Renew passhportd TLS certificate


If you installed PaSSHport a year from now, you may encounter this message when you try to connect :

# ssh
No such user in PaSSHport database.
tip: it can be a SSL certificate misconfiguration.
Connection to closed

This usually means that passhport (the script) can't connect to passhportd, and the most common cause is that the TLS certificate generated on installation is outdated.

passhport@passhport-srv:~$ openssl x509 -in /home/passhport/certs/cert.pem -noout -text | grep Validity -A 2
          Not Before: Sep 11 10:48:55 2020 GMT
          Not After : Sep 11 10:48:55 2021 GMT

As you can see above, the cert is only generated for a year. It has been created on PaSSHport automated installation.

Renew certificate with OpenSSL

To renew the certificate, use the openssl command, as follow :

root@passhport:~# openssl req -new -key "/home/passhport/certs/key.pem" \
-config "/home/passhport/passhport/tools/openssl-for-passhportd.cnf" \
-out "/home/passhport/certs/cert.pem" \
-subj "/C=FR/ST=Ile De France/L=Ivry sur Seine/O=LibrIT/OU=DSI/" \
-x509 \
-days 365 \
-sha256 \
-extensions v3_req

This will generate a self-signed certificate, like the one generated during the installation. It will be valid for 1 year. Change the values to your needs.

Restart passhportd

You now just need to restart passhportd :

root@passhport:~# systemctl restart passhportd.service

You should now be able to use PaSSHport again.