[Solved] CRL has expired

Support forum for Easy-RSA certificate management suite.
Locked
duxurivisi
OpenVpn Newbie
Posts: 5
Joined: Mon Apr 30, 2018 12:18 pm

[Solved] CRL has expired

Post by duxurivisi » Mon Apr 30, 2018 12:23 pm

Hi everyone,
in last few days, I'm not able anymore to connect to my OpenVPN server, that runs on a PI. To install it I've followed this guide: https://pimylifeup.com/raspberry-pi-vpn-server/.

This is the error I'm getting from the openvpn.log:

Code: Select all

Mon Apr 30 11:08:06 2018 5.90.54.104:33909 VERIFY ERROR: depth=0, error=CRL has expired: CN=windowsClient
Mon Apr 30 11:08:06 2018 5.90.54.104:33909 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Mon Apr 30 11:08:06 2018 5.90.54.104:33909 TLS_ERROR: BIO read tls_read_plaintext error
Mon Apr 30 11:08:06 2018 5.90.54.104:33909 TLS Error: TLS object -> incoming plaintext read error
Mon Apr 30 11:08:06 2018 5.90.54.104:33909 TLS Error: TLS handshake failed
Mon Apr 30 11:08:06 2018 5.90.54.104:33909 Fatal TLS error (check_tls_errors_co), restarting
And this from the client side:

Code: Select all

Validating certificate extended key usage
2018-04-30 11:28:17 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2018-04-30 11:28:17 VERIFY EKU OK
2018-04-30 11:28:17 VERIFY X509NAME OK: CN=server_XXxQwp63Aywdvhzm
2018-04-30 11:28:17 VERIFY OK: depth=0, CN=server_XXxQwp63Aywdvhzm
2018-04-30 11:28:18 Connection reset, restarting [0]
2018-04-30 11:28:18 SIGUSR1[soft,connection-reset] received, process restarting
2018-04-30 11:28:18 MANAGEMENT: >STATE:1525080498,RECONNECTING,connection-reset,,,,,
It seems the CRL certificate has been expired; how Can I fix? I don't want to change something on the client side. I've a .pem file in /etc/openvpn/ folder and I've a folder Easy-RSA. Thank you in advance for your help!

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 4901
Joined: Fri Jun 03, 2016 1:17 pm

Re: CRL has expired

Post by TinCanTech » Mon Apr 30, 2018 12:38 pm


duxurivisi
OpenVpn Newbie
Posts: 5
Joined: Mon Apr 30, 2018 12:18 pm

Re: CRL has expired

Post by duxurivisi » Mon Apr 30, 2018 1:05 pm

TinCanTech wrote:
Mon Apr 30, 2018 12:38 pm
Please see:
https://community.openvpn.net/openvpn/w ... istExpired
Thank your hint! So should I just run the command:

Code: Select all

./easyrsa gen-crl
Should I perform some modification on client's side?

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 4901
Joined: Fri Jun 03, 2016 1:17 pm

Re: CRL has expired

Post by TinCanTech » Mon Apr 30, 2018 1:27 pm

Generate a new CRL and copy it over the old one on the server -- Job done.

duxurivisi
OpenVpn Newbie
Posts: 5
Joined: Mon Apr 30, 2018 12:18 pm

Re: CRL has expired

Post by duxurivisi » Mon Apr 30, 2018 1:41 pm

TinCanTech wrote:
Mon Apr 30, 2018 1:27 pm
Generate a new CRL and copy it over the old one on the server -- Job done.
Where Should I run the

Code: Select all

./easyrsa gen-crl
command? My distro, where the OpenVPN server stands, is Raspberry PI Raspbian.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 4901
Joined: Fri Jun 03, 2016 1:17 pm

Re: CRL has expired

Post by TinCanTech » Thu May 03, 2018 12:01 am

duxurivisi wrote:
Mon Apr 30, 2018 1:41 pm
TinCanTech wrote:
Mon Apr 30, 2018 1:27 pm
Generate a new CRL and copy it over the old one on the server -- Job done.
Where Should I run the

Code: Select all

./easyrsa gen-crl
command? My distro, where the OpenVPN server stands, is Raspberry PI Raspbian.

Code: Select all

./easyrsa gen-crl
^ ./ ^ explicitly implies "current" directory ..
so where ever you started ./easyrsa init-pki in the first place ..

only you should know.

:roll:

:ghosti emoji: ooooo

duxurivisi
OpenVpn Newbie
Posts: 5
Joined: Mon Apr 30, 2018 12:18 pm

Re: CRL has expired

Post by duxurivisi » Tue May 08, 2018 8:35 pm

TinCanTech wrote:
Thu May 03, 2018 12:01 am
duxurivisi wrote:
Mon Apr 30, 2018 1:41 pm
TinCanTech wrote:
Mon Apr 30, 2018 1:27 pm
Generate a new CRL and copy it over the old one on the server -- Job done.
Where Should I run the

Code: Select all

./easyrsa gen-crl
command? My distro, where the OpenVPN server stands, is Raspberry PI Raspbian.

Code: Select all

./easyrsa gen-crl
^ ./ ^ explicitly implies "current" directory ..
so where ever you started ./easyrsa init-pki in the first place ..

only you should know.

:roll:

:ghosti emoji: ooooo
It worked! Thank you so much!

Locked