Fixing "CRL has expired " without easyrsa

[dazz]

Hi
I am running OpenVPN on the IPCop firewall. It came preinstalled with OpenVPN but not easyrsa.

I have the problem described in this post:
viewtopic.php?t=26308
I don't know if I can simply download and run the easyrsa gen-crl command without any prior config/setup of easyrsa.
I don't know if it would be safe to simply run easyrsa.
I have had a look at the easyrsa script to see if I could just extract and run the gen-crl commands but that doesn't look easy.

It appears I need to update the CRL but I don't know how to do this without easyrsa.

Any help appreciated.

Dazz

[TinCanTech]

I am running OpenVPN on the IPCop firewall. It came preinstalled with OpenVPN

And what does the manual say for your device ?

[dazz]

Hi

And what does the manual say for your device ?

Nothing useful.

Below is my config file.

Code: Select all

HOME            = .
RANDFILE        = /var/tmp/.rnd
oid_section     = new_oids

[ new_oids ]

[ ca ]
default_ca      = IPCop

[ IPCop ]
dir             = /var/ipcop
certs           = $dir/certs
crl_dir         = $dir/crls
database        = $dir/certs/index.txt
new_certs_dir   = $dir/certs
certificate     = $dir/ca/cacert.pem
serial          = $dir/certs/serial
crl             = $dir/crls/cacrl.pem
private_key     = $dir/private/cakey.pem
RANDFILE        = $dir/tmp/.rand
x509_extensions = usr_cert
default_days    = 999999
default_crl_days= 30
default_md      = sha256
preserve        = no
policy          = policy_match
email_in_dn     = no
...
[ req ]
default_bits            = 2048
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions = v3_ca
string_mask = nombstr

...

[ usr_cert ]
basicConstraints=CA:FALSE
nsComment                       = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

[ server ]
basicConstraints=CA:FALSE
nsCertType                      = server
nsComment                       = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true

[ crl_ext ]
authorityKeyIdentifier=keyid:always,issuer:always

[ engine ]
default = openssl

I have never changed the config file settings directly.

I think I need to run the command:

Code: Select all

openssl ca -config  /etc/ssl/openssl.cnf     -gencrl -out /var/ipcop/crls/cacrl.pem

I think this is the command to overwrite the existing CRL file.

[TinCanTech]

By the look of it your device could easily support easyrsa3.

Or you could use easyrsa3 on your desktop computer and upload the files to your device.

[dazz]

Hi
I know you are trying to be helpful but I only want to do a single thing to fix a single problem. I have never needed or used easyrsa3 before and I shouldn't need it now.
I will try running the command above and see if that works. Failing that I could do a complete reinstall of the firewall. That I can do and will probably be easier than learning a new program.

[dazz]

Hi
The command:

Code: Select all

openssl ca -config  /etc/ssl/openssl.cnf     -gencrl -out /var/ipcop/crls/cacrl.pem

did not solve the problem.

[TinCanTech]

How did you generate a CRL before or is this the first time you have tried to do so ?