[Solved] Regenerate expired crl?
Posted: Sat Jan 07, 2017 11:09 pm
I have 2 openvpn servers running on my home rig (Debian testing distro). After the upgrade from openvpn 2.3 to 2.4 I observed that my clients cannot connect to either of those servers.
I filed a bug in the Debian bug tracker here and they said I should regenerate the CRL because it expired.
Excerpt from server log (removed IP addresses and other personal info):
Mon Jan 2 07:37:10 2017 us=426660 1.2.3.4:36241 TLS: Initial packet from [AF_INET]1.2.3.4:36241, sid=66129e86 1e790a7e
Mon Jan 2 07:37:10 2017 us=466023 1.2.3.4:36241 VERIFY ERROR: depth=0, error=CRL has expired: C=XX, ST=XX, L=XXX, O=None, CN=mycn, emailAddress=my@email
Mon Jan 2 07:37:10 2017 us=466182 1.2.3.4:36241 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Mon Jan 2 07:37:10 2017 us=466201 1.2.3.4:36241 TLS_ERROR: BIO read tls_read_plaintext error
Mon Jan 2 07:37:10 2017 us=466215 1.2.3.4:36241 TLS Error: TLS object -> incoming plaintext read error
Mon Jan 2 07:37:10 2017 us=466228 1.2.3.4:36241 TLS Error: TLS handshake failed
Mon Jan 2 07:37:10 2017 us=466290 1.2.3.4:36241 SIGUSR1[soft,tls-error] received, client-instance restarting
How can I do that, knowing that I have a few already revoked certificates and I would like to keep them that way? And how can I control the nextupdate field?
OpenVPN 2.4 no longer accepts CRLs whose nextUpdate field lies in the past.
Thanks.
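Added example, not part of the original post: with a CA driven by `openssl ca`, revocations are recorded in the CA database (`index.txt`), so regenerating the CRL lists them again, and `-crldays` (or `default_crl_days` in the config) sets nextUpdate. The throwaway CA, file names and lifetimes are assumptions, and the `openssl` CLI must be installed.

```shell
#!/bin/sh
# Constructed demo on a throwaway CA; every name, path and lifetime here is an
# assumption for illustration, not taken from the poster's setup.

make_demo_ca() {   # $1 = empty directory; builds a CA and revokes one client cert
  ( cd "$1" && mkdir newcerts && : > index.txt && echo 01 > serial &&
    echo 01 > crlnumber && cat > ca.cnf <<'EOF' &&
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ ca ]
default_ca = demo
[ demo ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 30
default_crl_days = 1
policy = pol
[ pol ]
commonName = supplied
EOF
    openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
      -subj "/CN=Demo CA" -keyout ca.key -out ca.crt 2>/dev/null &&
    openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
      -subj "/CN=client1" -keyout c.key -out c.csr 2>/dev/null &&
    openssl ca -batch -config ca.cnf -in c.csr -out c.crt 2>/dev/null &&
    openssl ca -config ca.cnf -revoke c.crt 2>/dev/null )
}

# Regenerate the CRL from the CA database: entries marked R in index.txt are
# listed again, and -crldays sets how far ahead nextUpdate is placed.
gen_crl() {        # $1 = CA dir, $2 = days until nextUpdate, $3 = output file
  ( cd "$1" && openssl ca -config ca.cnf -gencrl -crldays "$2" -out "$3" 2>/dev/null )
}
revoked_count() { openssl crl -in "$1" -noout -text | grep -c 'Serial Number:'; }
next_update()   { openssl crl -in "$1" -noout -nextupdate; }

demo=$(mktemp -d) && make_demo_ca "$demo" && gen_crl "$demo" 3650 crl.pem &&
  echo "revoked entries: $(revoked_count "$demo/crl.pem"); $(next_update "$demo/crl.pem")"
```

On a real CA only the `gen_crl` step applies: run it against the existing CA directory and config, then point the server's `crl-verify` file at the new CRL.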