Fixing "CRL has expired" without easyrsa

dazz
OpenVpn Newbie
Posts: 4
Joined: Sat Jan 04, 2020 9:09 am


Post by dazz » Sat Jan 04, 2020 9:19 am

Hi
I am running OpenVPN on the IPCop firewall. It came preinstalled with OpenVPN but not easyrsa.

I have the problem described in this post:
viewtopic.php?t=26308
I don't know if I can simply download and run the easyrsa gen-crl command without any prior config/setup of easyrsa.
I don't know if it would be safe to simply run easyrsa.
I have had a look at the easyrsa script to see if I could just extract and run the gen-crl commands but that doesn't look easy.

It appears I need to update the CRL but I don't know how to do this without easyrsa.

Any help appreciated.

Dazz

TinCanTech
OpenVPN Protagonist
Posts: 6474
Joined: Fri Jun 03, 2016 1:17 pm

Re: Fixing "CRL has expired" without easyrsa

Post by TinCanTech » Sat Jan 04, 2020 1:57 pm

dazz wrote:
Sat Jan 04, 2020 9:19 am
I am running OpenVPN on the IPCop firewall. It came preinstalled with OpenVPN
And what does the manual say for your device?

dazz
OpenVpn Newbie
Posts: 4
Joined: Sat Jan 04, 2020 9:09 am

Re: Fixing "CRL has expired" without easyrsa

Post by dazz » Sun Jan 05, 2020 4:22 am

Hi
TinCanTech wrote:
Sat Jan 04, 2020 1:57 pm
And what does the manual say for your device?
Nothing useful.

Below is my config file.

HOME            = .
RANDFILE        = /var/tmp/.rnd
oid_section     = new_oids

[ new_oids ]

[ ca ]
default_ca      = IPCop

[ IPCop ]
dir             = /var/ipcop
certs           = $dir/certs
crl_dir         = $dir/crls
database        = $dir/certs/index.txt
new_certs_dir   = $dir/certs
certificate     = $dir/ca/cacert.pem
serial          = $dir/certs/serial
crl             = $dir/crls/cacrl.pem
private_key     = $dir/private/cakey.pem
RANDFILE        = $dir/tmp/.rand
x509_extensions = usr_cert
default_days    = 999999
default_crl_days= 30
default_md      = sha256
preserve        = no
policy          = policy_match
email_in_dn     = no
...
[ req ]
default_bits            = 2048
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions = v3_ca
string_mask = nombstr

...

[ usr_cert ]
basicConstraints=CA:FALSE
nsComment                       = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

[ server ]
basicConstraints=CA:FALSE
nsCertType                      = server
nsComment                       = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true

[ crl_ext ]
authorityKeyIdentifier=keyid:always,issuer:always

[ engine ]
default = openssl

I have never changed the config file settings directly.

I think I need to run the command:

openssl ca -config /etc/ssl/openssl.cnf -gencrl -out /var/ipcop/crls/cacrl.pem

I think this is the command to overwrite the existing CRL file.
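
The posted config and command together explain the symptom: `default_crl_days = 30` means every CRL that `openssl ca -gencrl` writes from this config carries a nextUpdate 30 days out, and once that date passes OpenVPN (which checks the file named by its `crl-verify` directive) rejects every client with "CRL has expired". Re-running the same command does produce a fresh CRL, but one with the same 30-day lifetime. The script below is an added example, not code from the thread or from IPCop: it builds a throwaway CA in a scratch directory that mirrors the posted layout, issues one constructed client certificate, reproduces the expiry with `openssl verify -attime` (which evaluates validity at a chosen future time instead of now), and then fixes it by regenerating the CRL with an explicit `-crldays`. The `WORK` directory, the function names and the `Example CA`/`client1` names are assumptions; it needs OpenSSL 1.0.2 or newer for `-attime` and `-CRLfile`.

```shell
#!/bin/sh
# Added example (not from the thread): a throwaway CA laid out like the posted
# openssl.cnf, used to show why its CRLs expire after 30 days and how to fix it.
# Everything lives under WORK (scratch, constructed); /var/ipcop is never touched.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/openssl.cnf"
CRL="$WORK/crls/cacrl.pem"

# Minimal CA config modelled on the posted one: same directory layout and the
# same default_crl_days = 30 that makes every CRL expire a month after creation.
write_config() {
  mkdir -p "$WORK/certs" "$WORK/crls" "$WORK/private" "$WORK/ca"
  : > "$WORK/certs/index.txt"
  echo 01 > "$WORK/certs/serial"
  cat > "$CNF" <<EOF
[ ca ]
default_ca       = IPCop
[ IPCop ]
dir              = $WORK
certs            = \$dir/certs
crl_dir          = \$dir/crls
database         = \$dir/certs/index.txt
new_certs_dir    = \$dir/certs
certificate      = \$dir/ca/cacert.pem
serial           = \$dir/certs/serial
crl              = \$dir/crls/cacrl.pem
private_key      = \$dir/private/cakey.pem
x509_extensions  = usr_cert
crl_extensions   = crl_ext
default_days     = 3650
default_crl_days = 30
default_md       = sha256
policy           = policy_match
[ policy_match ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
x509_extensions  = v3_ca
[ req_dn ]
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
[ v3_ca ]
basicConstraints = CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ crl_ext ]
authorityKeyIdentifier = keyid:always,issuer:always
EOF
}

# Self-signed CA plus one client certificate issued by it (both constructed).
make_ca_and_client() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 -config "$CNF" \
    -subj "/CN=Example CA" -keyout "$WORK/private/cakey.pem" -out "$WORK/ca/cacert.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$CNF" \
    -subj "/CN=client1" -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl ca -batch -notext -config "$CNF" -in "$WORK/client.csr" -out "$WORK/client.crt" 2>/dev/null
}

# Same command as in the post. Without -crldays the CRL inherits
# default_crl_days (30 here), so it stops being accepted a month from now.
gen_crl() {
  if [ $# -gt 0 ]; then
    openssl ca -config "$CNF" -gencrl -crldays "$1" -out "$CRL" 2>/dev/null
  else
    openssl ca -config "$CNF" -gencrl -out "$CRL" 2>/dev/null
  fi
}

# Exit 0 if the client cert verifies with CRL checking at UNIX time $1.
# On failure openssl's message is the same "CRL has expired" that OpenVPN logs.
crl_valid_at() {
  openssl verify -crl_check -attime "$1" -CAfile "$WORK/ca/cacert.pem" \
    -CRLfile "$CRL" "$WORK/client.crt" >/dev/null 2>&1
}

# Year from the CRL's nextUpdate line ("nextUpdate=Jan  5 04:22:00 2030 GMT").
crl_next_update_year() {
  openssl crl -in "$CRL" -noout -nextupdate | awk '{ print $4 }'
}

write_config
make_ca_and_client
NOW=$(date +%s)
LATER=$((NOW + 40 * 86400))          # 40 days ahead: past the 30-day default

gen_crl                               # 30-day CRL, as the posted command produces
crl_valid_at "$NOW"   && echo "fresh 30-day CRL: verify OK today"
crl_valid_at "$LATER" || echo "same CRL 40 days on: CRL has expired"

gen_crl 3650                          # regenerate with an explicit, longer lifetime
crl_valid_at "$LATER" && echo "after -crldays 3650: verify OK 40 days on"
echo "nextUpdate year is now $(crl_next_update_year)"
```

On the real box the equivalent check is `openssl verify -crl_check -CAfile /var/ipcop/ca/cacert.pem -CRLfile /var/ipcop/crls/cacrl.pem <client cert>`, and `openssl crl -in /var/ipcop/crls/cacrl.pem -noout -nextupdate` shows when the current file stops being accepted. Either pass `-crldays` to the posted command or raise `default_crl_days` in the config, and regenerate before nextUpdate; if a freshly written CRL still produces the error, confirm that the path in the OpenVPN server's `crl-verify` line is the file that was actually rewritten.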

TinCanTech
OpenVPN Protagonist
Posts: 6474
Joined: Fri Jun 03, 2016 1:17 pm

Re: Fixing "CRL has expired" without easyrsa

Post by TinCanTech » Sun Jan 05, 2020 2:39 pm

By the look of it, your device could easily support easyrsa3.

Or you could use easyrsa3 on your desktop computer and upload the files to your device.

dazz
OpenVpn Newbie
Posts: 4
Joined: Sat Jan 04, 2020 9:09 am

Re: Fixing "CRL has expired" without easyrsa

Post by dazz » Mon Jan 06, 2020 6:21 am

Hi
I know you are trying to be helpful but I only want to do a single thing to fix a single problem. I have never needed or used easyrsa3 before and I shouldn't need it now.
I will try running the command above and see if that works. Failing that I could do a complete reinstall of the firewall. That I can do and will probably be easier than learning a new program.

dazz
OpenVpn Newbie
Posts: 4
Joined: Sat Jan 04, 2020 9:09 am

Re: Fixing "CRL has expired" without easyrsa

Post by dazz » Mon Jan 06, 2020 8:08 am

Hi
The command:

openssl ca -config /etc/ssl/openssl.cnf -gencrl -out /var/ipcop/crls/cacrl.pem

did not solve the problem.

TinCanTech
OpenVPN Protagonist
Posts: 6474
Joined: Fri Jun 03, 2016 1:17 pm

Re: Fixing "CRL has expired" without easyrsa

Post by TinCanTech » Mon Jan 06, 2020 9:40 am

How did you generate a CRL before, or is this the first time you have tried to do so?
