Solved: Cant renew expiring certificate

Wayne_Hammond · ‎2025-01-02

Hi,

My VPN certificate on R81.20 Gateway expires soon and I went through the usual process of deleting the existing and creating a new one, however today I got hit with this message

I have not seen this before and cant find anyway round it. Found a similar post about using GuiDBedit, but that didnt work.

Any help greatly appreciated

Happy New Year

Wayne

AkosBakos · ‎2025-01-02

Maybe it is time to open a TAC case.

----------------
\m/_(>_<)_\m/

View solution in original post

Wayne_Hammond · ‎2025-01-15

Fixed it.

First took snapshot of SM VM (in case I bust it)

Used GuiDBedit and found entry for VPN refence in the FW object

Deleted it

Saved changes

Said a prayer

Opened Smart Console

VPN reference gone

Pushed policy for good measure

Still gone

Case closed

Thanks for all your help guys !!

View solution in original post

PhoneBoy · ‎2025-01-24

Depending on the JHF level, you might need to reboot for the change to take effect as I believe this is a known issue.

View solution in original post

Wayne_Hammond · ‎2025-01-25

I tried a CPSTOP and CPSTART and that did the trick.

Thanks

View solution in original post

Lesley · ‎2025-01-02

I never delete and always use renew, have you tried that?

So instead of delete either add or renew?

You try it now to renew it under IPSec VPN correct?

-------
If you like this post please give a thumbs up(kudo)! 🙂

Wayne_Hammond · ‎2025-01-02

Hi Lesley,

The renew option has never been available for certs generated by external CA (i assumed this was the case)

I cannot renew and if i try ADD i cant use the same CN details

Cheers

Wayne

Lesley · ‎2025-01-02

Ah not self-signed.

What if you create a temp self signed cert and attach that, after that try to remove the old one.

-------
If you like this post please give a thumbs up(kudo)! 🙂

Wayne_Hammond · ‎2025-01-02

Still no go

AkosBakos · ‎2025-01-02

Hi @Wayne_Hammond

Can you share a little bit larger screenshot? In which menu did you get this message?

Whan you changed this cert last time, this cert was used in clientless VPN too?

Akos

----------------
\m/_(>_<)_\m/

Wayne_Hammond · ‎2025-01-02

Hi Akos,

My larger images seem to get removed. I always do this under IPSecVPN and have never configured Clientless VPN

Cheers

Wayne

AkosBakos · ‎2025-01-02

To clarify this, so here:

You add the new one, then can't remove the old one?

----------------
\m/_(>_<)_\m/

Wayne_Hammond · ‎2025-01-02

Correct, at the moment I have a cert installed from an EXT CA

When i try to remove (as renew greyed out), the error message appears

I have never seen this before

Thanks

AkosBakos · ‎2025-01-02

I had a try, I wanted to delete the cert which was issued by ICA

I got this error:

Maybe helps.

A

----------------
\m/_(>_<)_\m/

the_rock · ‎2025-01-02

Weird, just tried in my lab and though its part of 3 commuities, does not give that error.

Andy

Lesley · ‎2025-01-02

Make sure that if you have the temp cert active the old one is not configured in a different place.

Did you checked all the menu options in the firewall object itself? Like under VPN clients.

-------
If you like this post please give a thumbs up(kudo)! 🙂

Wayne_Hammond · ‎2025-01-02

Hi Lesley,

Yes, i cannot see it selected anywhere else

Lesley · ‎2025-01-02

I think we need some screenshots. Sometimes a feature is disabled and you need to enable it in order for renewal.

-------
If you like this post please give a thumbs up(kudo)! 🙂

AkosBakos · ‎2025-01-02

We haven't talk about the version. What is current version?

I found this sk, but it is not relevant, R80.20 is not supported, and the error message is totally different.

https://support.checkpoint.com/results/sk/sk108064

Akos

----------------
\m/_(>_<)_\m/

Wayne_Hammond · ‎2025-01-02

Saw that, but it did nothing

Thanks

AkosBakos · ‎2025-01-02

Maybe it is time to open a TAC case.

----------------
\m/_(>_<)_\m/

Wayne_Hammond · ‎2025-01-02

Yes time for TAC

AkosBakos · ‎2025-01-02

Please keep us updated. 🙂

----------------
\m/_(>_<)_\m/

the_rock · ‎2025-01-02

I believe what its telling you to do is remove any references of that certificate currently, install policy and then delete option would work.

Andy

Wayne_Hammond · ‎2025-01-05

yes, I am pretty sure all refences have been removed.

Waiting for TAC

Cheers all !!

Wayne_Hammond · ‎2025-01-15

Fixed it.

First took snapshot of SM VM (in case I bust it)

Used GuiDBedit and found entry for VPN refence in the FW object

Deleted it

Saved changes

Said a prayer

Opened Smart Console

VPN reference gone

Pushed policy for good measure

Still gone

Case closed

Thanks for all your help guys !!

the_rock · ‎2025-01-15

Great!

AkosBakos · ‎2025-01-15

Thanks to share with us!

----------------
\m/_(>_<)_\m/

Wayne_Hammond · ‎2025-01-24

Hi Guys,

I seem to have now developed another issue, similare to post https://community.checkpoint.com/t5/Remote-Access-VPN/Remove-Access-VPN-Gateway-presenting-wrong-cer...

With the faulty Ext CA gone, I got a new one and it all installed ok, however when I inspect the SSL cert the FW presents the default one and not the Ext CA.

Very weird

Any ideas?

Thanks

Wayne

PhoneBoy · ‎2025-01-24

Depending on the JHF level, you might need to reboot for the change to take effect as I believe this is a known issue.

Wayne_Hammond · ‎2025-01-25

I tried a CPSTOP and CPSTART and that did the trick.

Thanks

PhoneBoy · ‎2025-01-27

That should work also.

Are you a member of CheckMates?

Cant renew expiring certificate