Is this a maintenance item? easyrsa gen-crl?

Scripts to manage certificates or generate config files

Moderators: TinCanTech

maxburn
OpenVPN Power User
Posts: 65
Joined: Mon Dec 12, 2016 6:07 pm

Is this a maintenance item? easyrsa gen-crl?

Post by maxburn » Mon Feb 20, 2023 1:40 pm

Am I supposed to be redoing the CRL every once in a while? Is there any sysadmin advice for CRL settings to prevent unexpected outages?
  1. Upgraded to 2.6.0 on 26 January 2023, worked fine before and after upgrade.
  2. This weekend all VPN connections went down, probably after a Windows update reboot.
  3. I caught "error=CRL has expired" in the logs.
  4. After "easyrsa gen-crl" and restarting OpenVPN service everything works fine again.
I found this in vars.example; the term "expected" next publication date doesn't make me think this will break the server if it isn't done. Also, with as many servers as I'm maintaining, I'd be hitting this all the time if it was a hard stop, but so far I've only hit this maybe three times in memory.


# How many days until the next CRL publish date?  Note that the CRL can still be
# parsed after this timeframe passes. It is only used for an expected next
# publication date.
#set_var EASYRSA_CRL_DAYS	180
For reference, my vars currently contains these lengths:


# In how many days should the root CA key expire; 20 years
set_var EASYRSA_CA_EXPIRE	7300

# In how many days should certificates expire; 20 years
set_var EASYRSA_CERT_EXPIRE	7300

# How many days before its expiration date a certificate is allowed to be renewed; whenever
set_var EASYRSA_CERT_RENEW	7300

RemoteOne
OpenVPN User
Posts: 34
Joined: Wed Sep 18, 2019 10:11 am

Re: Is this a maintenance item? easyrsa gen-crl?

Post by RemoteOne » Tue Mar 07, 2023 1:49 pm

I use a shell script saved to /usr/bin, and call it weekly from crontab in the early hours of the morning.

Obviously, this sample code is provided as-is, with no guarantee it will work in your environment.


#!/bin/bash

# Config
EASY_RSA_BIN=/usr/share/easy-rsa/3.1.2/easyrsa
PKI_PARENT_FOLDER=/etc/openvpn
CA_CERT=ca.crt

# Change directory to where the pki folder is located.
# Abort if that fails, otherwise gen-crl would run against the wrong directory.
cd "$PKI_PARENT_FOLDER" || exit 1

# Generate the new CRL (easyrsa expects ./pki relative to the current directory)
"$EASY_RSA_BIN" gen-crl

# Make the file readable by other users/groups so openvpn can read it
chmod 644 "$PKI_PARENT_FOLDER/pki/crl.pem"
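A variation on the cron approach above that also answers the original question about avoiding outages: instead of regenerating the CRL blindly, it reads the CRL's nextUpdate date with openssl and only runs gen-crl when fewer than a threshold number of days remain, so a daily job both monitors and renews. This is an added example, not RemoteOne's script or anything shipped with Easy-RSA; the easyrsa path, the 30-day threshold and the requirement for GNU date are assumptions.

```shell
#!/bin/sh
# Added example, not RemoteOne's script: regenerate the CRL only when its
# nextUpdate is within MIN_DAYS_LEFT days, so a daily cron job renews it
# well before OpenVPN logs "CRL has expired". Needs GNU date (Linux).
# Usage: crl-refresh.sh /etc/openvpn   (the directory that contains pki/)
set -eu

EASY_RSA_BIN="${EASY_RSA_BIN:-/usr/share/easy-rsa/3.1.2/easyrsa}"  # assumed path
MIN_DAYS_LEFT="${MIN_DAYS_LEFT:-30}"                                  # assumed threshold

# crl_days_left NEXTUPDATE_LINE [NOW_EPOCH]
# NEXTUPDATE_LINE is what `openssl crl -noout -nextupdate -in crl.pem`
# prints, e.g. "nextUpdate=Aug 19 12:00:00 2023 GMT". Prints the whole
# days remaining; negative once the date has passed.
crl_days_left() {
    line=$1
    now=${2:-$(date +%s)}
    next=$(date -u -d "${line#nextUpdate=}" +%s)
    echo $(( (next - now) / 86400 ))
}

# crl_needs_renewal DAYS_LEFT MIN_DAYS: succeeds when renewal is due
crl_needs_renewal() {
    [ "$1" -lt "$2" ]
}

main() {
    pki_parent=$1
    crl="$pki_parent/pki/crl.pem"
    if [ -r "$crl" ]; then
        days=$(crl_days_left "$(openssl crl -noout -nextupdate -in "$crl")")
        echo "CRL $crl: nextUpdate in $days day(s)"
    else
        echo "CRL $crl missing or unreadable; generating it" >&2
        days=-1
    fi
    if crl_needs_renewal "$days" "$MIN_DAYS_LEFT"; then
        cd "$pki_parent"                 # easyrsa expects ./pki here
        "$EASY_RSA_BIN" gen-crl
        chmod 644 "$crl"                 # openvpn drops privileges, must still read it
        echo "CRL regenerated"
    fi
}

# Only act when a PKI parent directory is given, so the functions above
# can be sourced or tested without touching a real PKI.
[ "$#" -eq 0 ] || main "$1"
```

Run it from cron once a day with the PKI parent directory as the argument; a non-zero exit (cd or gen-crl failing) surfaces in cron mail instead of as a silent outage later.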
