Fixing "CRL has expired " without easyrsa
Moderators: TinCanTech
-
- OpenVpn Newbie
- Posts: 4
- Joined: Sat Jan 04, 2020 9:09 am
Fixing "CRL has expired " without easyrsa
Hi
I am running OpenVPN on the IPCop firewall. It came preinstalled with OpenVPN but not easyrsa.
I have the problem described in this post:
viewtopic.php?t=26308
I don't know if I can simply download and run the easyrsa gen-crl command without any prior config/setup of easyrsa.
I don't know if it would be safe to simply run easyrsa.
I have had a look at the easyrsa script to see if I could just extract and run the gen-crl commands but that doesn't look easy.
It appears I need to update the CRL but I don't know how to do this without easyrsa.
Any help appreciated.
Dazz
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
-
- OpenVpn Newbie
- Posts: 4
- Joined: Sat Jan 04, 2020 9:09 am
Re: Fixing "CRL has expired " without easyrsa
Hi
Below is my config file.
Code: Select all
HOME = .
RANDFILE = /var/tmp/.rnd
oid_section = new_oids
[ new_oids ]
[ ca ]
default_ca = IPCop
[ IPCop ]
dir = /var/ipcop
certs = $dir/certs
crl_dir = $dir/crls
database = $dir/certs/index.txt
new_certs_dir = $dir/certs
certificate = $dir/ca/cacert.pem
serial = $dir/certs/serial
crl = $dir/crls/cacrl.pem
private_key = $dir/private/cakey.pem
RANDFILE = $dir/tmp/.rand
x509_extensions = usr_cert
default_days = 999999
default_crl_days= 30
default_md = sha256
preserve = no
policy = policy_match
email_in_dn = no
...
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
string_mask = nombstr
...
[ usr_cert ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
[ server ]
basicConstraints=CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
[ crl_ext ]
authorityKeyIdentifier=keyid:always,issuer:always
[ engine ]
default = openssl
I have never changed the config file settings directly.
I think I need to run the command:
Code: Select all
openssl ca -config /etc/ssl/openssl.cnf -gencrl -out /var/ipcop/crls/cacrl.pem
I think this is the command to overwrite the existing CRL file.
Nothing useful.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Fixing "CRL has expired " without easyrsa
By the look of it your device could easily support easyrsa3.
Or you could use easyrsa3 on your desktop computer and upload the files to your device.
-
- OpenVpn Newbie
- Posts: 4
- Joined: Sat Jan 04, 2020 9:09 am
Re: Fixing "CRL has expired " without easyrsa
Hi
I know you are trying to be helpful but I only want to do a single thing to fix a single problem. I have never needed or used easyrsa3 before and I shouldn't need it now.
I will try running the command above and see if that works. Failing that I could do a complete reinstall of the firewall. That I can do and will probably be easier than learning a new program.
-
- OpenVpn Newbie
- Posts: 4
- Joined: Sat Jan 04, 2020 9:09 am
Re: Fixing "CRL has expired " without easyrsa
Hi
The command:
Code: Select all
openssl ca -config /etc/ssl/openssl.cnf -gencrl -out /var/ipcop/crls/cacrl.pem
did not solve the problem.
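Added example, not part of the thread: one way to see why a regenerated CRL is still rejected, by checking that the file parses, that it is signed by the CA certificate in use, and that its nextUpdate is in the future. The function names and the throwaway demo CA are constructed for illustration; the script assumes the openssl CLI and GNU date.

```shell
# crl_status CRL CA_CERT -> prints unreadable | wrong-ca | expired | valid
# Assumes the openssl CLI and GNU date (`date -d`).
crl_status() {
    crl=$1; ca=$2
    next=$(openssl crl -in "$crl" -noout -nextupdate 2>/dev/null) || { echo unreadable; return 0; }
    # Is the CRL signed by the CA certificate that OpenVPN is configured with?
    if ! openssl crl -in "$crl" -CAfile "$ca" -noout 2>&1 | grep -q 'verify OK'; then
        echo wrong-ca; return 0
    fi
    # "CRL has expired" means nextUpdate is in the past.
    next_epoch=$(date -u -d "${next#nextUpdate=}" +%s 2>/dev/null) || { echo unreadable; return 0; }
    if [ "$next_epoch" -le "$(date -u +%s)" ]; then echo expired; else echo valid; fi
}
# make_demo_ca DIR: constructed throwaway CA, laid out like the [ IPCop ] section
make_demo_ca() {
    d=$1; mkdir -p "$d/ca" "$d/private" "$d/certs" "$d/crls"
    : > "$d/certs/index.txt"
    cat > "$d/openssl.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
database = $d/certs/index.txt
certificate = $d/ca/cacert.pem
private_key = $d/private/cakey.pem
default_md = sha256
default_crl_days = 30
[ req ]
distinguished_name = dn
[ dn ]
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=demo CA" \
        -config "$d/openssl.cnf" -keyout "$d/private/cakey.pem" -out "$d/ca/cacert.pem" 2>/dev/null
}
# gen_crl DIR [extra options]: the thread's -gencrl command, run against the demo CA
gen_crl() {
    d=$1; shift
    openssl ca -config "$d/openssl.cnf" -gencrl "$@" -out "$d/crls/cacrl.pem" 2>/dev/null
}
demo() {
    a=$(mktemp -d); b=$(mktemp -d); make_demo_ca "$a"; make_demo_ca "$b"
    gen_crl "$a" -crlsec 1; sleep 2          # one-second lifetime, so now expired
    s1=$(crl_status "$a/crls/cacrl.pem" "$a/ca/cacert.pem")
    gen_crl "$a"                             # falls back to default_crl_days = 30
    s2=$(crl_status "$a/crls/cacrl.pem" "$a/ca/cacert.pem")
    s3=$(crl_status "$a/crls/cacrl.pem" "$b/ca/cacert.pem")   # a different CA's cert
    rm -rf "$a" "$b"; echo "$s1 $s2 $s3"
}
# Usage: script.sh demo | script.sh CRL_FILE CA_CERT
case "${1:-}" in demo) demo ;; ?*) crl_status "$1" "$2" ;; esac
```

With the paths from the config posted in the thread, the check would be `crl_status /var/ipcop/crls/cacrl.pem /var/ipcop/ca/cacert.pem`; it is also worth confirming that the `crl-verify` path in the OpenVPN server config is the same file that `-out` wrote.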
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Fixing "CRL has expired " without easyrsa
How did you generate a CRL before, or is this the first time you have tried to do so?