can't read crl.pem
Posted: Tue Jun 16, 2015 3:55 pm
by kerrycao
Hello All
Since some colleagues left the company, I tried to revoke their certificates. Below are my steps.
1. Revoke the certificate. It is successful, because /etc/openvpn/easy-rsa/keys/index.txt indicates "R" for this certificate.
2. add below line in /etc/openvpn/server.conf
crl-verify /etc/openvpn/easy-rsa/keys/crl.pem
3. chmod 755 crl-verify /etc/openvpn/easy-rsa/keys
After reloading the OpenVPN configuration file, the log shows the error below.
cannot read: /etc/openvpn/easy-rsa/keys/crl.pem: No such file or directory (errno=2)
Any help would be appreciated. Thanks in advance.
Re: can't read crl.pem
Posted: Wed Jun 17, 2015 10:20 am
by maikcat
post your config please,
if you use user nobody to start the service you must have read permission to crl.pem
including read+execute in previous folders.
Michael.
Re: can't read crl.pem
Posted: Thu Feb 16, 2017 5:14 pm
by Zuendapp
Hi Michael,
I have the same problem. Can you tell me the command to set the permission correctly? In my logfile there is additionally an error setting a route (I have defined two routes in my config).
Thank you very much!
Best regards
Re: can't read crl.pem
Posted: Thu Feb 16, 2017 7:42 pm
by TinCanTech
maikcat wrote:
post your config please,
if you use user nobody to start the service you must have read permission to crl.pem
including read+execute in previous folders.
Michael.
Please see:
HOWTO: Request Help !
Re: can't read crl.pem
Posted: Fri Feb 17, 2017 11:24 am
by Zuendapp
Hi,
sorry, my version is V2.3.4:
Config:
# Server parameters
server 192.168.20.0 255.255.255.0
port 1194
proto udp
dev tun-UDP
user nobody
group nogroup
persist-key
persist-tun
#ifconfig-pool-persist ipp.txt
auth-user-pass-verify /usr/local/sbin/openvpn-auth via-file
script-security 2
client-config-dir /etc/openvpn/ccd
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.1.1"
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
client-to-client
crl-verify /etc/openvpn/easy-rsa/pki/crl.pem
max-clients 2
keepalive 10 120
# Control channel (TLS)
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
tls-auth ta.key 0
remote-cert-tls client
tls-server
# Data channel
auth SHA512
cipher AES-256-CBC
# Compression
comp-lzo
# Logging
log /var/log/openvpn.log
verb 3
status openvpn-status.log
# Certificates
ca ca.crt
cert server.crt
key server.key
dh dh4096.pem
When I delete "user nobody" and "group nogroup" it works fine.
Best regards
Re: can't read crl.pem
Posted: Fri Feb 17, 2017 12:45 pm
by TinCanTech
maikcat wrote: if you use user nobody to start the service you must have read permission to crl.pem
including read+execute in previous folders.
Michael.
Zuendapp wrote: Can you tell me the command to set the permission correctly?
See your distro documentation for file+directory permissions.
Zuendapp wrote: In my logfile is additionally an error to set a route
Post your log file @ --
verb 4
Re: can't read crl.pem
Posted: Wed Dec 27, 2017 7:57 am
by rgould
Is there any danger to running the service as root:root?
To bypass the above nobody:nogroup restrictions, I created /REV and stuck "crl.pem" in it, recursively changed ownership of /REV to nobody:nogroup, then changed the "crl-verify" option to
. Seems to be working. I'll revert to the previous config if it's safe to run the service as root:root.
Re: can't read crl.pem
Posted: Sun Sep 17, 2023 8:11 am
by secooonder
I'm having the same problem.
I did the following operations:
cd /etc/openvpn/easyrsa ;
./easyrsa gen-crl
cp crl.pem /etc/openvpn/
systemctl restart openvpn.server
When the client connected to the OpenVPN server, I got an error:
"can't read crl.pem"
The file permission is:
-rw------- 1 root root 796 Eyl 17 08:47 crl.pem
but I don't understand how to solve it.
Can you help me?
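The recurring cause in this thread is the one maikcat describes: after `user nobody` / `group nogroup`, OpenVPN opens crl.pem as that unprivileged user, so the file needs the r bit and every directory above it needs the x bit for that user. The `-rw------- root root crl.pem` listing in the last post fails the first test, and an easy-rsa `keys`/`pki` directory that is 0700 fails the second. The script below is an added example (not OpenVPN or easy-rsa code) that evaluates those mode bits for the nobody/nogroup identity without having to become that user, and installs a CRL copy with 0644 permissions in a location outside the key directory. The default target path `/etc/openvpn/easy-rsa/pki/crl.pem` is the one from Zuendapp's config; the 65534 fallback uid/gid is an assumption about the usual `nobody` account.

```python
"""Check whether an unprivileged OpenVPN process (user nobody / group nogroup)
can read a CRL file, and install a CRL with permissions that work.

Added example for this thread; it is not OpenVPN or easy-rsa code.
"""
import grp
import os
import pwd
import shutil
import stat
import sys

# Mode bits consulted for "read this file" and "search (traverse) this
# directory", in the order the kernel classifies a process: owner, group, other.
READ = (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)
SEARCH = (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)


def ids_for(user="nobody", group="nogroup"):
    """Resolve the uid, primary gid and supplementary gids OpenVPN drops to
    with 'user nobody' / 'group nogroup'. Falls back to 65534 (the usual
    value on Linux; an assumption) if the account does not exist locally."""
    try:
        uid = pwd.getpwnam(user).pw_uid
    except KeyError:
        uid = 65534
    try:
        gid = grp.getgrnam(group).gr_gid
    except KeyError:
        gid = 65534
    groups = [g.gr_gid for g in grp.getgrall() if user in g.gr_mem]
    return uid, gid, groups


def _allowed(st, uid, gid, groups, bits):
    """Classic DAC decision: root passes everything; otherwise exactly one of
    the owner/group/other classes applies, with no fall-through between them."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & bits[0])
    if st.st_gid == gid or st.st_gid in groups:
        return bool(st.st_mode & bits[1])
    return bool(st.st_mode & bits[2])


def access_problems(path, uid, gid, groups=()):
    """Return a list of (path, reason) explaining why uid/gid cannot open
    `path` for reading: every ancestor directory needs the x bit, the file
    itself needs the r bit. An empty list means the file is readable."""
    path = os.path.abspath(path)
    problems = []
    # Collect ancestors from "/" down to the file's own directory.
    ancestors = []
    d = os.path.dirname(path)
    while True:
        ancestors.append(d)
        parent = os.path.dirname(d)
        if parent == d:
            break
        d = parent
    ancestors.reverse()
    for d in ancestors:
        try:
            st = os.stat(d)
        except FileNotFoundError:
            return problems + [(d, "No such file or directory (errno=2)")]
        if not _allowed(st, uid, gid, groups, SEARCH):
            problems.append((d, "directory lacks search (x) permission for uid %d: "
                                "mode %s, owner %d:%d" % (uid, oct(st.st_mode & 0o777),
                                                          st.st_uid, st.st_gid)))
    try:
        st = os.stat(path)
    except FileNotFoundError:
        # The error from the first post: the crl.pem path simply does not exist.
        problems.append((path, "No such file or directory (errno=2)"))
        return problems
    if not _allowed(st, uid, gid, groups, READ):
        problems.append((path, "file lacks read permission for uid %d: mode %s, owner %d:%d"
                         % (uid, oct(st.st_mode & 0o777), st.st_uid, st.st_gid)))
    return problems


def install_crl(src, dest, mode=0o644):
    """Copy a freshly generated crl.pem to `dest` (e.g. /etc/openvpn/crl.pem),
    world-readable but writable only by the owner. A CRL is CA-signed public
    data, so 0644 discloses nothing, and the key directory itself can stay
    private. Write to a temporary name and rename so a reader never sees a
    half-written file."""
    tmp = dest + ".tmp"
    shutil.copyfile(src, tmp)   # content only; owner/mode are set explicitly
    os.chmod(tmp, mode)
    os.replace(tmp, dest)
    return dest


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/openvpn/easy-rsa/pki/crl.pem"
    uid, gid, groups = ids_for()
    found = access_problems(target, uid, gid, groups)
    if not found:
        print("%s: readable by uid %d" % (target, uid))
    for p, why in found:
        print("%s: %s" % (p, why))
    sys.exit(1 if found else 0)
```

Run it as `python3 check_crl.py /path/to/crl.pem` on the server; each reported line names the exact directory or file whose bits block the nobody user, which is what the `cannot read` log line hides. Note that `access_problems` reports nothing for uid 0, which is exactly why removing `user nobody` "fixes" the symptom: the process then reads everything, and the point of dropping privileges is lost. Copying the CRL out with `install_crl` (and pointing `crl-verify` at the copy) keeps the key directory closed while still letting the unprivileged process read the CRL.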
Re: can't read crl.pem
Posted: Tue Sep 19, 2023 5:09 am
by secooonder
Hi
Please help me