I have systems that sometimes lose time drastically due to low RTC battery voltage such that the system time lies outside these boundaries (/etc/openvpn/certificate):

```
Not Before: Jun 18 16:40:18 2012 GMT
Not After : Jun 16 16:40:18 2023 GMT
```

I would still like to have these systems connect to the VPN, so I don't get messages like:

```
Feb 6 13:50:58 hostname ovpn-client[2217]: VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=ZA/ST=GA/L=Johannesburg/O=Embedded_IQ/CN=Embedded_IQ_CA/[email protected]
```

I can avoid this problem by simply correcting the datetime on these systems, but it's not always feasible... these are remote systems.

tshepang
  • Why don't you just set up an [ntp](http://en.wikipedia.org/wiki/Network_Time_Protocol) client? – goldilocks Feb 17 '14 at 16:15
  • I do have it set up, but when datetime is too far off, [ntpd refuses to correct it](http://unix.stackexchange.com/q/52002). – tshepang Feb 17 '14 at 16:17
  • run `ntpdate` every now and then (rather than `ntpd`), it will correct even big errors. – umläute Feb 17 '14 at 16:18
  • You could set up a little `init` script that sets the date to a reasonable fixed minimum (say, February 17, 2013) if it is set to anything older. Then `ntp` synchronization etc. can take over. – alexis Feb 17 '14 at 16:19
  • @umläute Use `ntpd -g` to allow the first adjustment to be Big. – kev May 23 '15 at 16:05

1 Answer

You could simply synchronize the time using ntp right before you start the connection, e.g. by using a little script to connect to the VPN:

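```sh
#!/bin/sh
# One-shot sync: ntpdate steps the clock even when the offset is large.
ntpdate ntp.example.com
# Start the tunnel once the clock has been set.
openvpn --config myvpn.conf
```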
umläute
  • I set system time using gpsd. These systems are placed on vehicles, so they won't always have a nice view of the sky. – tshepang Feb 17 '14 at 16:29
  • but in order to connect to the VPN, they have to see the vpn-server...so you could even run an ntp-server on the vpn-server.... – umläute Feb 17 '14 at 16:31
  • The connection to the VPN server does not need to be that reliable, but the system time needs to be. – tshepang Feb 18 '14 at 09:31
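
The fixed-minimum idea from the question's comments, combined with the answer's `ntpdate` wrapper, as an added example that is not part of the original thread: instead of a hard-coded date, the floor is taken from the latest `notBefore` in the certificate chain, and certificate verification stays enabled. It assumes GNU `date` and `openssl`; the certificate file names are placeholders, while `ntp.example.com` and `myvpn.conf` come from the answer.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes GNU date and openssl.
# Placeholder paths: use the files named by the ca/cert lines in your config.
CERTS="/etc/openvpn/ca.crt /etc/openvpn/client.crt"

# "notBefore=Jun 18 16:40:18 2012 GMT" -> epoch seconds (UTC).
openssl_date_to_epoch() {
    date -u -d "${1#*=}" +%s
}

# Read `openssl x509 -noout -startdate` lines on stdin, print the latest
# notBefore. Every certificate in the chain must already be valid, so the
# latest start date is the lowest clock value that can pass verification.
clock_floor() {
    max=0
    while IFS= read -r line; do
        t=$(openssl_date_to_epoch "$line") || return 1
        if [ "$t" -gt "$max" ]; then max=$t; fi
    done
    echo "$max"
}

# Print the epoch to set the clock to, or nothing if the clock is not
# earlier than the floor. A clock that is ahead is never moved backwards.
clock_correction() {  # args: now_epoch floor_epoch
    if [ "$1" -lt "$2" ]; then echo $(( $2 + 60 )); fi
}

sync_and_connect() {
    floor=$(for c in $CERTS; do
                openssl x509 -in "$c" -noout -startdate
            done | clock_floor) || exit 1
    [ "$floor" -gt 0 ] || exit 1          # no certificate could be read
    fix=$(clock_correction "$(date -u +%s)" "$floor")
    if [ -n "$fix" ]; then
        logger -t vpn-clock "clock predates certificates, setting to @$fix"
        date -u -s "@$fix" >/dev/null
    fi
    # Real time still has to come from NTP (or GPS); the floor only moves
    # the clock into the range where the handshake can succeed.
    ntpdate ntp.example.com || logger -t vpn-clock "ntpdate failed"
    exec openvpn --config myvpn.conf
}

# Only act when called with --run, so the functions can be sourced and tested.
if [ "${1:-}" = "--run" ]; then sync_and_connect; fi
```

Until a real time source corrects it, a clock sitting at the floor makes expired certificates look valid and leaves log timestamps unreliable, so treat the floor as a bootstrap step only.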