Thursday, August 24, 2017

OpenVPN error CRL has expired

I have webmin and openvpn installed.

After an upgrade to openvpn and openssl I recreated the certificates, and after a bit I got the following error:

error=CRL has expired

I couldn't see how to regenerate the required files in webmin, and on the command line it kept throwing errors. I did not have easy-rsa installed.

There is some guidance on this, e.g. here:

https://forums.openvpn.net/viewtopic.php?t=23166

https://u5r.nl/post/openvpn-crl-has-expired

However, this doesn't help too much. What I did was this: open this file:

/etc/openvpn/openvpn-ssl.cnf

Modify this line to something longer, e.g. 365. This value sets the CRL's nextUpdate date; once that date passes, OpenVPN rejects every client with the error above, so pick a period you will regenerate the CRL well within:

default_crl_days= 30            # how long before next CRL


Add the following details from:

/etc/openvpn/keys/your-server/ca.config

to the top of the openvpn-ssl.cnf file. The config refers to these as $ENV::KEY_DIR and so on; OpenSSL resolves a $ENV:: name from the environment and otherwise falls back to the unnamed default section at the top of the config, which is why pasting the variables in works (exporting them in the shell before running openssl is the alternative):

# This definition stops the following lines choking if HOME isn't
# defined.
HOME            = .
RANDFILE        = $ENV::HOME/.rnd

# From here
CA_NAME='your-server'
CA_EXPIRE='3650'
KEY_SIZE='2048'
KEY_CONFIG='/etc/openvpn/openvpn-ssl.cnf'
KEY_DIR='/etc/openvpn/keys/your-server'
KEY_COUNTRY='AA'
KEY_PROVINCE='Province'
KEY_CITY='City'
KEY_ORG='Org'
KEY_EMAIL='email@gmail.com'

KEY_OU='OU'
KEY_CN='CN'
# To here


Now cd /etc/openvpn and regenerate the CRL (this signs with ca.key, so run it as a user that can read that file):

openssl ca  -gencrl -keyfile keys/your-server/ca.key -cert keys/your-server/ca.crt  -out keys/your-server/crl.pem -config ./openvpn-ssl.cnf

Restart OpenVPN and you should be good to go until the CRL's nextUpdate date (default_crl_days after it was generated) passes, at which point the same error comes back. The CRL also has to be regenerated whenever you revoke a client certificate, so it is worth running the command above from cron well inside the period and checking the nextUpdate date with openssl crl rather than waiting for the VPN to stop accepting connections.
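As an added example that is not part of the original post (and not webmin's or OpenVPN's own code), the following POSIX shell script packages the same procedure so it can run from cron: it regenerates the CRL with an explicit validity period, then uses openssl verify -crl_check to reproduce the exact "CRL has expired" failure at a chosen future date, so you can ask whether the CRL will still be valid in, say, a week before it actually lapses. It assumes the openssl command-line tool (1.1.1 or later, for -attime) is on PATH. The CA, client certificate and minimal openvpn-ssl.cnf it writes are constructed for the demonstration and stand in for the webmin-generated files under /etc/openvpn; the config keeps webmin's dir = $ENV::KEY_DIR style, and the script supplies KEY_DIR through the environment, which is the other way to satisfy the same $ENV:: lookup that the post satisfies by pasting ca.config into the cnf.

```shell
#!/bin/sh
# Added example, not code from the original post or from webmin/OpenVPN.
# Regenerates an OpenVPN CRL with an explicit validity period and checks,
# with openssl verify, whether a client certificate still passes CRL
# validation now and at a future date, reproducing the "CRL has expired"
# failure before it bites. Assumes the openssl CLI (1.1.1 or later, for
# -attime) is on PATH. All paths are arguments; setup_demo_ca builds a
# throwaway CA that is constructed demo data only.
set -eu

# Minimal CA config in the style of webmin's openvpn-ssl.cnf: the key
# directory is taken from $ENV::KEY_DIR, so KEY_DIR must be exported (as
# make_crl does) or defined in the config's default section (as the post does).
write_ca_conf() {   # write_ca_conf CONF_PATH
    cat > "$1" <<'EOF'
[ ca ]
default_ca       = CA_default

[ CA_default ]
dir              = $ENV::KEY_DIR
database         = $dir/index.txt
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_crl_days = 30            # how long before next CRL
EOF
}

# Throwaway CA plus one client certificate (constructed for the demo).
setup_demo_ca() {   # setup_demo_ca KEY_DIR
    mkdir -p "$1"
    : > "$1/index.txt"              # empty CA database: nothing revoked yet
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj /CN=demo-ca \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=demo-client \
        -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$1/client.csr" -CA "$1/ca.crt" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/client.crt" 2>/dev/null
}

# Regenerate the CRL. -crldays on the command line overrides default_crl_days
# from the config, so the validity window is chosen per run.
make_crl() {        # make_crl KEY_DIR CONF DAYS OUT_CRL
    KEY_DIR="$1" openssl ca -batch -gencrl -config "$2" -crldays "$3" \
        -keyfile "$1/ca.key" -cert "$1/ca.crt" -out "$4" 2>/dev/null
}

# Validate CERT against the CA with CRL checking, as OpenVPN's crl-verify
# does. An optional epoch time evaluates the CRL as of that moment, so a cron
# job can ask "will this CRL still be valid N days from now?". Exit status 0
# means valid; an expired CRL makes openssl verify fail with "CRL has expired".
crl_check() {       # crl_check KEY_DIR CRL CERT [EPOCH]
    if [ "$#" -ge 4 ]; then
        openssl verify -crl_check -attime "$4" -CAfile "$1/ca.crt" \
            -CRLfile "$2" "$3" >/dev/null 2>&1
    else
        openssl verify -crl_check -CAfile "$1/ca.crt" \
            -CRLfile "$2" "$3" >/dev/null 2>&1
    fi
}

# End-to-end run on the throwaway CA: a 30-day CRL is fine today and in a
# week, but fails the check 31 days out.
demo() {
    tmp=$(mktemp -d)
    setup_demo_ca "$tmp/keys"
    write_ca_conf "$tmp/openvpn-ssl.cnf"
    make_crl "$tmp/keys" "$tmp/openvpn-ssl.cnf" 30 "$tmp/keys/crl.pem"
    openssl crl -in "$tmp/keys/crl.pem" -noout -lastupdate -nextupdate
    now=$(date +%s)
    for days in 0 7 31; do
        if crl_check "$tmp/keys" "$tmp/keys/crl.pem" "$tmp/keys/client.crt" \
                "$((now + days * 86400))"; then
            echo "in $days days: CRL still valid"
        else
            echo "in $days days: CRL has expired, regenerate it"
        fi
    done
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as sh crl-check.sh demo to see the three checks against the throwaway CA. For the real server, point make_crl and crl_check at /etc/openvpn/keys/your-server and /etc/openvpn/openvpn-ssl.cnf, have cron regenerate the CRL when the look-ahead check fails, and restart OpenVPN as the post does. Because -crldays on the command line overrides default_crl_days, the cnf edit is optional if the cron job always passes the period explicitly.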

