[Solved] Regenerate expired crl?

Scripts to manage certificates or generate config files

Moderators: TinCanTech

gradinaruvasile
OpenVpn Newbie
Posts: 2
Joined: Sat Jan 07, 2017 10:55 pm

[Solved] Regenerate expired crl?

Post by gradinaruvasile » Sat Jan 07, 2017 11:09 pm

I have 2 openvpn servers running on my home rig (Debian testing distro). After the upgrade from openvpn 2.3 to 2.4 I observed that my clients cannot connect to either of those servers.

Excerpt from server log (removed IP addresses and other personal info):

Mon Jan  2 07:37:10 2017 us=426660 1.2.3.4:36241 TLS: Initial packet from [AF_INET]1.2.3.4:36241, sid=66129e86 1e790a7e
Mon Jan  2 07:37:10 2017 us=466023 1.2.3.4:36241 VERIFY ERROR: depth=0, error=CRL has expired: C=XX, ST=XX, L=XXX, O=None, CN=mycn, emailAddress=my@email
Mon Jan  2 07:37:10 2017 us=466182 1.2.3.4:36241 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Mon Jan  2 07:37:10 2017 us=466201 1.2.3.4:36241 TLS_ERROR: BIO read tls_read_plaintext error
Mon Jan  2 07:37:10 2017 us=466215 1.2.3.4:36241 TLS Error: TLS object -> incoming plaintext read error
Mon Jan  2 07:37:10 2017 us=466228 1.2.3.4:36241 TLS Error: TLS handshake failed
Mon Jan  2 07:37:10 2017 us=466290 1.2.3.4:36241 SIGUSR1[soft,tls-error] received, client-instance restarting

I filed a bug in the Debian bug tracker here and they said I should regenerate the CRL because it expired:

    OpenVPN 2.4 no longer accepts CRLs whose nextUpdate field lies in the past.

How can I do that, knowing that I have a few already revoked certificates and I would like to keep them that way? And how can I control the nextUpdate field?
Thanks.

mwandelaar
OpenVPN Super User
Posts: 219
Joined: Mon Nov 23, 2009 8:24 pm

Re: Regenerate expired crl?

Post by mwandelaar » Sun Jan 08, 2017 12:36 pm

How do you manage your PKI? With EasyRSA? Plain openssl?
Every tool gives you the option to generate a new CRL. And as a specific cert is already revoked, it stays revoked in a new CRL.

gradinaruvasile
OpenVpn Newbie
Posts: 2
Joined: Sat Jan 07, 2017 10:55 pm

Re: Regenerate expired crl?

Post by gradinaruvasile » Tue Jan 10, 2017 6:21 pm

OK, managed to do it. Thanks for the info.
I used openssl for PKI management.

I modified the following lines in openssl.cnf to look like this:

default_days	= 3650			# how long to certify for
default_crl_days= 3650			# how long before next CRL

Then regenerated the CRL:

openssl ca -gencrl -keyfile keys/ca.key -cert keys/ca.crt -out keys/crl.pem -config ./openssl.cnf

Now with openvpn 2.4 the clients are connecting fine.
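The two questions in the opening post (does a regenerated CRL keep earlier revocations, and what controls nextUpdate) and the fix in the post above can be checked end to end with a throwaway CA. The script below is an added example, not code from the thread or from the OpenVPN project. It assumes only the openssl CLI (1.1.1 or later) and a temp directory; the CA name "Test CA", the client names client1/client2, the config layout and all function names are my own. A CRL with `-crlsec 1` plus a short sleep stands in for the OP's stale CRL, and `openssl verify -crl_check` stands in for what OpenVPN's TLS verify does with the file, so the same "CRL has expired" and "certificate revoked" outcomes appear.

```shell
#!/bin/sh
# Added example (not from the forum thread or the OpenVPN project): build a
# throwaway CA with the same "plain openssl" layout the OP used, revoke one
# cert, reproduce "CRL has expired", then regenerate the CRL as the OP did
# and confirm the revoked serial is still listed. Everything lives in $WORK.
set -e

WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/openssl.cnf"

# Minimal openssl.cnf for 'openssl ca'. default_crl_days is the setting the OP
# changed: nextUpdate = issue time + this many days (assumed layout, not the OP's file).
write_cnf() {
    cat > "$CNF" <<EOF
[ ca ]
default_ca       = CA_default

[ CA_default ]
dir              = $WORK
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 3650
default_crl_days = $1
policy           = policy_any

[ policy_any ]
commonName       = supplied

[ req ]
distinguished_name = req_dn
prompt           = no

[ req_dn ]
commonName       = placeholder   # overridden by -subj on the command line

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
}

setup_ca() {
    mkdir -p "$WORK/newcerts"
    : > "$WORK/index.txt"
    echo 01 > "$WORK/serial"
    echo 01 > "$WORK/crlnumber"
    write_cnf 3650
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 -config "$CNF" \
        -extensions v3_ca -subj "/CN=Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# issue_cert NAME: CSR + 'openssl ca' signing; the cert is recorded in index.txt
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config "$CNF" -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl ca -batch -config "$CNF" -in "$WORK/$1.csr" -out "$WORK/$1.crt" 2>/dev/null
}

# revoke_cert NAME: flips the index.txt entry to R. Every later -gencrl is built
# from index.txt, not from the old crl.pem, which is why revocations survive.
revoke_cert() { openssl ca -config "$CNF" -revoke "$WORK/$1.crt" 2>/dev/null; }

# gen_crl [ARGS]: the OP's command; -crldays/-crlhours/-crlsec override default_crl_days
gen_crl() {
    openssl ca -gencrl -keyfile "$WORK/ca.key" -cert "$WORK/ca.crt" \
        -out "$WORK/crl.pem" -config "$CNF" "$@" 2>/dev/null
}

crl_next_update() { openssl crl -in "$WORK/crl.pem" -noout -nextupdate; }

# crl_lists_serial NAME: exit 0 if NAME's serial appears in the current CRL
crl_lists_serial() {
    serial=$(openssl x509 -in "$WORK/$1.crt" -noout -serial | cut -d= -f2)
    openssl crl -in "$WORK/crl.pem" -noout -text | grep -q "Serial Number: $serial\$"
}

# verify_status NAME: ok | revoked | crl-expired, from the same X509 checks OpenVPN runs
verify_status() {
    out=$(openssl verify -crl_check -CAfile "$WORK/ca.crt" -CRLfile "$WORK/crl.pem" \
          "$WORK/$1.crt" 2>&1) || true
    case "$out" in
        *"CRL has expired"*)     echo crl-expired ;;
        *"certificate revoked"*) echo revoked ;;
        *": OK"*)                echo ok ;;
        *)                       echo "other: $out" ;;
    esac
}

setup_ca
issue_cert client1
issue_cert client2
revoke_cert client1

gen_crl -crlsec 1               # CRL whose nextUpdate is already in the past
sleep 2
STALE1=$(verify_status client1)  # crl-expired: even the revoked client hits this first
STALE2=$(verify_status client2)  # crl-expired: the valid client is rejected too

gen_crl                          # regenerate with default_crl_days from the config
crl_next_update                  # nextUpdate is now ten years out
FRESH1=$(verify_status client1)  # revoked: the old revocation carried over
FRESH2=$(verify_status client2)  # ok
echo "stale: $STALE1 $STALE2  fresh: $FRESH1 $FRESH2  (files in $WORK)"
```

The point to take away is that `openssl ca -gencrl` reads index.txt, so every line marked `R` there ends up in the new CRL regardless of what the old crl.pem said; only the signature, lastUpdate and nextUpdate are new. A ten-year nextUpdate avoids the outage in this thread, but it also means a client that caches the CRL has no reason to refetch it for ten years, so on a real server the CRL still has to be regenerated and redeployed after every revocation.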

ArnoldGoat
OpenVpn Newbie
Posts: 3
Joined: Sat Aug 03, 2013 2:22 am
Location: New Zealand

Re: [Solved] Regenerate expired crl?

Post by ArnoldGoat » Tue May 09, 2017 3:41 am

Thanks for that. Fixed my problem too. In case it's not clear, the clients need no changes (fortunately!)

jasonmicron
OpenVpn Newbie
Posts: 1
Joined: Sat May 13, 2017 6:54 pm

Re: [Solved] Regenerate expired crl?

Post by jasonmicron » Sat May 13, 2017 6:55 pm

I just wanted to say thanks as well.
