OpenVPN blocked. I need to renew crl.pem file


Post by GeoffatMM » Fri Jun 12, 2020 9:49 pm

I found a similar post here viewtopic.php?f=22&t=29439&p=88788&hilit=crl#p88788 but it does not appear to have been resolved.

I also have not used easyrsa and would prefer not to. OpenVPN was installed to my server via Webmin, and the CA, SERVER and CLIENTS were all generated using the Webmin module for OpenVPN. I guess I could just scrap everything and start again with an amended openvpn-ssl.cnf file that gives a longer period for the next update, but it would be easier to just generate a new crl.pem file.

I am using Debian 10.

I have tried issuing this command from the openvpn directory:

openssl ca -gencrl -keyfile keys/xorexca/ca.key -cert keys/xorexca/ca.crt -out crl.pem -config ./openvpn-ssl.cnf

but it had problems with the defined variables such as dir = $ENV::KEY_DIR (I am not that technical so am not sure how to interpret this).

One by one I removed the variables in a renamed copy of the .cnf file and replaced them with absolute references until finally it ran but then gave me this error:

Using configuration from ./openvpn-sslgjj.cnf
140089305715904:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:69:fopen('/etc/openvpn/index.txt','r')
140089305715904:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:76:

Once again I am afraid I cannot interpret this message.

Not sure why the variables are not recognised nor what this message means.

Can anyone help? No clients can currently connect.

Geoff


Re: OpenVPN blocked. I need to renew crl.pem file

Post by GeoffatMM » Mon Jun 15, 2020 5:26 am

I built a new VPN using an amended configuration that allowed a much longer renewal period for the CRL. That generated a new crl.pem file, which I then copied to the other existing VPN directories, and now everything is up and running again.

I would however still like to understand why

openssl ca -gencrl -keyfile keys/xorexca/ca.key -cert keys/xorexca/ca.crt -out crl.pem -config ./openvpn-ssl.cnf

did not properly read the variables for the configuration file.


Re: OpenVPN blocked. I need to renew crl.pem file

Post by GeoffatMM » Fri Jun 26, 2020 7:27 am

Can anyone help me with this please?
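
Added example, not part of the original posts and not Webmin's or OpenVPN's own code: in an OpenSSL config file, `$ENV::KEY_DIR` is read from the process environment, so `openssl ca` stops when `KEY_DIR` is not exported, and the `fopen` error above is `openssl ca` looking for its database file (`index.txt`) under the configured `dir`. The script assumes `ca.key`, `ca.crt` and `index.txt` sit together in one CA directory passed as the first argument; the function names are hypothetical.

```sh
#!/bin/sh
# Added example. Function names and the CA directory layout are assumptions.

# List variables the config reads as $ENV::NAME / ${ENV::NAME} that are not
# exported in the current environment (openssl aborts on any of these).
missing_env_vars() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -oE '\$\{?ENV::[A-Za-z_][A-Za-z0-9_]*' |
        sed -E 's/^\$\{?ENV:://' | sort -u |
        while read -r name; do
            printenv "$name" >/dev/null || echo "$name"
        done
}

# Regenerate the CRL. Runs in a subshell so the export does not leak.
#   $1 = CA directory (assumed to hold ca.key, ca.crt and index.txt)
#   $2 = OpenSSL config file    $3 = output CRL path
regen_crl() (
    key_dir=$1 cnf=$2 out=$3
    # "openssl ca" opens its database (index.txt) even for -gencrl.
    [ -f "$key_dir/index.txt" ] || {
        echo "CA database not found: $key_dir/index.txt" >&2; exit 2; }
    export KEY_DIR="$key_dir"
    unset_vars=$(missing_env_vars "$cnf" | tr '\n' ' ')
    [ -z "$unset_vars" ] || {
        echo "config needs these exported too: $unset_vars" >&2; exit 3; }
    # nextUpdate is set from default_crl_days in the config unless
    # -crldays is given on the command line.
    openssl ca -gencrl -keyfile "$key_dir/ca.key" -cert "$key_dir/ca.crt" \
        -config "$cnf" -out "$out" || exit 4
    # Show the validity window of the new CRL.
    openssl crl -in "$out" -noout -lastupdate -nextupdate
)

if [ "$#" -eq 3 ]; then regen_crl "$@"; fi
```

Run it as root with the CA directory, the unmodified config and the output path as arguments, then copy the new crl.pem to wherever the server's `crl-verify` option points.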
