error=CRL has expired for all users

j0mpst0rt
OpenVpn Newbie
Posts: 2
Joined: Fri May 21, 2021 3:12 pm

error=CRL has expired for all users

Post by j0mpst0rt » Fri May 21, 2021 3:29 pm

Hi, I did see a similar issue somewhere in this topic, but I cannot find it. So here I go... (I have inherited this system):

1: All my current users are working (initially).
2: I create a new user (who can also log on).
3: I decide to enable CRL.
3:1 I edit the server.conf and add the line "crl-verify crl.pem".
3:2 I bounce the processes.
3:3 I trace the users, who have the following error message:
VERIFY_ERROR: depth=0, error=CRL has expired: C=UK....
openSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
<<>>><<>>> AT THIS POINT, NO USERS CAN LOGIN <<>><<>><>><<><>
3:4 If I switch back by removing the crl-verify crl.pem line, all users can log in as normal.
4: Easy-RSA:
4:1 I have Easy-RSA installed, I think 'partially'... (not by rpm or yum).
4:2 /etc/openvpn/easy-rsa exists, with a bunch of build-* scripts, and no easy-rsa or easyrsa script to which I can pass a gen-crl.
4:3 The current revoke method I have is:
cd /etc/openvpn/easy-rsa
source ./vars
revoke-full <name> <-- I think this does the gen-crl; it does not copy it anywhere, other than leaving it in keys.
<<><><<<> Revoke of a user simply does not work currently <>><<><>><
4:4 That is it, but crl-verify was not in the config file, so revokes do not work currently. So when I started step 3 above, I was hoping the user would be revoked, but sadly it isn't.

5: I see that in the index.txt on line 1: V ... NumberZ 01 unknown ... CN=server/name=server/email=..... exists. I am wondering if the server certificate itself is revoked?

Can anybody advise me on what I'm not understanding please?
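Question 5 above is about the CA database that Easy-RSA keeps in keys/index.txt. Its first column is a status letter (V valid, R revoked, E expired), the third column is empty unless the certificate has been revoked, and the fourth is the serial. The following reader is an added example, not the poster's script and not part of Easy-RSA or OpenVPN; the sample database inside it is constructed to match the shape of the line described (a V entry, serial 01, CN=server) plus a revoked and two expired entries, and the file path in the usage comment is an assumption.

```python
"""Read an Easy-RSA / OpenSSL CA database (keys/index.txt) and report the state
of every certificate in it.

Added example; not the poster's script and not part of Easy-RSA.  Each line of
index.txt has six tab-separated fields:

    status  expiry  revocation  serial  filename  subject

status is V (valid), R (revoked) or E (expired); expiry and revocation are
YYMMDDHHMMSSZ; revocation is empty unless the cert was revoked and may carry
",reason"; filename is normally "unknown".
"""
import datetime as dt
import sys
from dataclasses import dataclass
from typing import List, Optional

UTC = dt.timezone.utc

# Constructed sample database (not from any real server).  The first line has
# the shape described in the question: a V entry, serial 01, CN=server.
SAMPLE_INDEX = (
    "V\t240520152900Z\t\t01\tunknown\t/C=UK/O=Example/CN=server/name=server/emailAddress=admin@example.test\n"
    "V\t240520153000Z\t\t02\tunknown\t/C=UK/O=Example/CN=alice/name=alice/emailAddress=alice@example.test\n"
    "R\t240520153100Z\t210523101200Z,keyCompromise\t03\tunknown\t/C=UK/O=Example/CN=bob/name=bob/emailAddress=bob@example.test\n"
    "E\t210101000000Z\t\t04\tunknown\t/C=UK/O=Example/CN=old-laptop/name=old-laptop/emailAddress=it@example.test\n"
    "V\t210401000000Z\t\t05\tunknown\t/C=UK/O=Example/CN=stale-vm/name=stale-vm/emailAddress=it@example.test\n"
)

@dataclass
class IndexEntry:
    status: str
    expires: dt.datetime
    revoked: Optional[dt.datetime]
    reason: Optional[str]
    serial: str
    subject: str

    @property
    def cn(self) -> str:
        """Common name taken from the slash-separated subject DN."""
        return next((p[3:] for p in self.subject.split("/") if p.startswith("CN=")), "")

def _parse_time(stamp: str) -> dt.datetime:
    return dt.datetime.strptime(stamp, "%y%m%d%H%M%SZ").replace(tzinfo=UTC)

def parse_index(text: str) -> List[IndexEntry]:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revocation, serial, _filename, subject = line.split("\t")
        revoked = reason = None
        if revocation:                                  # "YYMMDDHHMMSSZ" or "YYMMDDHHMMSSZ,reason"
            stamp, _, reason = revocation.partition(",")
            revoked, reason = _parse_time(stamp), (reason or None)
        entries.append(IndexEntry(status, _parse_time(expiry), revoked, reason, serial, subject))
    return entries

def is_revoked(entries: List[IndexEntry], cn: str) -> bool:
    """True when a certificate with this CN carries status R or a revocation date."""
    return any(e.cn == cn and (e.status == "R" or e.revoked is not None) for e in entries)

def expired_cns(entries: List[IndexEntry], now: Optional[dt.datetime] = None) -> List[str]:
    """CNs whose certificate has run out, judged by the expiry date rather than the
    status letter alone: the letter is only rewritten when the CA tooling updates
    the database, so a stale V entry can still be past its expiry."""
    now = now or dt.datetime.now(UTC)
    return [e.cn for e in entries if e.status == "E" or e.expires < now]

def report(entries: List[IndexEntry]) -> str:
    """One line per certificate, lowest serial first."""
    lines = []
    for e in sorted(entries, key=lambda e: int(e.serial, 16)):
        state = "REVOKED" if e.revoked else e.status
        extra = f" ({e.reason})" if e.reason else ""
        lines.append(f"{e.serial:>4}  {state:<8} expires {e.expires:%Y-%m-%d}  CN={e.cn}{extra}")
    return "\n".join(lines)

if __name__ == "__main__":
    # Usage: python index_report.py /etc/openvpn/easy-rsa/keys/index.txt  (path assumed)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INDEX
    entries = parse_index(text)
    print(report(entries))
    print("server cert revoked:", is_revoked(entries, "server"))
    print("expired:", ", ".join(expired_cns(entries)) or "none")
```

Run it against the real index.txt to see which entries are R (and with what reason) and which are past their expiry regardless of the status letter; a line that starts with V and has an empty third field has not been revoked.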

TinCanTech
Forum Team
Posts: 9437
Joined: Fri Jun 03, 2016 1:17 pm

Re: error=CRL has expired for all users

Post by TinCanTech » Fri May 21, 2021 4:13 pm

Where did you get Easy-RSA?

j0mpst0rt
OpenVpn Newbie
Posts: 2
Joined: Fri May 21, 2021 3:12 pm

Re: error=CRL has expired for all users

Post by j0mpst0rt » Sun May 23, 2021 10:12 am

Hi TinCanTech...

I have inherited this OpenVPN server by becoming employed by the company after the previous person left.

Therefore, I have no history of where this easy-rsa installation came from. I can see it's possible to install one, but as this OpenVPN is, I think, 2.4 community edition, I'm not wanting to break what is currently installed; I don't want to install and replace all the scripts.

I am happy to start 'afresh' with the configuration by creating an initial server certificate again, which I assume will mean I will need to discard all other persons' keys and create a completely new set of keys (can someone confirm to me if the server certificate can be, and is, revoked). It is not a problem to create the server certificate (once I know how to do it). I have written a script which bundles client-side config into a zip file and creates a username.ovpn file that works for the users when it is dumped into a config directory on the client and the ovpn file is dropped into the client app.

This is my first time out doing OpenVPN, so I'm learning.

Thanks... Mike

TinCanTech
Forum Team
Posts: 9437
Joined: Fri Jun 03, 2016 1:17 pm

Re: error=CRL has expired for all users

Post by TinCanTech » Sun May 23, 2021 1:21 pm

You need to learn a lot about CA management.

I recommend you consider upgrading to Easy-RSA v3: https://github.com/OpenVPN/easy-rsa

It has a built-in upgrade procedure to move you from the version you have now.
https://community.openvpn.net/openvpn/w ... sa-upgrade

Make copious back-ups first!

Once you are ready you can create a new CRL like so:

Code:

    ./easyrsa gen-crl

If you need professional support then I am available for hire: tincantech at protonmail dot com
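A CRL carries its own validity window (thisUpdate / nextUpdate), and once nextUpdate has passed a server running with crl-verify rejects every client with exactly the "CRL has expired" line seen in the first post, so gen-crl has to be re-run before that date and the new file copied to the path named in server.conf (in Easy-RSA v3 the lifetime comes from EASYRSA_CRL_DAYS in vars). The check below is an added example, not code from OpenVPN, Easy-RSA or either poster: it reads only as much of the X.509 CertificateList structure as is needed to get the two dates, which is the same information `openssl crl -in crl.pem -noout -lastupdate -nextupdate` prints. The default path is an assumption, and the sample CRL it builds for demonstration is constructed, unsigned and has a dummy issuer.

```python
"""Check whether an OpenVPN CRL file is still inside its validity window.

Added example; not code from OpenVPN, Easy-RSA or the forum posters.  It walks
just enough of the X.509 CertificateList structure (RFC 5280, section 5.1) to
read thisUpdate / nextUpdate.  The default path below is an assumption; point
it at the file named by crl-verify in server.conf.
"""
import base64
import datetime as dt
import re
import sys

UTC = dt.timezone.utc

def _read_tlv(data, pos):
    """Decode one DER tag-length-value at `pos`; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                   # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for each element inside a DER SEQUENCE body."""
    pos = 0
    while pos < len(value):
        tag, body, pos = _read_tlv(value, pos)
        yield tag, body

def _parse_time(tag, body):
    """UTCTime (tag 0x17, YYMMDD...) or GeneralizedTime (tag 0x18, YYYYMMDD...) -> aware datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(body.decode("ascii"), fmt).replace(tzinfo=UTC)

def pem_to_der(blob):
    """Accept a PEM "X509 CRL" block or raw DER and return DER bytes."""
    m = re.search(rb"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", blob, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else blob

def crl_validity(der):
    """Return (this_update, next_update) of a DER CRL; next_update is None if absent."""
    _, cert_list, _ = _read_tlv(der, 0)                 # CertificateList ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert_list, 0)                 # tbsCertList ::= SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] == 0x02:                            # optional version INTEGER
        fields.pop(0)
    # fields[0] is the signature AlgorithmIdentifier, fields[1] the issuer Name;
    # thisUpdate follows, then nextUpdate if the CA wrote one.
    this_update = _parse_time(*fields[2])
    has_next = len(fields) > 3 and fields[3][0] in (0x17, 0x18)
    next_update = _parse_time(*fields[3]) if has_next else None
    return this_update, next_update

def crl_status(der, now=None):
    """Return "ok", "expired" (server would log 'CRL has expired') or "not-yet-valid"."""
    now = now or dt.datetime.now(UTC)
    this_update, next_update = crl_validity(der)
    if now < this_update:
        return "not-yet-valid"
    if next_update is not None and now > next_update:
        return "expired"
    return "ok"

# --- constructed sample CRL, so the check can be tried without a CA at hand ---
def _tlv(tag, body):
    """Tiny DER encoder (short and long length forms) used only to build the sample."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def sample_crl(this_update, next_update):
    """Unsigned, empty CRL with a dummy issuer and signature: shape only, no trust value."""
    sha256_rsa = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    utc = lambda t: _tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _tlv(0x30, _tlv(0x02, b"\x01") + sha256_rsa + _tlv(0x30, b"")
               + utc(this_update) + utc(next_update))
    return _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00\x00\x00\x00\x00"))

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/openvpn/crl.pem"   # assumed path
    with open(path, "rb") as f:
        der = pem_to_der(f.read())
    first, last = crl_validity(der)
    print(f"{path}: thisUpdate={first:%Y-%m-%d %H:%M}Z nextUpdate={last} -> {crl_status(der)}")
```

Running it from cron against the file named by crl-verify, and alerting when the result is anything other than "ok" (or when nextUpdate is within a few days), catches the situation in the first post before it locks everyone out; the fix at that point is simply gen-crl plus copying the fresh crl.pem into place.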
