Reset-ssl-cert is not working

Our Let’s Encrypt certificate expired and we could not connect to the WebUI via Chrome or Firefox (Luckily, there are still browsers that can).

We tried running pritunl reset-ssl-cert and received the “Server ssl certificate successfully reset” message, but now the webUI isn’t even running. Not sure what steps to take next.

Adding some detail: The first time I ran reset-ssl-cert the following appeared in the log:

[evening-thunder-9118][2022-12-12 08:59:32,707][INFO] Settings changed, restarting server…
ssl_changed = false
cert_changed = true
key_changed = true
port_changed = false
redirect_server_changed = false
reverse_proxy_changed = false
[evening-thunder-9118][2022-12-12 08:59:33,318][INFO] Server restarting…
[evening-thunder-9118][2022-12-12 08:59:33,368][INFO] Starting server
selinux_context = "none"
[evening-thunder-9118][2022-12-12 08:59:33,368][INFO] Generating server certificate…
[evening-thunder-9118][2022-12-12 08:59:33,432][ERROR] Popen returned error exit code
cmd = ["openssl", "ecparam", "-name", "secp384r1", "-genkey", "-noout", "-out", "/tmp/pritunl_45a70cb6026e4b98b523fd1111b27402/server.key"]
return_code = 1

And then the /tmp/pritunl_45a70cb6026e4b98b523fd1111b27402 folder disappeared.

Chrome will block access if the domain name is used; you will need to enter the IP address of the domain into the address bar. If the server is accessed with an IP address, Chrome will allow accessing the server with an invalid certificate.

Thanks for the reply, Zach.

However, as I mentioned, after we ran the reset-ssl-cert the webUI crashed. We had to wait until after hours to restart it.

Still, reset-ssl-cert did not work. It generated a bad certificate. We had to copy the server.crt and server.key from a test server, which is using the default certificate, and then restart pritunl to get it working again.

It will generate a self-signed certificate, which requires bypassing the certificate error in Chrome. This may also require accessing the server using the IP address instead of the domain name.
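
The log in this thread records only `return_code = 1` for the `openssl ecparam` step, so the following added example (not part of the thread and not Pritunl's own code) re-runs that same key-generation command by hand so openssl's error text is visible, then checks that a `server.crt`/`server.key` pair belongs together and is not about to expire before it is installed. The certificate subject, the 365-day lifetime and the function names are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example, not Pritunl code. CN and validity period are constructed values.

# Re-run the key-generation command from the log in a path we control,
# so openssl's own error message (absent from the log) appears on stderr.
gen_key() {  # $1 = output key path
  openssl ecparam -name secp384r1 -genkey -noout -out "$1" || return 1
  chmod 600 "$1"   # private key readable by its owner only
}

# Self-signed certificate for an existing key (assumed parameters).
gen_cert() {  # $1 = key path, $2 = output cert path
  openssl req -new -x509 -key "$1" -out "$2" -days 365 \
    -subj "/CN=vpn.example.test"
}

# True only if the certificate's public key equals the private key's.
pair_matches() {  # $1 = cert path, $2 = key path
  local from_cert from_key
  from_cert=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  from_key=$(openssl pkey -in "$2" -pubout) || return 1
  [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# True if the certificate is still valid $2 seconds from now.
valid_for() {  # $1 = cert path, $2 = seconds
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

demo() {
  local dir
  dir=$(mktemp -d) || return 1
  if gen_key "$dir/server.key" && gen_cert "$dir/server.key" "$dir/server.crt" \
     && pair_matches "$dir/server.crt" "$dir/server.key" \
     && valid_for "$dir/server.crt" 86400; then
    echo "pair OK"
    # Details worth recording before trusting the certificate in a browser.
    openssl x509 -in "$dir/server.crt" -noout -subject -enddate -fingerprint -sha256
  else
    echo "key/certificate generation or validation failed" >&2
  fi
  rm -rf "$dir"
}
demo
```

Running `pair_matches` and `valid_for` against a pair copied from another host shows whether the two files match and how long the certificate has left, and the printed SHA-256 fingerprint can be compared with the one the browser displays when the certificate warning is bypassed.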