CRL Expired, Clients Cannot Connect

Scripts to manage certificates or generate config files

Moderators: TinCanTech

talesam
OpenVpn Newbie
Posts: 1
Joined: Sat Jan 12, 2019 3:14 am

CRL Expired, Clients Cannot Connect

Post by talesam » Sat Jan 12, 2019 5:44 am

This is the message I get in the log:

Code:

Sat Jan 12 00:50:30 2019 179.221.25.89:44094 TLS: Initial packet from [AF_INET]179.221.25.89:44094, sid=7e3a0cb8 de436e97
Sat Jan 12 00:50:31 2019 179.221.25.89:44094 WARNING: Failed to stat CRL file, not (re)loading CRL.
Sat Jan 12 00:50:31 2019 179.221.25.89:44094 VERIFY ERROR: depth=0, error=CRL has expired: C=BR, O=xxx, CN=aaa, name=VPN, emailAddress=my@mail
Sat Jan 12 00:50:31 2019 179.221.25.89:44094 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Sat Jan 12 00:50:31 2019 179.221.25.89:44094 TLS_ERROR: BIO read tls_read_plaintext error
Sat Jan 12 00:50:31 2019 179.221.25.89:44094 TLS Error: TLS object -> incoming plaintext read error
Sat Jan 12 00:50:31 2019 179.221.25.89:44094 TLS Error: TLS handshake failed
Sat Jan 12 00:50:31 2019 179.221.25.89:44094 SIGUSR1[soft,tls-error] received, client-instance restarting

I tried to do this, but it did not work:

Code:

openssl ca -gencrl -keyfile keys/ca.key -cert keys/ca.crt -out keys/crl.pem -config openssl.cnf
Using configuration from openssl.cnf
ca: Error on line 37 of config file "openssl.cnf"
140424400291072:error:0E065068:configuration file routines:str_copy:variable has no value:../crypto/conf/conf_def.c:519:line 37
Line 37 of openssl.cnf is:

Code:

dir     = $ENV::KEY_DIR     # Where everything is kept
I changed this line ...

Code:

default_crl_days= 3650          # how long before next CRL
from 30 to 3650 in the file "/etc/openvpn/certs/openssl.cnf".

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: CRL Expired, Clients Cannot Connect

Post by TinCanTech » Sat Jan 12, 2019 2:29 pm

See Easy-RSA "gen-crl"
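Added example, not code from either poster: a small Python script that picks the CRL-related VERIFY ERROR and CRL-loading warnings out of an OpenVPN server log (the lines from the first post are reproduced as constructed sample input) and computes how many days a CRL has left from the `nextUpdate=` line that `openssl crl -noout -nextupdate -in crl.pem` prints, so an expiring CRL can be caught by monitoring before every client starts failing the handshake.

```python
"""Detect expired-CRL handshake failures in an OpenVPN server log and
compute a CRL's remaining lifetime from `openssl crl -noout -nextupdate`."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log, modelled on the excerpt in the first post
# (one extra line with a revoked cert shows the classifier telling them apart).
SAMPLE_LOG = """\
Sat Jan 12 00:50:31 2019 179.221.25.89:44094 WARNING: Failed to stat CRL file, not (re)loading CRL.
Sat Jan 12 00:50:31 2019 179.221.25.89:44094 VERIFY ERROR: depth=0, error=CRL has expired: C=BR, O=xxx, CN=aaa, name=VPN, emailAddress=my@mail
Sat Jan 12 00:50:31 2019 179.221.25.89:44094 TLS Error: TLS handshake failed
Sat Jan 12 00:51:02 2019 10.0.0.7:51000 VERIFY ERROR: depth=0, error=certificate revoked: C=BR, O=xxx, CN=bbb
"""

# "<day> <mon> <dd> <hh:mm:ss> <yyyy> <peer> <message>"; single-digit days carry two spaces.
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) (?P<peer>\S+) (?P<msg>.*)$")

# Checked in order; the first match wins for a line.
CRL_PATTERNS = {
    "crl_expired": re.compile(r"VERIFY ERROR: depth=\d+, error=CRL has expired: (?P<subject>.*)$"),
    "crl_unreadable": re.compile(r"WARNING: Failed to stat CRL file"),
    "revoked": re.compile(r"VERIFY ERROR: depth=\d+, error=certificate revoked: (?P<subject>.*)$"),
}

def classify_crl_events(log_text):
    """Return one dict per CRL-related line: kind, peer address, and the CN if the
    message carried a subject DN (None for the stat warning)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for kind, pat in CRL_PATTERNS.items():
            hit = pat.search(m["msg"])
            if hit:
                subject = hit.groupdict().get("subject", "")
                cn = re.search(r"CN=([^,]+)", subject)
                events.append({"kind": kind, "peer": m["peer"], "cn": cn.group(1) if cn else None})
                break
    return events

def crl_days_remaining(nextupdate_line, now):
    """nextupdate_line is what `openssl crl -noout -nextupdate` prints, e.g.
    'nextUpdate=Feb 11 00:50:30 2019 GMT'. Negative means the CRL is already expired."""
    value = nextupdate_line.split("=", 1)[1].strip()
    expiry = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
    return (expiry - now) / timedelta(days=1)

if __name__ == "__main__":
    for ev in classify_crl_events(SAMPLE_LOG):
        print(ev)
    print(crl_days_remaining("nextUpdate=Feb 11 00:50:30 2019 GMT", datetime.now(timezone.utc)))
```

The `openssl ca` failure in the first post is a separate problem: `$ENV::KEY_DIR` in that openssl.cnf is read from the process environment, so the Easy-RSA 2 `vars` file has to be sourced (or KEY_DIR exported) in the shell before the command runs.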
