Fixing "CRL has expired " without easyrsa
Posted: Sat Jan 04, 2020 9:19 am
by dazz
Hi
I am running OpenVPN on the IPCop firewall. It came preinstalled with OpenVPN but not easyrsa.
I have the problem described in this post:
viewtopic.php?t=26308
I don't know if I can simply download and run the easyrsa gen-crl command without any prior config/setup of easyrsa.
I don't know if it would be safe to simply run easyrsa.
I have had a look at the easyrsa script to see if I could just extract and run the gen-crl commands but that doesn't look easy.
It appears I need to update the CRL but I don't know how to do this without easyrsa.
Any help appreciated.
Dazz
Re: Fixing "CRL has expired " without easyrsa
Posted: Sat Jan 04, 2020 1:57 pm
by TinCanTech
dazz wrote: ↑Sat Jan 04, 2020 9:19 am
I am running OpenVPN on the IPCop firewall. It came preinstalled with OpenVPN
And what does the manual say for your device?
Re: Fixing "CRL has expired " without easyrsa
Posted: Sun Jan 05, 2020 4:22 am
by dazz
Hi
TinCanTech wrote: ↑Sat Jan 04, 2020 1:57 pm
And what does the manual say for your device?
Nothing useful.
Below is my config file.
```ini
HOME = .
RANDFILE = /var/tmp/.rnd
oid_section = new_oids
[ new_oids ]
[ ca ]
default_ca = IPCop
[ IPCop ]
dir = /var/ipcop
certs = $dir/certs
crl_dir = $dir/crls
database = $dir/certs/index.txt
new_certs_dir = $dir/certs
certificate = $dir/ca/cacert.pem
serial = $dir/certs/serial
crl = $dir/crls/cacrl.pem
private_key = $dir/private/cakey.pem
RANDFILE = $dir/tmp/.rand
x509_extensions = usr_cert
default_days = 999999
default_crl_days= 30
default_md = sha256
preserve = no
policy = policy_match
email_in_dn = no
...
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
string_mask = nombstr
...
[ usr_cert ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
[ server ]
basicConstraints=CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
[ crl_ext ]
authorityKeyIdentifier=keyid:always,issuer:always
[ engine ]
default = openssl
```
I have never changed the config file settings directly.
I think I need to run the command:
```sh
openssl ca -config /etc/ssl/openssl.cnf -gencrl -out /var/ipcop/crls/cacrl.pem
```
I think this is the command to overwrite the existing CRL file.
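The following is an added example, not code from the thread or from IPCop. It builds a throwaway OpenSSL CA in a temporary directory using a `[ca]` section of the same shape as the IPCop config above (paths, names, the `demo` section name and the 30-day `default_crl_days` are all constructed for the demo), signs one client certificate, then shows both sides of the problem: a CRL whose `nextUpdate` has passed makes `openssl verify -crl_check` fail exactly as OpenVPN reports ("CRL has expired"), and re-running `openssl ca -gencrl` against the same config produces a CRL that verifies again. The `crl_seconds_left` helper reads `nextUpdate` back from the written file, which is the check worth running on the real `/var/ipcop/crls/cacrl.pem` after the command to confirm the file was actually replaced. It assumes a GNU userland (`date -d`, `mktemp -d`) and an `openssl` binary on PATH.

```shell
#!/bin/sh
# Added example: regenerate an OpenSSL CA's CRL and confirm it is fresh.
# Everything below (CA, cert, paths) is constructed in a temp dir for the demo.
set -eu

WORK="$(mktemp -d)"
CNF="$WORK/ca.cnf"
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/ca" "$WORK/private" "$WORK/certs" "$WORK/crls"
touch "$WORK/certs/index.txt"
echo 01 > "$WORK/certs/serial"

# Minimal config in the same shape as the IPCop [ca] section (demo values).
cat > "$CNF" <<EOF
[ ca ]
default_ca = demo
[ demo ]
dir = $WORK
database = \$dir/certs/index.txt
new_certs_dir = \$dir/certs
certificate = \$dir/ca/cacert.pem
serial = \$dir/certs/serial
crl = \$dir/crls/cacrl.pem
private_key = \$dir/private/cakey.pem
default_days = 365
default_crl_days = 30
default_md = sha256
policy = policy_any
x509_extensions = usr_cert
crl_extensions = crl_ext
[ policy_any ]
commonName = supplied
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = placeholder
[ usr_cert ]
basicConstraints = CA:FALSE
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
[ crl_ext ]
authorityKeyIdentifier = keyid:always
EOF

# Self-signed demo CA (no passphrase: demo only) and one client certificate,
# so the CA database is non-empty like a live IPCop installation.
openssl req -x509 -new -newkey rsa:2048 -nodes -config "$CNF" -days 3650 \
  -keyout "$WORK/private/cakey.pem" -out "$WORK/ca/cacert.pem" \
  -subj "/CN=demo-ca" >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -config "$CNF" \
  -keyout "$WORK/client.key" -out "$WORK/client.csr" \
  -subj "/CN=client1" >/dev/null 2>&1
openssl ca -batch -config "$CNF" -in "$WORK/client.csr" \
  -out "$WORK/client.crt" >/dev/null 2>&1

# The step the thread is about: (re)generate the CRL with the config's lifetime.
gen_crl() {
  openssl ca -config "$CNF" -gencrl -out "$WORK/crls/cacrl.pem" 2>/dev/null
}

# Same command, but a CRL that expires one second after it is written,
# to reproduce the "CRL has expired" state deterministically.
gen_expiring_crl() {
  openssl ca -config "$CNF" -gencrl -crlsec 1 -out "$WORK/crls/cacrl.pem" 2>/dev/null
}

# Seconds until the CRL's nextUpdate (negative once it has expired).
crl_seconds_left() {
  next=$(openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//')
  echo $(( $(date -d "$next" +%s) - $(date +%s) ))
}

# Exit 0 only if the client cert still verifies with CRL checking enabled,
# i.e. the same check OpenVPN's crl-verify performs at connect time.
verify_with_crl() {
  cat "$WORK/ca/cacert.pem" "$WORK/crls/cacrl.pem" > "$WORK/ca_and_crl.pem"
  openssl verify -crl_check -CAfile "$WORK/ca_and_crl.pem" "$WORK/client.crt" >/dev/null 2>&1
}

# 1. Reproduce the symptom.
gen_expiring_crl
sleep 2
if verify_with_crl; then
  echo "unexpected: stale CRL accepted"
else
  echo "stale CRL rejected: this is the 'CRL has expired' state"
fi

# 2. The fix: regenerate, then confirm nextUpdate moved before restarting OpenVPN.
gen_crl
echo "new CRL valid for $(crl_seconds_left "$WORK/crls/cacrl.pem") more seconds"
verify_with_crl && echo "client cert verifies against the fresh CRL"
```

On a real box the equivalent check is `openssl crl -in /var/ipcop/crls/cacrl.pem -noout -nextupdate` run before and after `openssl ca -gencrl`: if the date does not change, the command wrote somewhere else or used a different `-config` than the one whose `crl =` line points at that file.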
Re: Fixing "CRL has expired " without easyrsa
Posted: Sun Jan 05, 2020 2:39 pm
by TinCanTech
By the look of it your device could easily support easyrsa3.
Or you could use easyrsa3 on your desktop computer and upload the files to your device.
Re: Fixing "CRL has expired " without easyrsa
Posted: Mon Jan 06, 2020 6:21 am
by dazz
Hi
I know you are trying to be helpful, but I only want to do a single thing to fix a single problem. I have never needed or used easyrsa3 before and I shouldn't need it now.
I will try running the command above and see if that works. Failing that, I could do a complete reinstall of the firewall. That I can do, and it will probably be easier than learning a new program.
Re: Fixing "CRL has expired " without easyrsa
Posted: Mon Jan 06, 2020 8:08 am
by dazz
Hi
The command:
```sh
openssl ca -config /etc/ssl/openssl.cnf -gencrl -out /var/ipcop/crls/cacrl.pem
```
did not solve the problem.
Re: Fixing "CRL has expired " without easyrsa
Posted: Mon Jan 06, 2020 9:40 am
by TinCanTech
How did you generate a CRL before, or is this the first time you have tried to do so?