Excerpt from server log (removed IP addresses and other personal info):
Code: Select all
Mon Jan 2 07:37:10 2017 us=426660 184.108.40.206:36241 TLS: Initial packet from [AF_INET]220.127.116.11:36241, sid=66129e86 1e790a7e
Mon Jan 2 07:37:10 2017 us=466023 18.104.22.168:36241 VERIFY ERROR: depth=0, error=CRL has expired: C=XX, ST=XX, L=XXX, O=None, CN=mycn, emailAddress=my@email
Mon Jan 2 07:37:10 2017 us=466182 22.214.171.124:36241 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Mon Jan 2 07:37:10 2017 us=466201 126.96.36.199:36241 TLS_ERROR: BIO read tls_read_plaintext error
Mon Jan 2 07:37:10 2017 us=466215 188.8.131.52:36241 TLS Error: TLS object -> incoming plaintext read error
Mon Jan 2 07:37:10 2017 us=466228 184.108.40.206:36241 TLS Error: TLS handshake failed
Mon Jan 2 07:37:10 2017 us=466290 220.127.116.11:36241 SIGUSR1[soft,tls-error] received, client-instance restarting
I filed a bug in the Debian bug tracker here and they said i should regenerate the CRL because it expired.
OpenVPN 2.4 no longer accepts CRLs who's nextUpdate field lies in the
How can i do that knowing that i have a few already revoked certificates and i would like to keep them that way? And how can i control the nextupdate field?