec 0
route-method exe
route-delay 2
ca ca.crt
auth-user-pass

服务器配置:

local xx.xxx.xxx.xxx
port 80
proto udp
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.0.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
comp-lzo
persist-key
persist-tun
#status /etc/openvpn/logs/serverstatus-tcp.log
#log /etc/openvpn/logs/serverlog-tcp.log 
verb 3
float
duplicate-cn
#Limit server to a maximum of n concurrent clients.
max-clients 15
keepalive 20 300

证书

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=PH, ST=Benguet, L=Baguio City, O=company, OU=section, CN=skyflakes/name=none/emailAddress=none
        Validity
            Not Before: Aug  8 09:08:14 2011 GMT
            Not After : Aug  5 09:08:14 2021 GMT
        Subject: C=PH, ST=Benguet, L=Baguio City, O=company, OU=section, CN=server/name=none/emailAddress=none
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:cc:da:98:30:45:5b:45:1b:fb:19:dc:60:8a:07:
                    c1:f3:cd:0c:83:e2:a3:79:7a:5d:94:75:c9:7b:25:
                    30:36:c3:d9:51:f5:96:da:78:cf:d9:07:45:48:a6:
                    73:28:72:c4:bd:55:18:58:3e:f1:d4:a5:c3:1c:9b:
                    1c:22:c6:20:5e:c1:bb:14:d3:aa:f0:54:82:37:f6:
                    a1:47:75:75:a6:b4:a8:a7:d2:48:b8:f2:a0:ae:d0:
                    5d:1a:56:db:5e:b1:08:d9:d3:df:d5:56:ac:0b:0e:
                    39:0a:0c:6e:40:51:08:5e:c0:ae:32:85:a9:24:8f:
                    85:09:ff:72:16:26:e0:7e:cb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                Easy-RSA Generated Server Certificate
            X509v3 Subject Key Identifier:
                17:33:2D:C1:E5:F9:D0:AB:14:26:19:E5:C8:DC:BA:8E:D6:2C:81:01
            X509v3 Authority Key Identifier:
                keyid:AA:67:18:6E:E4:40:97:79:FC:52:78:ED:D1:30:C4:91:87:DC:24:58
                DirName:/C=PH/ST=Benguet/L=Baguio City/O=company/OU=section/CN=skyflakes/name=none/emailAddress=none
                serial:8E:66:F7:71:7B:7C:8E:78

