[Solved] Regenerate expired crl?

Scripts to manage certificates or generate config files
gradinaruvasile
OpenVpn Newbie
Posts: 2
Joined: Sat Jan 07, 2017 10:55 pm

[Solved] Regenerate expired crl?

Postby gradinaruvasile » Sat Jan 07, 2017 11:09 pm

I have 2 openvpn servers running on my home rig (Debian testing distro). After the upgrade from openvpn 2.3 to 2.4, I observed that my clients cannot connect to either of those servers.

Excerpt from server log (removed IP addresses and other personal info):

Code:

Mon Jan  2 07:37:10 2017 us=426660 1.2.3.4:36241 TLS: Initial packet from [AF_INET]1.2.3.4:36241, sid=66129e86 1e790a7e
Mon Jan  2 07:37:10 2017 us=466023 1.2.3.4:36241 VERIFY ERROR: depth=0, error=CRL has expired: C=XX, ST=XX, L=XXX, O=None, CN=mycn, emailAddress=my@email
Mon Jan  2 07:37:10 2017 us=466182 1.2.3.4:36241 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Mon Jan  2 07:37:10 2017 us=466201 1.2.3.4:36241 TLS_ERROR: BIO read tls_read_plaintext error
Mon Jan  2 07:37:10 2017 us=466215 1.2.3.4:36241 TLS Error: TLS object -> incoming plaintext read error
Mon Jan  2 07:37:10 2017 us=466228 1.2.3.4:36241 TLS Error: TLS handshake failed
Mon Jan  2 07:37:10 2017 us=466290 1.2.3.4:36241 SIGUSR1[soft,tls-error] received, client-instance restarting

I filed a bug in the Debian bug tracker here, and they said I should regenerate the CRL because it had expired.

OpenVPN 2.4 no longer accepts CRLs whose nextUpdate field lies in the past.

How can I do that, knowing that I have a few already revoked certificates that I would like to keep that way? And how can I control the nextUpdate field?
Thanks.

mwandelaar
OpenVPN Expert
Posts: 219
Joined: Mon Nov 23, 2009 8:24 pm

Re: Regenerate expired crl?

Postby mwandelaar » Sun Jan 08, 2017 12:36 pm

How do you manage your PKI? With EasyRSA? Plain openssl?
Every tool gives you the option to generate a new CRL. And as a specific cert is already revoked, it stays revoked in a new CRL.

gradinaruvasile
OpenVpn Newbie
Posts: 2
Joined: Sat Jan 07, 2017 10:55 pm

Re: Regenerate expired crl?

Postby gradinaruvasile » Tue Jan 10, 2017 6:21 pm

Ok, managed to do it. Thanks for the info.
I used openssl for PKI management.

I modified the following lines in openssl.cnf to look like this:

Code:

default_days   = 3650         # how long to certify for
default_crl_days= 3650         # how long before next CRL

Then regenerated the CRL:

Code:

openssl ca -gencrl -keyfile keys/ca.key -cert keys/ca.crt -out keys/crl.pem -config ./openssl.cnf

Now with openvpn 2.4 the clients are connecting fine.
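
The procedure in the thread, worked through as an added shell example (this is not code from the poster or from OpenVPN): it builds a throwaway CA driven by plain `openssl ca`, revokes one client certificate, regenerates the CRL with `-crldays` (the command-line counterpart of `default_crl_days`, and the knob that sets nextUpdate), and checks that the revocation survives in the new CRL. It goes one step beyond the post by reproducing the `CRL has expired` verify error with `openssl verify -attime` against a short-lived CRL. The scratch directory, config section names and CNs are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the poster's own setup: a throwaway CA driven with plain
# "openssl ca", one revoked client, a CRL regenerated with a chosen nextUpdate,
# and verification the way OpenVPN 2.4 does it. Paths and CNs are hypothetical.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory, assumed writable
CNF="$WORK/openssl.cnf"

# Minimal openssl.cnf; default_crl_days fills nextUpdate when -crldays is absent.
write_config() {
    mkdir -p "$WORK/newcerts"; : > "$WORK/index.txt"; echo 01 > "$WORK/serial"
    cat > "$CNF" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $WORK
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 3650
default_crl_days = 30
policy = policy_any
x509_extensions = client_ext
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Self-signed CA plus two client certs issued through the CA database.
build_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$CNF" \
        -extensions ca_ext -subj "/CN=Lab CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    for cn in client1 client2; do
        openssl req -new -newkey rsa:2048 -nodes -config "$CNF" -subj "/CN=$cn" \
            -keyout "$WORK/$cn.key" -out "$WORK/$cn.csr" 2>/dev/null
        openssl ca -batch -notext -config "$CNF" \
            -in "$WORK/$cn.csr" -out "$WORK/$cn.crt" 2>/dev/null
    done
}

# Mark client2 revoked in index.txt; the entry survives every later -gencrl.
revoke_client2() { openssl ca -config "$CNF" -revoke "$WORK/client2.crt" 2>/dev/null; }

# Regenerate the CRL; -crldays overrides default_crl_days and sets nextUpdate.
gen_crl() {
    openssl ca -config "$CNF" -gencrl -crldays "$1" \
        -keyfile "$WORK/ca.key" -cert "$WORK/ca.crt" -out "$2" 2>/dev/null
}

crl_next_update() { openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//'; }
revoked_serials() { openssl crl -in "$1" -noout -text | awk '/Serial Number:/ {print $3}'; }

# Verify a client cert against CA + CRL like OpenVPN's crl-verify, optionally
# as of a Unix timestamp (-attime). Prints OK, REVOKED, CRL_EXPIRED or FAIL.
verify_client() {
    cert="$1"; crl="$2"; at="${3:-}"
    set -- -crl_check -CAfile "$WORK/ca.crt" -CRLfile "$crl"
    [ -n "$at" ] && set -- "$@" -attime "$at"
    out=$(openssl verify "$@" "$cert" 2>&1 || true)
    case "$out" in
        *"certificate revoked"*) echo REVOKED ;;
        *"CRL has expired"*)     echo CRL_EXPIRED ;;
        *": OK"*)                echo OK ;;
        *)                       echo FAIL ;;
    esac
}

write_config; build_pki; revoke_client2
gen_crl 3650 "$WORK/crl.pem"        # what the post did: a 10-year nextUpdate
gen_crl 1    "$WORK/crl-short.pem"  # 1-day CRL, to reproduce the 2.4 failure
LATER=$(( $(date +%s) + 2 * 86400 ))  # "two days from now"
echo "nextUpdate:      $(crl_next_update "$WORK/crl.pem")"
echo "revoked serials: $(revoked_serials "$WORK/crl.pem" | tr '\n' ' ')"
echo "client1 now:     $(verify_client "$WORK/client1.crt" "$WORK/crl.pem")"
echo "client2 now:     $(verify_client "$WORK/client2.crt" "$WORK/crl.pem")"
echo "client1 in 2d:   $(verify_client "$WORK/client1.crt" "$WORK/crl-short.pem" "$LATER")"
```

Two things worth noting from the run: the revoked serial is carried into every regenerated CRL because `openssl ca -gencrl` is built from `index.txt`, not from the old CRL file, so the old CRL can simply be overwritten; and the last line shows exactly the `CRL has expired` condition from the server log, which OpenVPN 2.4 treats as a hard verify failure. A 3650-day nextUpdate makes that failure go away, but it also means a server will keep accepting a stale CRL for a decade if you forget to republish after a revocation; a shorter interval with a scheduled `-gencrl` (cron, or a hook in whatever script revokes certs) gives the same fix while keeping the expiry check meaningful.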

