can't read crl.pem
-
- OpenVpn Newbie
- Posts: 1
- Joined: Tue Jun 16, 2015 3:46 pm
can't read crl.pem
Hello All
since some colleagues left the company, I tried to revoke their certificates; below are my steps.
1. revoke certificate, it is successful, because /etc/openvpn/esay-rsa/keys/index.txt indicates "R" for this certificate
2. add the below line in /etc/openvpn/server.conf
crl-verify /etc/openvpn/easy-rsa/keys/crl.pem
3. chmod 755 crl-verify /etc/openvpn/easy-rsa/keys
after reloading the openvpn configuration file, the log shows the below error.
cannot read: /etc/openvpn/easy-rsa/keys/crl.pem: No such file or directory (errno=2)
Any help would be appreciated. thanks in advance
- maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
- Contact:
Re: can't read crl.pem
post your config please,
if you use user nobody to start the service, you must have read permission on crl.pem,
including read+execute on the previous folders.
Michael.
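An added check, not from this thread or from OpenVPN, that walks a path the way the service user would after the daemon drops to "user nobody": every directory on the way needs the search (x) bit and the file itself needs the read (r) bit. It runs against a constructed in-memory tree using the paths from this thread; pass a real path with the default os.stat to check a live host.

```python
import os
import stat
from collections import namedtuple

Entry = namedtuple("Entry", "st_mode st_uid st_gid")  # stand-in for os.stat_result
# Constructed example tree (not a real host): the layout in this thread with easy-rsa 3
# defaults, where pki/ is created 0700 and crl.pem 0600, both owned by root.
FAKE_FS = {
    "/etc": Entry(stat.S_IFDIR | 0o755, 0, 0),
    "/etc/openvpn": Entry(stat.S_IFDIR | 0o755, 0, 0),
    "/etc/openvpn/easy-rsa": Entry(stat.S_IFDIR | 0o755, 0, 0),
    "/etc/openvpn/easy-rsa/pki": Entry(stat.S_IFDIR | 0o700, 0, 0),
    "/etc/openvpn/easy-rsa/pki/crl.pem": Entry(stat.S_IFREG | 0o600, 0, 0),
}
def fake_stat(path):
    if path in FAKE_FS:
        return FAKE_FS[path]
    raise FileNotFoundError(2, "No such file or directory", path)

def _allowed(st, uid, gid, bit):
    """Owner/group/other mode-bit check for one permission (4 = r, 1 = x); root bypasses it."""
    shift = 6 if st.st_uid == uid else 3 if st.st_gid == gid else 0
    return uid == 0 or bool(st.st_mode & (bit << shift))

def check_access(path, uid, gid, stat_fn=os.stat):
    """Walk `path` as (uid, gid) would after OpenVPN drops privileges: every directory
    needs x (search) and the file needs r. Returns None if readable, else the problem."""
    parts = os.path.abspath(path).split("/")[1:]
    current = "/"   # "/" itself is taken as searchable, as it is on any sane host
    try:
        for i, part in enumerate(parts, 1):
            current = os.path.join(current, part)
            st = stat_fn(current)
            if i < len(parts) and not _allowed(st, uid, gid, 1):
                return "%s: no search (x) permission for traversal" % current
            if i == len(parts) and not _allowed(st, uid, gid, 4):
                return "%s: no read permission (mode %04o, owner uid %d)" % (
                    current, stat.S_IMODE(st.st_mode), st.st_uid)
    except FileNotFoundError:
        return "%s: No such file or directory (errno=2)" % current
    return None

if __name__ == "__main__":
    crl = "/etc/openvpn/easy-rsa/pki/crl.pem"
    print("as nobody:", check_access(crl, 65534, 65534, fake_stat))
    # Fix: the CRL is public, CA-signed data, so 0644 on it and 0755 on pki/ are fine;
    # private keys stay 0600. Running as root would also pass, which is the other "fix".
    FAKE_FS["/etc/openvpn/easy-rsa/pki"] = Entry(stat.S_IFDIR | 0o755, 0, 0)
    FAKE_FS[crl] = Entry(stat.S_IFREG | 0o644, 0, 0)
    print("after fix:", check_access(crl, 65534, 65534, fake_stat))
```

A path that does not exist at all (the first poster's case, where gen-crl was never run) is reported as the errno=2 message rather than as a permission problem.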
-
- OpenVpn Newbie
- Posts: 6
- Joined: Fri Mar 20, 2015 3:03 pm
Re: can't read crl.pem
Hi Michael,
I have the same problem. Can you tell me the command to set the permission correctly? In my logfile there is additionally an error setting a route (I have defined two routes in my config).
Thank you very much!
Best regards
-
- OpenVPN Protagonist
- Posts: 11142
- Joined: Fri Jun 03, 2016 1:17 pm
Re: can't read crl.pem
Please see:
maikcat wrote:
post your config please,
if you use user nobody to start the service you must have read permission to crl.pem
including read+execute in previous folders.
Michael.
HOWTO: Request Help !
-
- OpenVpn Newbie
- Posts: 6
- Joined: Fri Mar 20, 2015 3:03 pm
Re: can't read crl.pem
Hi,
sorry, my version is V2.3.4. When I delete "user nobody" "group nogroup" it works fine.
Config:
# Server parameters
server 192.168.20.0 255.255.255.0
port 1194
proto udp
dev tun-UDP
user nobody
group nogroup
persist-key
persist-tun
#ifconfig-pool-persist ipp.txt
auth-user-pass-verify /usr/local/sbin/openvpn-auth via-file
script-security 2
client-config-dir /etc/openvpn/ccd
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.1.1"
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
client-to-client
crl-verify /etc/openvpn/easy-rsa/pki/crl.pem
max-clients 2
keepalive 10 120
# Control channel (TLS)
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
tls-auth ta.key 0
remote-cert-tls client
tls-server
# Data channel
auth SHA512
cipher AES-256-CBC
# Compression
comp-lzo
# Logging
log /var/log/openvpn.log
verb 3
status openvpn-status.log
# Certificates
ca ca.crt
cert server.crt
key server.key
dh dh4096.pem
Best regards
-
- OpenVPN Protagonist
- Posts: 11142
- Joined: Fri Jun 03, 2016 1:17 pm
Re: can't read crl.pem
maikcat wrote:
if you use user nobody to start the service you must have read permission to crl.pem
including read+execute in previous folders.
Michael.
See your distro documentation for file+directory permissions.
Zuendapp wrote:
Can you tell me the command to set the permission correctly?
Post your log file @ --verb 4
Zuendapp wrote:
In my logfile there is additionally an error setting a route
-
- OpenVpn Newbie
- Posts: 2
- Joined: Wed Dec 27, 2017 7:52 am
Re: can't read crl.pem
Is there any danger to running the service as root:root?
To bypass the above nobody:nogroup restrictions, I created /REV and stuck "crl.pem" in it, recursively changed ownership of /REV to nobody:nogroup, then changed the "crl-verify" option to
crl-verify /REV/crl.pem
Seems to be working. I'll revert to the previous config if it's safe to run the service as root:root.
-
- OpenVpn Newbie
- Posts: 17
- Joined: Sat Aug 10, 2019 8:40 am
Re: can't read crl.pem
I'm having the same problem.
I did the following operations:
cd /etc/openvpn/easyrsa ;
./easyrsa gen-crl
cp crl.pem /etc/openvpn/
systemctl restart openvpn.server
When the client connected to the OpenVPN server, I got an error:
"can't read crl.pem"
File permission is:
-rw------- 1 root root 796 Eyl 17 08:47 crl.pem
but I don't understand how to solve it.
Can you help me?
-
- OpenVpn Newbie
- Posts: 17
- Joined: Sat Aug 10, 2019 8:40 am
Re: can't read crl.pem
Hi
Please help me