Page 1 of 1

[Solved] Regenerate expired crl?

Posted: Sat Jan 07, 2017 11:09 pm
by gradinaruvasile
I have 2 openvpn servers running on my home rig (Debian testing distro). After the upgrade from openvpn 2.3 to 2.4 i observed that my clients cannot connect to either of those servers.

Excerpt from server log (removed IP addresses and other personal info):

Code: Select all

Mon Jan  2 07:37:10 2017 us=426660 1.2.3.4:36241 TLS: Initial packet from [AF_INET]1.2.3.4:36241, sid=66129e86 1e790a7e
Mon Jan  2 07:37:10 2017 us=466023 1.2.3.4:36241 VERIFY ERROR: depth=0, error=CRL has expired: C=XX, ST=XX, L=XXX, O=None, CN=mycn, emailAddress=my@email
Mon Jan  2 07:37:10 2017 us=466182 1.2.3.4:36241 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Mon Jan  2 07:37:10 2017 us=466201 1.2.3.4:36241 TLS_ERROR: BIO read tls_read_plaintext error
Mon Jan  2 07:37:10 2017 us=466215 1.2.3.4:36241 TLS Error: TLS object -> incoming plaintext read error
Mon Jan  2 07:37:10 2017 us=466228 1.2.3.4:36241 TLS Error: TLS handshake failed
Mon Jan  2 07:37:10 2017 us=466290 1.2.3.4:36241 SIGUSR1[soft,tls-error] received, client-instance restarting

I filed a bug in the Debian bug tracker here and they said i should regenerate the CRL because it expired.

OpenVPN 2.4 no longer accepts CRLs who's nextUpdate field lies in the
past.

How can i do that knowing that i have a few already revoked certificates and i would like to keep them that way? And how can i control the nextupdate field?
Thanks.

Re: Regenerate expired crl?

Posted: Sun Jan 08, 2017 12:36 pm
by mwandelaar
How do you manage your PKI? With EasyRSA? Plain openssl?
Every tool gives you the option to generate a new CRL. And as a specific cert is allready revoked, it stays revoked in a new CRL.

Re: Regenerate expired crl?

Posted: Tue Jan 10, 2017 6:21 pm
by gradinaruvasile
Ok, managed to do it. Thanks for the info.
I used openssl for PKI management.

I modified the following lines in openssl.cnf to look like this:

Code: Select all

default_days   = 3650         # how long to certify for
default_crl_days= 3650         # how long before next CRL

Then regenerated the CRL:

Code: Select all

openssl ca  -gencrl -keyfile keys/ca.key -cert keys/ca.crt  -out keys/crl.pem -config ./openssl.cnf

Now with openvpn 2.4 the clients are connecting fine.

Re: [Solved] Regenerate expired crl?

Posted: Tue May 09, 2017 3:41 am
by ArnoldGoat
Thanks for that. Fixed my problem too. In case it's not clear, the clients need no changes (fortunately!)

Re: [Solved] Regenerate expired crl?

Posted: Sat May 13, 2017 6:55 pm
by jasonmicron
I just wanted to say thanks as well.