verify error, tls error

lexus45
OpenVpn Newbie
Posts: 17
Joined: Fri May 31, 2013 8:12 am

verify error, tls error

Post by lexus45 » Wed Jun 20, 2018 7:59 pm

Hi all.

Suddenly my VPN, which had been working fine, started to fail.
As far as I remember, I haven't installed any system updates lately. Yesterday it was OK, and I haven't configured anything on the server.
All I could have done is 'apt update ; apt list --upgradable ; apt upgrade -y'. But I'm not even sure if I upgraded the system yesterday or today.

All I found is in dpkg.log:

2018-06-18 08:50:35 upgrade libgcrypt20:amd64 1.7.6-2+deb9u2 1.7.6-2+deb9u3

But that was on June 18. Today is the 20th, even the 21st right now. Yesterday everything worked. I haven't even restarted the OpenVPN server.

Thu Jun 21 00:48:21 2018 us=636640 x.y.124.2:55476 WARNING: Failed to stat CRL file, not (re)loading CRL.
Thu Jun 21 00:48:21 2018 us=882751 x.y.124.2:55476 VERIFY ERROR: depth=0, error=CRL has expired: C=TZ, ST=45, L=Tn, O=XM, OU=XmUnit, CN=client-dell, name=EasyRSA, emailAddress=email@email.email
Thu Jun 21 00:48:21 2018 us=883201 x.y.124.2:55476 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Thu Jun 21 00:48:21 2018 us=883389 x.y.124.2:55476 TLS_ERROR: BIO read tls_read_plaintext error
Thu Jun 21 00:48:21 2018 us=883555 x.y.124.2:55476 TLS Error: TLS object -> incoming plaintext read error
Thu Jun 21 00:48:21 2018 us=883716 x.y.124.2:55476 TLS Error: TLS handshake failed

OpenVPN 2.4.6.
Debian 9.4 Stretch (stable).

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

VERIFY ERROR: depth=0, error=CRL has expired

Post by TinCanTech » Wed Jun 20, 2018 8:10 pm

Your Certificate Revocation List has expired.

Re: VERIFY ERROR: depth=0, error=CRL has expired

Post by lexus45 » Thu Jun 21, 2018 4:12 am

TinCanTech wrote:
Wed Jun 20, 2018 8:10 pm
Your Certificate Revocation List has expired.

TinCanTech, thank you so much for the reply.
But now I cannot understand how to prolong it. I just checked the official documentation, HOWTO and manual, but haven't found how to prolong the CRL.

Re: verify error, tls error

Post by lexus45 » Thu Jun 21, 2018 4:16 am

Well, what I've done right now:

There was a client certificate which I created when I set up the server, just to test the connection. I don't use it. I revoked it.
After that, I noticed that crl.pem's timestamp shows it was changed just now.
I restarted the server and now all clients connect successfully.

But now I wonder when the CRL will expire the next time?!
As I already mentioned, I haven't seen any options for the CRL expiration time.

Re: verify error, tls error

Post by TinCanTech » Thu Jun 21, 2018 8:03 pm

See the Easy-RSA documentation.
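
Added example, not part of the original thread: a POSIX shell check that reads the `nextUpdate` field of the CRL with `openssl crl` and reports whether it has expired or is about to, which is the "when will it expire next" question asked above. It assumes `openssl` and GNU `date` are installed; the CRL path and the 7-day warning window are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes openssl and GNU date are installed.
# The CRL path and the 7-day warning window are placeholders; adjust to your setup.

# Print the CRL's nextUpdate field, e.g. "Dec 17 19:48:21 2018 GMT".
crl_next_update() {
    openssl crl -in "$1" -noout -nextupdate 2>/dev/null | sed 's/^nextUpdate=//'
}

# crl_status NEXT_UPDATE WARN_DAYS [NOW_EPOCH]
# Prints EXPIRED, EXPIRING or OK; returns 2 if the timestamp cannot be parsed.
crl_status() {
    target=$(date -u -d "$1" +%s 2>/dev/null) || return 2
    now=${3:-$(date -u +%s)}
    left=$(( target - now ))
    if [ "$left" -le 0 ]; then
        echo EXPIRED
    elif [ "$left" -le $(( $2 * 86400 )) ]; then
        echo EXPIRING
    else
        echo OK
    fi
}

# check_crl CRL_FILE [WARN_DAYS]
# Exit status: 0 = OK, 1 = expired or inside the warning window, 2 = unreadable CRL.
check_crl() {
    next=$(crl_next_update "$1")
    [ -n "$next" ] || { echo "cannot read CRL: $1" >&2; return 2; }
    state=$(crl_status "$next" "${2:-7}") || return 2
    echo "$state: $1 nextUpdate=$next"
    [ "$state" = OK ]
}

# Run only when a CRL path is given, e.g. from cron:  check_crl.sh /etc/openvpn/crl.pem 7
if [ $# -gt 0 ]; then
    check_crl "$@"
fi
```

If the check reports EXPIRED or EXPIRING, regenerate the CRL with your PKI tooling and install it where the server reads it. With Easy-RSA 3 (an assumption about the setup) that is `./easyrsa gen-crl`, and the CRL lifetime comes from `EASYRSA_CRL_DAYS`.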

Re: verify error, tls error

Post by lexus45 » Fri Jun 22, 2018 6:02 am

Thank you, I will check.
