My Linux Ubuntu OpenVPN server became unresponsive yesterday and when I looked in the log I found:
217.31.190.108:63723 VERIFY ERROR: depth=0, error=CRL has expired: C=US,....
217.31.190.108:63723 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Questions:
1) How to find which certificate has expired?
2) How to check the expiration of a certificate used by OpenVPN? Is there some command line function to do this?
3) Are client certs or server certs expiring like this?
4) Most important: How do I correct this? Can I routinely extend the life yearly or so?
5) Can I update something server side such that the client can again connect or do I need to generate new OVPN files too?
6) Are also other crypto files expiring?
I have about 10 clients issued logins for this server and I need to make sure they are not locked out.
How is that done? I.e. does the client OVPN file contain expiring certs too?
EDIT:
I got redirected to the solution via the mail list.
It turns out my problem was NOT a cert expiration at all; instead it was an expiration of the CRL (certificate revocation list) I introduced a month back to block old clients from connecting.
This list itself has an expiration, and if it does expire, the complete server becomes blocked for all clients...
After disabling CRL handling altogether in the conf files and restarting both services, all is back in working order.
But also allowing the blocked clients access....
I have to check how to fix this later, maybe via a cron script that renews the list or such.
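A cron-friendly check that answers the "how do I check the expiration" question for the CRL specifically, added here as an example rather than code from the original post: it reads the CRL's nextUpdate via `openssl crl -noout -nextupdate`, reports days left, and also recognises the "CRL has expired" verify error from the log. The CRL path and the 14-day warning threshold are assumptions.

```python
#!/usr/bin/env python3
"""Warn before an OpenVPN CRL's nextUpdate passes (expired CRL = every client rejected).
Added example; assumes the openssl binary is on PATH."""
import re
import subprocess
import sys
from datetime import datetime, timezone

CRL_PATH = "/etc/openvpn/crl.pem"  # hypothetical; use the path from the crl-verify line in your server conf
WARN_DAYS = 14                     # assumed threshold for the warning


def parse_next_update(openssl_output: str) -> datetime:
    """Parse 'nextUpdate=Jun  2 10:00:00 2024 GMT' (as printed by
    `openssl crl -noout -nextupdate`) into an aware UTC datetime."""
    m = re.search(r"nextUpdate=(.+)", openssl_output)
    if not m:
        raise ValueError("no nextUpdate field in openssl output")
    # openssl pads single-digit days with two spaces; collapse them before strptime
    stamp = " ".join(m.group(1).split())
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def days_left(next_update: datetime, now: datetime) -> float:
    """Days until nextUpdate; negative means the CRL has already lapsed."""
    return (next_update - now).total_seconds() / 86400


def crl_expiry_in_log(lines) -> bool:
    """True if any OpenVPN log line carries the CRL-expired verify error from the post."""
    return any("VERIFY ERROR" in line and "CRL has expired" in line for line in lines)


def read_next_update(path: str) -> datetime:
    out = subprocess.run(["openssl", "crl", "-in", path, "-noout", "-nextupdate"],
                         check=True, capture_output=True, text=True).stdout
    return parse_next_update(out)


if __name__ == "__main__":
    left = days_left(read_next_update(CRL_PATH), datetime.now(timezone.utc))
    if left < 0:
        print(f"CRL lapsed {-left:.1f} days ago: all clients fail verification until it is regenerated")
        sys.exit(2)
    if left < WARN_DAYS:
        print(f"CRL expires in {left:.1f} days: regenerate it now")
        sys.exit(1)
    print(f"CRL valid for {left:.1f} more days")
```

Run it from cron with the exit code routed to your alerting; regenerating the CRL itself is done with whatever CA tooling issued it (easy-rsa's gen-crl, if that is what you use).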