can't read crl.pem

Scripts to manage certificates or generate config files
kerrycao
OpenVpn Newbie
Posts: 1
Joined: Tue Jun 16, 2015 3:46 pm

can't read crl.pem

Postby kerrycao » Tue Jun 16, 2015 3:55 pm

Hello All

Since some colleagues left the company, I am trying to revoke their certificates. Below are my steps.
1. Revoke the certificate. It is successful, because /etc/openvpn/easy-rsa/keys/index.txt indicates "R" for this certificate.

2. Add the line below to /etc/openvpn/server.conf

crl-verify /etc/openvpn/easy-rsa/keys/crl.pem

3. chmod 755 crl-verify /etc/openvpn/easy-rsa/keys

After reloading the OpenVPN configuration file, the log shows the error below.

cannot read: /etc/openvpn/easy-rsa/keys/crl.pem: No such file or directory (errno=2)

Any help would be appreciated. Thanks in advance.

maikcat
Forum Team
Posts: 4199
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: can't read crl.pem

Postby maikcat » Wed Jun 17, 2015 10:20 am

Post your config please.

If you use user nobody to start the service, you must have read permission on crl.pem,
including read+execute on the parent folders.

Michael.

Zuendapp
OpenVpn Newbie
Posts: 6
Joined: Fri Mar 20, 2015 3:03 pm

Re: can't read crl.pem

Postby Zuendapp » Thu Feb 16, 2017 5:14 pm

Hi Michael,

I have the same problem. Can you tell me the command to set the permissions correctly? In my logfile there is additionally an error setting a route (I have defined two routes in my config).

Thank you very much!

Best regards

TinCanTech
OpenVPN Protagonist
Posts: 2110
Joined: Fri Jun 03, 2016 1:17 pm

Re: can't read crl.pem

Postby TinCanTech » Thu Feb 16, 2017 7:42 pm

maikcat wrote:
post your config please,

If you use user nobody to start the service, you must have read permission on crl.pem,
including read+execute on the parent folders.

Michael.


Please see:
HOWTO: Request Help !

Zuendapp
OpenVpn Newbie
Posts: 6
Joined: Fri Mar 20, 2015 3:03 pm

Re: can't read crl.pem

Postby Zuendapp » Fri Feb 17, 2017 11:24 am

Hi,

Sorry, my version is V2.3.4:

Config:


# Server parameters
server 192.168.20.0 255.255.255.0
port 1194
proto udp
dev tun-UDP
user nobody
group nogroup
persist-key
persist-tun
#ifconfig-pool-persist ipp.txt
auth-user-pass-verify /usr/local/sbin/openvpn-auth via-file
script-security 2
client-config-dir /etc/openvpn/ccd
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.1.1"
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
client-to-client
crl-verify /etc/openvpn/easy-rsa/pki/crl.pem
max-clients 2
keepalive 10 120

# Control channel (TLS)
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
tls-auth ta.key 0
remote-cert-tls client
tls-server

# Data channel
auth SHA512
cipher AES-256-CBC

# Compression
comp-lzo

# Logging
log /var/log/openvpn.log
verb 3
status openvpn-status.log

# Certificates
ca ca.crt
cert server.crt
key server.key
dh dh4096.pem


When I delete "user nobody" and "group nogroup" it works fine.

Best regards

TinCanTech
OpenVPN Protagonist
Posts: 2110
Joined: Fri Jun 03, 2016 1:17 pm

Re: can't read crl.pem

Postby TinCanTech » Fri Feb 17, 2017 12:45 pm

maikcat wrote:
If you use user nobody to start the service, you must have read permission on crl.pem,
including read+execute on the parent folders.

Michael.

Zuendapp wrote:
Can you tell me the command to set the permissions correctly?

See your distro documentation for file+directory permissions.

Zuendapp wrote:
In my logfile there is additionally an error setting a route

Post your log file @ --verb 4
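The permission rule maikcat states above is the whole fix for Zuendapp's case, and it is worth seeing why it bites only the CRL: ca, cert, key and dh are read once at startup while the daemon is still root, but OpenVPN 2.3 reopens the crl-verify file for every client connection, after it has already switched to "user nobody". kerrycao's error is a different one (errno=2, the file does not exist yet), so a permission change alone would not have helped there. The script below is an added example written for this editing pass, not code from the thread or from the OpenVPN project. It assumes the service user owns nothing in the path and is in none of the groups, so only the "other" bits decide access (o+x on every parent directory, o+r on the file), and it assumes an ls that prints the mode string in its first column. The function names check_crl_path, other_bits and install_crl are my own.

```shell
#!/bin/sh
# Added example, not from the thread: check whether an OpenVPN server that
# drops privileges ("user nobody" / "group nogroup") can still open the file
# named by crl-verify, and install the CRL somewhere it can.
# Assumptions: the service user is neither owner nor group member of any path
# component, so only the "other" bits decide access (o+x on every parent
# directory, o+r on the file); ls prints the mode string in its first column.
# ACLs, SELinux/AppArmor policy and chroot are not considered here.

# other_bits PATH -> prints the "other" rwx triple, e.g. "r-x" for mode 755.
# -L follows symlinks so a linked crl.pem is judged by its target.
other_bits() {
    ls -ldL "$1" | cut -c8-10
}

# check_crl_path FILE
# Returns 0 if FILE exists, is world-readable and every parent directory is
# world-searchable; otherwise prints the first offending component and
# returns 1. A missing file (OpenVPN's errno=2) is reported separately from a
# permission problem (errno=13).
check_crl_path() {
    crl=$1
    if [ ! -f "$crl" ]; then
        echo "MISSING: $crl (generate the CRL before starting the server)"
        return 1
    fi
    # Resolve to an absolute, symlink-free directory so the walk ends at /.
    d=$(cd "$(dirname "$crl")" && pwd -P)
    while :; do
        # o+x shows as 'x', or 't' when the sticky bit is also set (/tmp).
        case $(other_bits "$d") in
            ??[xt]) ;;
            *) echo "NO SEARCH (o+x) on directory: $d"; return 1 ;;
        esac
        if [ "$d" = / ]; then break; fi
        d=$(dirname "$d")
    done
    case $(other_bits "$crl") in
        r??) echo "OK: $crl is reachable and readable by an unprivileged user"
             return 0 ;;
        *)   echo "NO READ (o+r) on file: $crl"; return 1 ;;
    esac
}

# install_crl SRC DEST
# Copy the CRL out of the PKI tree into a world-readable file such as
# /etc/openvpn/crl.pem, then point crl-verify at DEST. This avoids granting
# o+x on the easy-rsa directory that also holds the CA private key.
install_crl() {
    cp "$1" "$2" && chmod 644 "$2"
}

# Usage from the command line (file name crlcheck.sh is assumed):
#   . ./crlcheck.sh
#   check_crl_path /etc/openvpn/easy-rsa/pki/crl.pem || \
#       install_crl /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
```

Rather than loosening the mode of the easy-rsa directory so that the daemon can traverse it, copy the CRL next to server.conf each time you revoke a certificate and point crl-verify at the copy; the CRL is public data, the rest of the PKI tree is not. Re-run the copy after every revocation, since the daemon verifies against whatever file is at that path when a client connects.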

