Help needed in updating expired certs

Scripts to manage certificates or generate config files

Moderators: TinCanTech

BobAGI
OpenVPN Power User
Posts: 167
Joined: Mon May 05, 2014 10:17 pm

Help needed in updating expired certs

Post by BobAGI » Thu Feb 23, 2023 3:42 pm

Is there some page here where one can read how to fix expired cert issues?
My Linux Ubuntu OpenVPN server became unresponsive yesterday and when I looked in the log I found:

217.31.190.108:63723 VERIFY ERROR: depth=0, error=CRL has expired: C=US,....
217.31.190.108:63723 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

So I assume that some certificate has expired (what is CRL?)...

Questions:
1) How to find which certificate has expired?
2) How to check the expiration of a certificate used by OpenVPN? Is there some command line function to do this?
3) Are client certs or server certs expiring like this?
4) Most important: How do I correct this? Can I routinely extend the life yearly or so?
5) Can I update something server side such that the client can again connect or do I need to generate new OVPN files too?
6) Are also other crypto files expiring?

I have about 10 clients issued logins for this server and I need to make sure they are not locked out.
How is that done? I.e. does the client OVPN file contain expiring certs too?

EDIT:
I got redirected to the solution via the mail list.
It turns out my problem was NOT a cert expiration at all, instead it was an expiration of the CRL (certificate revocation list) I introduced a month back to block old clients from connecting.
This list itself has an expiration and if it does expire the complete server becomes blocked for all clients...
After disabling crl handling altogether in the conf files and restarting both services all is back in working order.
But also allowing the blocked clients access....
I have to check how to fix this later, maybe via a cron script that renews the list or such.

RemoteOne
OpenVPN User
Posts: 34
Joined: Wed Sep 18, 2019 10:11 am

Re: Help needed in updating expired certs

Post by RemoteOne » Wed Mar 01, 2023 10:21 am

CRL is the Certificate Revocation List - it is the list of issued and subsequently revoked certificates from your CA (Certificate Authority)

When you generate a CRL it has a built-in expiry date.

You can regenerate the CRL with easy-rsa if that is what you used to create the certificates in the first place. To recreate it:

cd <PKI parent folder>
<path to easyrsa>/easyrsa gen-crl
chmod 644 ./pki/crl.pem

The chmod may or may not be required depending on the user/group that openvpn runs under. The new CRL file will have owner-only permissions. You need to make sure openvpn can read it. Check the openvpn log for any errors related to the CRL file.
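
Because an expired CRL locks out every client at once, the expiry is worth monitoring rather than discovering in the log. The following is an added example, not code from this thread or from easy-rsa or OpenVPN: a standard-library-only Python reader for the CRL's thisUpdate/nextUpdate fields, plus a constructed sample CRL (the name `sample_crl` and the "Example CA" issuer are assumptions for testing) so it can be tried without a real PKI.

```python
import base64, re
from datetime import datetime, timezone

# Pure-stdlib reader for the thisUpdate / nextUpdate fields of an X.509 CRL (RFC 5280),
# so a cron job can warn before OpenVPN's crl-verify rejects every client with "CRL has expired".

def _tlv(buf, pos):
    """Decode the DER TLV at pos -> (tag, value, offset of the next TLV)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length: 0x8n, then n length bytes
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _time(tag, val):                                # 0x17 UTCTime (YYMMDD...), 0x18 GeneralizedTime (YYYYMMDD...)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def crl_validity(data):
    """(thisUpdate, nextUpdate) of a PEM or DER CRL; nextUpdate is None if the CRL never expires."""
    if data.lstrip().startswith(b"-----BEGIN"):
        b64 = re.search(rb"-----BEGIN X509 CRL-----(.*?)-----END", data, re.S).group(1)
        data = base64.b64decode(b"".join(b64.split()))
    _, cert_list, _ = _tlv(data, 0)                 # CertificateList ::= SEQUENCE { tbsCertList, sigAlg, sig }
    _, tbs, _ = _tlv(cert_list, 0)
    times, pos = [], 0
    while pos < len(tbs):                           # the top-level Time values of tbsCertList are exactly
        tag, val, pos = _tlv(tbs, pos)              # thisUpdate and the optional nextUpdate
        if tag in (0x17, 0x18):
            times.append(_time(tag, val))
    return times[0], (times[1] if len(times) > 1 else None)

def crl_days_left(data, now=None):
    """Days until nextUpdate (negative once expired), or None for a CRL without one."""
    next_update = crl_validity(data)[1]
    if next_update is None:
        return None
    return (next_update - (now or datetime.now(timezone.utc))).total_seconds() / 86400

def _der(tag, content):                             # minimal DER encoder (short-form lengths suffice here)
    return bytes([tag, len(content)]) + content

def sample_crl(this_update, next_update):
    """Constructed, unsigned test CRL (zeroed signature); times are UTCTime strings like '230125120000Z'."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")) + _der(0x05, b""))   # sha256WithRSA
    issuer = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x13, b"Example CA"))))
    tbs = _der(0x30, _der(0x02, b"\x01") + alg + issuer
               + _der(0x17, this_update.encode()) + _der(0x17, next_update.encode()))
    return _der(0x30, tbs + alg + _der(0x03, bytes(9)))
```

From cron, call `crl_days_left(open("/etc/openvpn/crl.pem", "rb").read())` (the path your crl-verify line points at) and alert when the value drops below the interval at which you rerun `easyrsa gen-crl`; remember that gen-crl writes to pki/crl.pem, which must still be copied to that path.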

BobAGI
OpenVPN Power User
Posts: 167
Joined: Mon May 05, 2014 10:17 pm

Re: Help needed in updating expired certs

Post by BobAGI » Thu Mar 09, 2023 2:55 pm

BobAGI wrote:
Thu Feb 23, 2023 3:42 pm
EDIT:
After disabling crl handling altogether in the conf files and restarting both services all is back in working order.
But also allowing the blocked clients access....
I have to check how to fix this later, maybe via a cron script that renews the list or such.

Final solution for blocking clients
I ended up blocking disallowed clients from access using entries in the ccd dir on the server.
This dir contains extra config for connecting clients and each is handled by a separate file named as the client Common Name.
Put this into such a file:

#2023-02-25: This client is blocked from connecting
disable

This way the client is blocked from connecting and it is a simple way to manage it too.
Of course you must enable ccd use in the server.conf file:

client-config-dir /etc/openvpn/ccdw
