Unable to Revoke using crl-verify 'dir' option

Need help configuring your VPN? Just post here and you'll get that help.
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
LauraMartin
OpenVpn Newbie
Posts: 3
Joined: Tue Jun 18, 2019 12:47 pm

Unable to Revoke using crl-verify 'dir' option

Post by LauraMartin » Fri Sep 06, 2019 11:02 pm

My config:
Server Config
port 1194
proto udp
dev tun0
ca /etc/openvpn/certs/ca.crt # the self signed certificate for the CA
cert /etc/openvpn/certs/server.crt # a certificate for the server
key /etc/openvpn/certs/server.key # This file should be kept secret
crl-verify /etc/openvpn/certs/CRL 'dir'
dh /etc/openvpn/certs/dh2048.pem
ifconfig-pool-persist ipp.txt
keepalive 10 120
cipher AES-256-CBC
#user nobody
#group nobody
#persist-key
#persist-tun
status openvpn-status.log
;log openvpn.log
log-append /var/log/openvpn
verb 3
explicit-exit-notify 1
# -- the server line will be inserted after this
server 10.8.0.0 255.255.255.0

port 1194
proto udp
dev tun0
ca /etc/openvpn/certs/ca.crt # the self signed certificate for the CA
cert /etc/openvpn/certs/server.crt # a certificate for the server
key /etc/openvpn/certs/server.key # This file should be kept secret
crl-verify /etc/openvpn/certs/CRL 'dir'
dh /etc/openvpn/certs/dh2048.pem
ifconfig-pool-persist ipp.txt
keepalive 10 120
cipher AES-256-CBC
status openvpn-status.log
log-append /var/log/openvpn
verb 3
explicit-exit-notify 1
server 10.8.0.0 255.255.255.0


Please notice the crl-verify at line: 23. I'm using a CRL directory instead of a crl.pem file. That's because I will have many potential users.
Revocation doesn't seem to work. Although to be more precise:
* establish a connection
* revoke the certificate
* close the connection
* re-establish the connection ==> it reconnects

It isn't clear what should be in the CRL directory. The manual seems to say that a file with a name that is the decimal number of the certificate is what is needed. In the index and serial files, though, hexadecimal numbers are used. I've tried both.

I'm running as root because running as nobody gave me messages that the key, cert, dh, and ca files couldn't be read. I don't understand why that should be -- I thought that the certs are read prior to the transition to nobody.

Help would be greatly appreciated.

Thanks,

Laura

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 5923
Joined: Fri Jun 03, 2016 1:17 pm

Re: Unable to Revoke using crl-verify 'dir' option

Post by TinCanTech » Sat Sep 07, 2019 12:06 am

LauraMartin wrote:
Fri Sep 06, 2019 11:02 pm
crl-verify /etc/openvpn/certs/CRL 'dir'
You should probably define the 'dir' as the full path.


Please see:
viewtopic.php?f=30&t=22603#p68963

300000
OpenVPN User
Posts: 33
Joined: Tue May 01, 2012 9:30 pm

Re: Unable to Revoke using crl-verify 'dir' option

Post by 300000 » Sat Sep 07, 2019 11:57 am

after revoke the certificate you must regenerator revocation file from openssl and update so the new revoke the certificate will be block , if you dont do that how can it know this certificate ve been revoked .

should be a full path to the file /tmp/user/revocation.pem

Post Reply