can't read crl.pem

Scripts to manage certificates or generate config files

Moderators: TinCanTech

kerrycao
OpenVpn Newbie
Posts: 1
Joined: Tue Jun 16, 2015 3:46 pm

can't read crl.pem

Post by kerrycao » Tue Jun 16, 2015 3:55 pm

Hello All

Since some colleagues left the company, I tried to revoke their certificates; below are my steps.
1. Revoke the certificate. It is successful, because /etc/openvpn/easy-rsa/keys/index.txt indicates "R" for this certificate.

2. add below line in /etc/openvpn/server.conf

crl-verify /etc/openvpn/easy-rsa/keys/crl.pem

3. chmod 755 crl-verify /etc/openvpn/easy-rsa/keys

After reloading the OpenVPN configuration file, the log shows the error below.

cannot read: /etc/openvpn/easy-rsa/keys/crl.pem: No such file or directory (errno=2)

Any help would be appreciated. Thanks in advance.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: can't read crl.pem

Post by maikcat » Wed Jun 17, 2015 10:20 am

Post your config please.

If you use user nobody to start the service, you must have read permission on crl.pem,
including read+execute on the parent folders.

Michael.

Zuendapp
OpenVpn Newbie
Posts: 6
Joined: Fri Mar 20, 2015 3:03 pm

Re: can't read crl.pem

Post by Zuendapp » Thu Feb 16, 2017 5:14 pm

Hi Michael,

I have the same problem. Can you tell me the command to set the permissions correctly? In my logfile there is additionally an error setting a route (I have defined two routes in my config).

Thank you very much!

Best regards

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: can't read crl.pem

Post by TinCanTech » Thu Feb 16, 2017 7:42 pm

maikcat wrote:
Post your config please.

If you use user nobody to start the service, you must have read permission on crl.pem,
including read+execute on the parent folders.

Michael.

Please see:
HOWTO: Request Help !

Zuendapp
OpenVpn Newbie
Posts: 6
Joined: Fri Mar 20, 2015 3:03 pm

Re: can't read crl.pem

Post by Zuendapp » Fri Feb 17, 2017 11:24 am

Hi,

sorry, my version is V2.3.4:

Config:


# Server parameters
server 192.168.20.0 255.255.255.0
port 1194
proto udp
dev tun-UDP
user nobody
group nogroup
persist-key
persist-tun
#ifconfig-pool-persist ipp.txt
auth-user-pass-verify /usr/local/sbin/openvpn-auth via-file
script-security 2
client-config-dir /etc/openvpn/ccd
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.1.1"
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
client-to-client
crl-verify /etc/openvpn/easy-rsa/pki/crl.pem
max-clients 2
keepalive 10 120

# Control channel (TLS)
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
tls-auth ta.key 0
remote-cert-tls client
tls-server

# Data channel
auth SHA512
cipher AES-256-CBC

# Compression
comp-lzo

# Logging
log /var/log/openvpn.log
verb 3
status openvpn-status.log

# Certificates
ca ca.crt
cert server.crt
key server.key
dh dh4096.pem

When I delete "user nobody" and "group nogroup" it works fine.

Best regards

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: can't read crl.pem

Post by TinCanTech » Fri Feb 17, 2017 12:45 pm

maikcat wrote:
If you use user nobody to start the service, you must have read permission on crl.pem,
including read+execute on the parent folders.

Michael.

Zuendapp wrote:
Can you tell me the command to set the permissions correctly?

See your distro documentation for file+directory permissions.

Zuendapp wrote:
In my logfile there is additionally an error setting a route

Post your log file @ --verb 4

rgould
OpenVpn Newbie
Posts: 2
Joined: Wed Dec 27, 2017 7:52 am

Re: can't read crl.pem

Post by rgould » Wed Dec 27, 2017 7:57 am

Is there any danger to running the service as root:root?

To bypass the above nobody:nogroup restrictions, I created /REV and stuck "crl.pem" in it, recursively changed ownership of /REV to nobody:nogroup, then changed the "crl-verify" option to


crl-verify /REV/crl.pem

Seems to be working. I'll revert to the previous config if it's safe to run the service as root:root.

secooonder
OpenVpn Newbie
Posts: 17
Joined: Sat Aug 10, 2019 8:40 am

Re: can't read crl.pem

Post by secooonder » Sun Sep 17, 2023 8:11 am

I'm having the same problem.
I did the following operations:

cd /etc/openvpn/easyrsa ;
./easyrsa gen-crl
cp crl.pem /etc/openvpn/
systemctl restart openvpn.server

When the client connected to the OpenVPN server, I got an error:
"can't read crl.pem"

File permissions are:
-rw------- 1 root root 796 Eyl 17 08:47 crl.pem

But I don't understand how to solve it.
Can you help me?
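As an added example (not code from this thread, from OpenVPN or from easy-rsa), here is a POSIX shell script that checks what maikcat describes above: a daemon running as user nobody needs the "other" read bit on crl.pem and the "other" execute bit on every directory above it. It also covers the errno=2 case from the first post (the file is missing or the path is wrong), and it repairs the permissions in place, which is the alternative to rgould's separate /REV directory and to running the service as root. The directory tree built with mktemp and the placeholder CRL content are constructed for the demonstration; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OpenVPN project.
# Checks whether a crl.pem can be opened by an unprivileged OpenVPN daemon
# (user nobody / group nogroup): the file must exist, every directory on the
# way down must be searchable by others (o+x) and the file must be readable
# by others (o+r). Paths and files in demo() are constructed for demonstration.

# 10-character mode string of a path, e.g. "-rw-r--r--" (parsed from ls, portable).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# check_crl_readable CRL [BASE]
# Walks from dirname(CRL) up to, but not including, BASE (default "/") and
# checks the "other" execute bit on each directory, then the "other" read bit
# on CRL itself. Prints a reason with the offending path and returns 1 on the
# first problem; prints "ok" and returns 0 otherwise.
check_crl_readable() {
    crl="$1"; base="${2:-/}"
    if [ ! -e "$crl" ]; then
        echo "missing: $crl"          # the "No such file or directory (errno=2)" case
        return 1
    fi
    dir=$(dirname "$crl")
    while [ "$dir" != "$base" ] && [ "$dir" != "/" ]; do
        case "$(mode_of "$dir" | cut -c10)" in
            x|t) ;;                   # o+x set ("t" = sticky bit together with o+x)
            *) echo "not searchable by others: $dir"; return 1 ;;
        esac
        dir=$(dirname "$dir")
    done
    case "$(mode_of "$crl" | cut -c8)" in
        r) echo "ok: $crl"; return 0 ;;
        *) echo "not readable by others: $crl"; return 1 ;;
    esac
}

# fix_crl_perms BASE CRL
# Directories below BASE get o+rx, the CRL gets 0644. BASE itself is left
# alone (for a real setup BASE would be something like /etc/openvpn, which is
# normally 0755 already).
fix_crl_perms() {
    base="$1"; crl="$2"
    dir=$(dirname "$crl")
    while [ "$dir" != "$base" ] && [ "$dir" != "/" ]; do
        chmod o+rx "$dir"
        dir=$(dirname "$dir")
    done
    chmod 0644 "$crl"
}

# Reproduce the thread's situation on a throwaway tree, then repair it.
demo() {
    work=$(mktemp -d)                          # constructed stand-in for /etc/openvpn
    mkdir -p "$work/easy-rsa/pki"
    printf '%s\n' '-----BEGIN X509 CRL-----' 'placeholder' '-----END X509 CRL-----' \
        > "$work/easy-rsa/pki/crl.pem"         # placeholder, not a real CRL
    chmod 0700 "$work/easy-rsa"                # owner-only directory, as easy-rsa creates it
    chmod 0600 "$work/easy-rsa/pki/crl.pem"    # "-rw------- root root" as in the thread
    check_crl_readable "$work/easy-rsa/pki/crl.pem" "$work" || true
    fix_crl_perms "$work" "$work/easy-rsa/pki/crl.pem"
    check_crl_readable "$work/easy-rsa/pki/crl.pem" "$work"
    rm -rf "$work"
}

demo
```

On a real server the call would be `check_crl_readable /etc/openvpn/easy-rsa/pki/crl.pem` with no BASE, so that every directory up to / is checked. A CRL is signed public data, so 0644 is the right mode for it; only the CA private key needs to stay 0600, and it should not sit in a directory the daemon can read. Keeping "user nobody" and "group nogroup" is the safer choice over running the service as root: the point of dropping privileges is to limit what a compromised daemon can do, and the read permission on the CRL is all it needs.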

secooonder
OpenVpn Newbie
Posts: 17
Joined: Sat Aug 10, 2019 8:40 am

Re: can't read crl.pem

Post by secooonder » Tue Sep 19, 2023 5:09 am

Hi
Please help me.
