
Unable to Revoke using crl-verify 'dir' option

Posted: Fri Sep 06, 2019 11:02 pm
by LauraMartin
My config:
Server Config
port 1194
proto udp
dev tun0
ca /etc/openvpn/certs/ca.crt # the self signed certificate for the CA
cert /etc/openvpn/certs/server.crt # a certificate for the server
key /etc/openvpn/certs/server.key # This file should be kept secret
crl-verify /etc/openvpn/certs/CRL 'dir'
dh /etc/openvpn/certs/dh2048.pem
ifconfig-pool-persist ipp.txt
keepalive 10 120
cipher AES-256-CBC
#user nobody
#group nobody
#persist-key
#persist-tun
status openvpn-status.log
;log openvpn.log
log-append /var/log/openvpn
verb 3
explicit-exit-notify 1
# -- the server line will be inserted after this
server 10.8.0.0 255.255.255.0

Please notice the crl-verify at line: 23. I'm using a CRL directory instead of a crl.pem file. That's because I will have many potential users.
Revocation doesn't seem to work. Although to be more precise:
* establish a connection
* revoke the certificate
* close the connection
* re-establish the connection ==> it reconnects

It isn't clear what should be in the CRL directory. The manual seems to say that a file with a name that is the decimal number of the certificate is what is needed. In the index and serial files, though, hexadecimal numbers are used. I've tried both.

I'm running as root because running as nobody gave me messages that the key, cert, dh, and ca files couldn't be read. I don't understand why that should be -- I thought that the certs are read prior to the transition to nobody.

Help would be greatly appreciated.

Thanks,

Laura
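The decimal-versus-hex question in the post above is the usual stumbling block with this mode. In `crl-verify <dir> dir` mode OpenVPN does not parse a CRL at all: at every TLS handshake it builds the path `<dir>/<serial>` with the peer certificate's serial number rendered as a decimal string (OpenSSL's BN_bn2dec) and rejects the client if a file of that name exists, never reading its contents. easy-rsa's index.txt and serial file record serials in hex, so a file named `0B` revokes nothing; the file has to be named `11`. Because the lookup happens in the running (possibly de-privileged) process, the directory must stay readable after any `user nobody` drop, and an already-established session is not cut until its next renegotiation or reconnect. The helper below is an added example for this thread, not code from OpenVPN or easy-rsa: it converts hex serials (from index.txt or `openssl x509 -noout -serial`) to the decimal file names OpenVPN expects and syncs a CRL directory from the `R` entries of an openssl-ca index.txt. The index.txt lines and serials in it are constructed sample data.

```python
"""Populate an OpenVPN ``crl-verify <dir> dir`` directory from index.txt.

In directory mode OpenVPN checks, at every TLS handshake, whether a file
named after the peer certificate's serial number exists in <dir>; the file
contents are never read.  The serial is formatted as a DECIMAL string
(OpenSSL BN_bn2dec), whereas easy-rsa's index.txt and serial file record it
in HEX.  A file named "0B" therefore revokes nothing; it has to be "11".

Added example for this thread, not code from OpenVPN or easy-rsa.
"""
import os
import tempfile
from typing import Dict, List, Set

# Constructed sample of an openssl-ca index.txt (tab separated):
# status  expiry  revocation[,reason]  serial(hex)  filename  subject
SAMPLE_INDEX = (
    "V\t290903230000Z\t\t0A\tunknown\t/CN=server\n"
    "R\t290903230000Z\t190906230000Z\t0B\tunknown\t/CN=laptop\n"
    "R\t290903230000Z\t190906230100Z,keyCompromise\t"
    "5A3F2B9C4D6E7F8091A2B3C4D5E6F708\tunknown\t/CN=phone\n"
)


def hex_serial_to_filename(hex_serial: str) -> str:
    """Convert a hex serial to the decimal file name OpenVPN looks up.

    Accepts the bare form from index.txt ("0B"), the raw output of
    ``openssl x509 -noout -serial`` ("serial=0B") and colon-separated hex.
    Python ints are arbitrary precision, so 128-bit easy-rsa 3 serials are fine.
    """
    s = hex_serial.strip()
    if s.lower().startswith("serial="):
        s = s.split("=", 1)[1]
    if s.lower().startswith("0x"):
        s = s[2:]
    s = s.replace(":", "")
    return str(int(s, 16))


def revoked_serials(index_text: str) -> Set[str]:
    """Decimal serials of every entry flagged 'R' (revoked) in index.txt."""
    revoked: Set[str] = set()
    for line in index_text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) < 4:
            raise ValueError(f"malformed index.txt line: {line!r}")
        status, _expiry, _revoked_at, serial = fields[:4]
        if status == "R":
            revoked.add(hex_serial_to_filename(serial))
    return revoked


def sync_crl_dir(crl_dir: str, index_text: str, prune: bool = False) -> Dict[str, List[str]]:
    """Create one empty file per revoked serial in crl_dir.

    Files that are no longer revoked in index.txt are reported as "stale" and
    deleted only when prune=True, so a manual out-of-band revocation is not
    silently undone.  Mode 0755 keeps the directory searchable after a drop
    to ``user nobody``; the check runs in the unprivileged process.
    """
    os.makedirs(crl_dir, mode=0o755, exist_ok=True)
    wanted = revoked_serials(index_text)
    present = {n for n in os.listdir(crl_dir) if n.isdigit()}
    added = sorted(wanted - present)
    stale = sorted(present - wanted)
    for name in added:
        with open(os.path.join(crl_dir, name), "w"):  # empty: contents are never read
            pass
    if prune:
        for name in stale:
            os.remove(os.path.join(crl_dir, name))
    return {"added": added, "stale": stale}


def demo() -> Dict[str, List[str]]:
    """Run the sync twice on the sample in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        first = sync_crl_dir(tmp, SAMPLE_INDEX)
        again = sync_crl_dir(tmp, SAMPLE_INDEX)  # idempotent: nothing new
        return {"first_added": first["added"],
                "again_added": again["added"],
                "files": sorted(os.listdir(tmp))}


if __name__ == "__main__":
    print(demo())
```

Run it after each `openssl ca -revoke` (or easy-rsa `revoke`) against the CA's index.txt and the configured directory. No SIGHUP is needed, since OpenVPN consults the directory on every handshake; an existing session keeps running until its next TLS renegotiation or reconnect, which matches the reconnect test described in the post. To get the serial of a single client certificate instead, `openssl x509 -in client.crt -noout -serial` prints the hex form that `hex_serial_to_filename` accepts as-is.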

Re: Unable to Revoke using crl-verify 'dir' option

Posted: Sat Sep 07, 2019 12:06 am
by TinCanTech
LauraMartin wrote:
Fri Sep 06, 2019 11:02 pm
crl-verify /etc/openvpn/certs/CRL 'dir'
You should probably define the 'dir' as the full path.


Please see:
viewtopic.php?f=30&t=22603#p68963

Re: Unable to Revoke using crl-verify 'dir' option

Posted: Sat Sep 07, 2019 11:57 am
by 300000
After revoking the certificate you must regenerate the revocation file from openssl and update it, so the newly revoked certificate will be blocked. If you don't do that, how can it know this certificate has been revoked?

It should be a full path to the file, e.g. /tmp/user/revocation.pem