            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
    Signature Algorithm: sha1WithRSAEncryption
        7e:cb:b2:73:3a:16:50:1a:88:e3:ad:e3:07:89:03:03:7b:42:
        0f:67:52:29:67:31:c1:18:aa:70:5a:bc:cf:4a:40:4b:41:c2:
        1b:08:cc:03:a5:70:ac:2b:bd:86:fb:c0:ec:99:eb:fb:cc:fc:
        99:e4:ea:a2:c0:59:66:a0:c6:22:4e:3e:43:20:87:e2:4e:48:
        d9:f4:9b:8e:f1:4b:e1:f0:7d:55:d6:85:ad:d1:70:7d:59:42:
        58:d4:21:22:9b:51:09:bb:e0:e8:05:75:1a:4c:a9:1d:a3:57:
        fd:77:57:70:5b:4c:36:4f:99:73:c8:4d:eb:d3:5b:d1:38:ca:
        b0:d8
-----BEGIN CERTIFICATE-----
MIIEVTCCA76gAwIBAgIBATANBgkqhkiG9w0BAQUFADCBrzELMAkGA1UEBhMCUEgx
EDAOBgNVBAgTB0Jlbmd1ZXQxFDASBgNVBAcTC0JhZ3VpbyBDaXR5MRAwDgYDVQQK
Ewdjb21wYW55MRAwDgYDVQQLEwdzZWN0aW9uMRIwEAYDVQQDEwlza3lmbGFrZXMx
GTAXBgNVBCkTEEpvaG4gQ3lydXMgRGF2aWQxJTAjBgkqhkiG9w0BCQEWFmFwYXRo
ZXRpYzAxMkBnbWFpbC5jb20wHhcNMTEwODA4MDkwODE0WhcNMjEwODA1MDkwODE0
WjCBrDELMAkGA1UEBhMCUEgxEDAOBgNVBAgTB0Jlbmd1ZXQxFDASBgNVBAcTC0Jh
Z3VpbyBDaXR5MRAwDgYDVQQKEwdjb21wYW55MRAwDgYDVQQLEwdzZWN0aW9uMQ8w
DQYDVQQDEwZzZXJ2ZXIxGTAXBgNVBCkTEEpvaG4gQ3lydXMgRGF2aWQxJTAjBgkq
hkiG9w0BCQEWFmFwYXRoZXRpYzAxMkBnbWFpbC5jb20wgZ8wDQYJKoZIhvcNAQEB
BQADgY0AMIGJAoGBAMzamDBFW0Ub+xncYIoHwfPNDIPio3l6XZR1yXslMDbD2VH1
ltp4z9kHRUimcyhyxL1VGFg+8dSlwxybHCLGIF7BuxTTqvBUgjf2oUd1daa0qKfS
SLjyoK7QXRpW216xCNnT39VWrAsOOQoMbkBRCF7ArjKFqSSPhQn/chYm4H7LAgMB
AAGjggGAMIIBfDAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDA0BglghkgB
hvhCAQ0EJxYlRWFzeS1SU0EgR2VuZXJhdGVkIFNlcnZlciBDZXJ0aWZpY2F0ZTAd
BgNVHQ4EFgQUFzMtweX50KsUJhnlyNy6jtYsgQEwgeQGA1UdIwSB3DCB2YAUqmcY
buRAl3n8Unjt0TDEkYfcJFihgbWkgbIwga8xCzAJBgNVBAYTAlBIMRAwDgYDVQQI
EwdCZW5ndWV0MRQwEgYDVQQHEwtCYWd1aW8gQ2l0eTEQMA4GA1UEChMHY29tcGFu
eTEQMA4GA1UECxMHc2VjdGlvbjESMBAGA1UEAxMJc2t5Zmxha2VzMRkwFwYDVQQp
ExBKb2huIEN5cnVzIERhdmlkMSUwIwYJKoZIhvcNAQkBFhZhcGF0aGV0aWMwMTJA
Z21haWwuY29tggkAjmb3cXt8jngwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCwYDVR0P
BAQDAgWgMA0GCSqGSIb3DQEBBQUAA4GBAH7LsnM6FlAaiOOt4weJAwN7Qg9nUiln
McEYqnBavM9KQEtBwhsIzAOlcKwrvYb7wOyZ6/vM/Jnk6qLAWWagxiJOPkMgh+JO
SNn0m47xS+HwfVXWha3RcH1ZQljUISKbUQm74OgFdRpMqR2jV/13V3BbTDZPmXPI
TevTW9E4yrDY
-----END CERTIFICATE-----

答案1

我在 2011 年 8 月 8 日 09:39BST 读到您的问题,也就是 2011 年 8 月 8 日 08:39GMT,上面说您是在 9 小时前写的这个问题。该证书说其有效性为“不早于:2011 年 8 月 8 日 09:08:14 GMT”,所以它还要 29 分钟才会生效,而您写问题时它还未生效。等半个小时再试一次;每个人的时钟都正确,错误信息的意思可能和它说的完全一样!

答案2

我也遇到过这个问题...检查并更新客户端和服务器上的日期/时间。就我而言,创建证书时服务器时钟并不正确。您可以等到证书生效——或者——更正服务器上的时钟(日期和时间),然后删除旧证书并重新颁发所有证书。

答案3

即使时间显示正确,也要验证时区是否正确。我以前也遇到过这个问题(虽然不是在使用 NTP 时),如果你有时间源,纠正起来相当容易。在 Ubuntu 上,用于更改系统范围时区的工具是 tzselect,你可以使用 TZ 环境变量在短期或个人基础上编辑显示时区。

显示当前时区:date +%Z

系统时区:cat /etc/timezone

相关内容