I have Webmin and OpenVPN installed.
After an upgrade to OpenVPN and OpenSSL I recreated the certificates, and after a bit I got the following error:
error=CRL has expired
I couldn't see how to regenerate the required files in Webmin, and on
the command line it kept throwing errors. I did not have easy-rsa installed.
There is some guidance on this, e.g. here:
https://forums.openvpn.net/viewtopic.php?t=23166
https://u5r.nl/post/openvpn-crl-has-expired
However, this doesn't help too much. What I did was open this file:
/etc/openvpn/openvpn-ssl.cnf
Change the value on this line to something longer, e.g. 365:
default_crl_days= 30 # how long before next CRL
Add the following details from:
/etc/openvpn/keys/your-server/ca.config
to the openvpn-ssl.cnf file:
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
# From here
CA_NAME='your-server'
CA_EXPIRE='3650'
KEY_SIZE='2048'
KEY_CONFIG='/etc/openvpn/openvpn-ssl.cnf'
KEY_DIR='/etc/openvpn/keys/your-server'
KEY_COUNTRY='AA'
KEY_PROVINCE='Province'
KEY_CITY='City'
KEY_ORG='Org'
KEY_EMAIL='email@gmail.com'
KEY_OU='OU'
KEY_CN='CN'
# To here
Now cd to /etc/openvpn and run:
openssl ca -gencrl -keyfile keys/your-server/ca.key -cert keys/your-server/ca.crt -out keys/your-server/crl.pem -config ./openvpn-ssl.cnf
Restart OpenVPN and you should be good to go until the default_crl_days period expires.
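Because the regenerated CRL will expire again, a small check that warns before its nextUpdate time can be run from cron. This is an added example, not part of the original post; it assumes GNU date and the openssl CLI, and the function names and the 14-day default threshold are hypothetical.

```shell
#!/bin/sh
# Added example: warn before the OpenVPN CRL reaches its nextUpdate time.
# Assumes GNU date (for `date -d`) and the openssl CLI.

# Convert a "nextUpdate=Jan  1 00:00:00 2030 GMT" line to epoch seconds.
crl_next_epoch() {
    date -u -d "${1#nextUpdate=}" +%s
}

# Whole days between NOW (epoch seconds) and the CRL's nextUpdate.
# $1 = nextUpdate line, $2 = now (epoch)
crl_days_left() {
    next=$(crl_next_epoch "$1") || return 2
    echo $(( (next - $2) / 86400 ))
}

# Print EXPIRED, WARN or OK for a nextUpdate line.
# $1 = nextUpdate line, $2 = now (epoch), $3 = warning threshold in days
crl_status() {
    next=$(crl_next_epoch "$1") || return 2
    if [ "$next" -le "$2" ]; then
        echo EXPIRED
    elif [ $(( next - $2 )) -le $(( $3 * 86400 )) ]; then
        echo WARN
    else
        echo OK
    fi
}

# Read the real CRL and report; exit status is non-zero unless OK (for cron).
# $1 = path to crl.pem, $2 = optional warning threshold in days
check_crl_file() {
    line=$(openssl crl -in "$1" -noout -nextupdate) || return 2
    now=$(date +%s)
    status=$(crl_status "$line" "$now" "${2:-14}") || return 2
    echo "$status: $1 $line ($(crl_days_left "$line" "$now") days left)"
    [ "$status" = OK ]
}

# Usage: sh crl-check.sh /etc/openvpn/keys/your-server/crl.pem [warn_days]
if [ "$#" -gt 0 ]; then
    check_crl_file "$@"
fi
```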
Very useful, thanks!!!