Hi, I did see in this topic somewhere a similar issue, but I cannot find it. So here I go... (I have inherited this system):
1: All my current users are working (initially).
2: I create a new user (who can also log on).
3: I decide to enable CRL.
3:1 I edit the server.conf and add the line "crl-verify crl.pem".
3:2 I bounce the processes.
3:3 I trace the users, who have the following error message:
VERIFY_ERROR: depth=0, error=CRL has expired: C=UK....
OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
AT THIS POINT, NO USERS CAN LOG IN.
3:4 If I switch back by removing "crl-verify crl.pem", all users can log in as normal.
4: Easy-RSA:
4:1 I have Easy-RSA installed, I think 'partially' (not by rpm or yum).
4:2 /etc/openvpn/easy-rsa exists, with a bunch of build-* scripts, and no easy-rsa or easyrsa script to which I can pass gen-crl.
4:3 The current revoke method I have is:
cd /etc/openvpn/easy-rsa
source ./vars
revoke-full <name> <-- I think this does the gencrl; it does not copy it anywhere, other than leaving it in keys.
Revoke of a user simply does not work currently.
4:4 That is it, but crl-verify was not in the config file, so revokes do not work currently. So when I started step 3 above, I was hoping the user would be revoked, but sadly isn't.
5: I see that in index.txt, line 1, "V ... NumberZ 01 unknown ... CN=server/name=server/email=....." exists. I am wondering if the server certificate itself is revoked?
Can anybody advise me on what I'm not understanding, please?
error=CRL has expired for all users
- OpenVpn Newbie
- Posts: 2
- Joined: Fri May 21, 2021 3:12 pm

- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: error=CRL has expired for all users
Where did you get Easy-RSA ?
- OpenVpn Newbie
Re: error=CRL has expired for all users
Hi TinCanTech....
I have inherited this OpenVPN server by becoming employed by the company after the previous person left.
Therefore, I have no history of where this Easy-RSA installation came from. I can see it's possible to install one, but as this OpenVPN is, I think, 2.4 community edition, I'm not wanting to break what is currently installed; I don't want to install and replace all the scripts.
I am happy to start 'afresh' with the configuration by creating an initial server certificate again, which I assume will mean I will need to discard all persons' other keys and create a completely new set of keys (can someone confirm to me if the server certificate can be, and is, revoked?). It is not a problem to create the server certificate (once I know how to do it). I have written a script which bundles client-side config into a zip file and creates a username.ovpn file that works for the users when it is dumped into a config directory on the client, and drops the ovpn file into the client app.
This is my first time out doing OpenVPN, so I'm learning.
Thanks... Mike
- OpenVPN Protagonist
Re: error=CRL has expired for all users
You need to learn a lot about CA management.
I recommend you consider upgrading to Easy-RSA v3: https://github.com/OpenVPN/easy-rsa
It has a built-in upgrade procedure to move you from the version you have now.
https://community.openvpn.net/openvpn/w ... sa-upgrade
Make copious back-ups first!
Once you are ready you can create a new CRL like so:
    ./easyrsa gen-crl
If you need professional support then I am available for hire: tincantech at protonmail dot com
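An added example, written for this page and not taken from either poster or from the Easy-RSA project, that covers the two points raised in the thread. First, "CRL has expired" comes from the CRL's own nextUpdate field: the openssl.cnf shipped with Easy-RSA 2 sets default_crl_days to 30, so a crl.pem that revoke-full leaves in keys/ stops being accepted a month later, and OpenVPN then rejects every client, not only the revoked one. The script below compares nextUpdate with the current time and, when the file is expired or missing, regenerates and installs it, using ./easyrsa gen-crl if an Easy-RSA 3 tree is present and otherwise the same openssl ca -gencrl call that revoke-full ends with. Second, the "V" in the first column of index.txt means Valid (R is Revoked, E is Expired), so index_status answers the question about the server certificate directly from the CA database. EASYRSA_DIR, PKI_DIR and OPENVPN_CRL are assumed paths matching the layout described above, and the index.txt lines written by make_sample_index are constructed test data, not a real CA.

```bash
#!/usr/bin/env bash
# Added example (not from the thread or from Easy-RSA): keep the OpenVPN CRL
# current and look up certificate status in the CA's index.txt.
set -eu

# Assumed paths, matching the layout described in the thread; adjust as needed.
EASYRSA_DIR="${EASYRSA_DIR:-/etc/openvpn/easy-rsa}"   # tree with vars + build-* (v2) or easyrsa (v3)
PKI_DIR="${PKI_DIR:-$EASYRSA_DIR/keys}"                # v2 keeps index.txt and crl.pem here; v3 uses pki/
OPENVPN_CRL="${OPENVPN_CRL:-/etc/openvpn/crl.pem}"     # file that "crl-verify crl.pem" in server.conf names

# Decide "current" or "expired" from the text `openssl crl -noout -nextupdate`
# prints (e.g. "nextUpdate=Jun 20 15:12:00 2021 GMT") and a reference time in
# epoch seconds. No file I/O, so it can be exercised without a real CRL.
crl_status_from_nextupdate() {
    local line="$1" now_epoch="$2" next_epoch
    next_epoch=$(date -d "${line#nextUpdate=}" +%s)   # GNU date parses OpenSSL's date format
    if [ "$next_epoch" -gt "$now_epoch" ]; then
        echo current
    else
        echo expired
    fi
}

# Live status of a CRL file: current, expired or missing.
crl_file_status() {
    local crl="$1"
    [ -r "$crl" ] || { echo missing; return 0; }
    crl_status_from_nextupdate "$(openssl crl -in "$crl" -noout -nextupdate)" "$(date +%s)"
}

# Print the status flag of the certificate whose subject has CN=<cn> in an
# openssl ca index.txt: V = valid, R = revoked, E = expired; "absent" if none.
# index.txt columns are tab-separated:
#   status  expiry  [revocation-date]  serial  filename  subject
index_status() {
    local index_file="$1" cn="$2"
    awk -F'\t' -v cn="$cn" '
        BEGIN { pat = "/CN=" cn "(/|$)" }
        $NF ~ pat { print $1; found = 1; exit }
        END { if (!found) print "absent" }' "$index_file"
}

# Regenerate the CRL and install a copy where OpenVPN reads it. Easy-RSA 3
# provides gen-crl; an Easy-RSA 2 tree does not, so fall back to the openssl
# call revoke-full itself ends with, asking for a longer validity than the
# 30-day default in the v2 openssl.cnf. OpenVPN re-reads the crl-verify file
# (2.4 does so when its mtime changes), so no restart is needed.
regen_crl() {
    local new_crl
    if [ -x "$EASYRSA_DIR/easyrsa" ]; then
        (cd "$EASYRSA_DIR" && EASYRSA_CRL_DAYS="${CRL_DAYS:-365}" ./easyrsa gen-crl)
        new_crl="$EASYRSA_DIR/pki/crl.pem"
    else
        (cd "$EASYRSA_DIR" && set +u && . ./vars >/dev/null &&
            openssl ca -gencrl -crldays "${CRL_DAYS:-365}" -config "$KEY_CONFIG" -out "$KEY_DIR/crl.pem")
        new_crl="$PKI_DIR/crl.pem"
    fi
    install -m 0644 "$new_crl" "$OPENVPN_CRL"
}

# Constructed sample index.txt (test data, not a real CA): a valid server
# certificate, a revoked client and a valid client.
make_sample_index() {
    local out="$1"
    printf 'V\t310519151200Z\t\t01\tunknown\t/C=UK/O=Example/CN=server/name=server/emailAddress=vpn@example.test\n' > "$out"
    printf 'R\t230519151200Z\t210601101500Z\t02\tunknown\t/C=UK/O=Example/CN=alice/name=alice\n' >> "$out"
    printf 'V\t230519151200Z\t\t03\tunknown\t/C=UK/O=Example/CN=bob\n' >> "$out"
}

main() {
    local status
    status=$(crl_file_status "$OPENVPN_CRL")
    echo "CRL $OPENVPN_CRL is $status"
    if [ "$status" != current ]; then
        regen_crl
        echo "installed fresh CRL: $(openssl crl -in "$OPENVPN_CRL" -noout -nextupdate)"
    fi
    echo "server certificate in index.txt: $(index_status "$PKI_DIR/index.txt" server)"
}

# Run the checks only when invoked directly with --run; sourcing does nothing.
if [ "${1:-}" = --run ]; then
    main
fi
```

Run it as root with `--run` after a revoke-full, or from cron, so the CRL never silently ages past nextUpdate; a "V" for the server entry confirms the server certificate is not revoked, and a revoked client shows up as "R" with its revocation date in the third column.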