Is this a maintenance item? easyrsa gen-crl?
Posted: Mon Feb 20, 2023 1:40 pm
Am I supposed to be redoing the CRL every once in a while? Is there any sysadmin advice for CRL settings to prevent unexpected outages?
For reference, my vars currently contains these for lengths:
- Upgraded to 2.6.0 on 26 January 2023, worked fine before and after upgrade.
- This weekend all VPN connections went down, probably after a Windows Update reboot.
- I caught "error=CRL has expired" in the logs.
- After "easyrsa gen-crl" and restarting OpenVPN service everything works fine again.
Code:
# How many days until the next CRL publish date? Note that the CRL can still be
# parsed after this timeframe passes. It is only used for an expected next
# publication date.
#set_var EASYRSA_CRL_DAYS 180
Code:
# In how many days should the root CA key expire; 20 years
set_var EASYRSA_CA_EXPIRE 7300
# In how many days should certificates expire; 20 years
set_var EASYRSA_CERT_EXPIRE 7300
# How many days before its expiration date a certificate is allowed to be renewed; whenever
set_var EASYRSA_CERT_RENEW 7300
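
A scheduled check that catches the condition behind "error=CRL has expired" before clients are dropped, shown as an added example that is not part of the original post or of Easy-RSA. It reads the CRL's nextUpdate with the openssl CLI (assumed to be on PATH); the script name, the 14-day warning window and the exit codes are assumptions made for illustration.

```python
import subprocess
import sys
from datetime import datetime, timezone

# Date layout printed by `openssl crl -noout -nextupdate`.
OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"


def parse_next_update(openssl_output):
    """Return the CRL nextUpdate as an aware UTC datetime, or None if absent."""
    for line in openssl_output.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key == "nextUpdate":
            if value.strip() == "NONE":  # CRL carries no nextUpdate field
                return None
            parsed = datetime.strptime(value.strip(), OPENSSL_TIME)
            return parsed.replace(tzinfo=timezone.utc)
    raise ValueError("no nextUpdate line in openssl output")


def crl_status(next_update, now, warn_days=14):
    """Classify the CRL: OK, RENEW (inside the warning window) or EXPIRED."""
    if next_update is None:
        return "OK"  # no nextUpdate field, so no date to compare against
    days_left = (next_update - now).total_seconds() / 86400
    if days_left <= 0:
        return "EXPIRED"
    return "RENEW" if days_left <= warn_days else "OK"


def read_next_update(crl_path):
    """Ask the openssl CLI for the nextUpdate of the CRL file at crl_path."""
    result = subprocess.run(
        ["openssl", "crl", "-in", crl_path, "-noout", "-nextupdate"],
        check=True, capture_output=True, text=True,
    )
    return parse_next_update(result.stdout)


if __name__ == "__main__":
    # Usage (hypothetical script name): python check_crl.py <crl.pem> [warn_days]
    warn = int(sys.argv[2]) if len(sys.argv) > 2 else 14
    expiry = read_next_update(sys.argv[1])
    status = crl_status(expiry, datetime.now(timezone.utc), warn)
    print(f"{status}: CRL nextUpdate is {expiry}")
    # Non-zero exit lets a scheduler or monitor raise an alert.
    sys.exit({"OK": 0, "RENEW": 1, "EXPIRED": 2}[status])
```

On RENEW or EXPIRED, the remedy is the one from the post: run "easyrsa gen-crl" and restart the OpenVPN service.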