OpenVPN - Renew CRL

  • In the last few days I've lost the ability to connect to my OMV (4.1.20-1) through OpenVPN (4.0.3)... and I didn't understand why, so I went looking for the log and ...


    -------------------------------------------------------------------------------------------------------------------------------
    Tue Mar 26 00:00:35 2019 XXX.63.25.XXX:61921 VERIFY ERROR: depth=0, error=CRL has expired: CN=...
    -------------------------------------------------------------------------------------------------------------------------------


    Checking the certificate with: "openssl crl -in /etc/openvpn/pki/crl.pem -text" I get:


    --------------------------------------------------------------------------
    Certificate Revocation List (CRL):
            Version 2 (0x1)
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: /CN=ChangeMe
            Last Update: Sep 16 10:43:52 2018 GMT
            Next Update: Mar 15 10:43:52 2019 GMT
            CRL extensions:
                X509v3 Authority Key Identifier:
    --------------------------------------------------------------------------


    My question is, what is the procedure to renew the certificate in OMV?

  • Solved... not by renewing, but it worked...


    1. Remove plugin openvpn
    2. delete the directory "/etc/openvpn/"
    3. install plugin openvpn
    4. configure plugin


    and it should work again...

  • I found a way to renew the crl.pem without reinstalling the plugin.


    cd /etc/openvpn
    /opt/EasyRSA-3.0.3/easyrsa gen-crl  # Note: the EasyRSA folder may vary between versions
    service openvpn restart
  • This worked for me too!


    I noticed /opt/EasyRSA-3.0.3/openssl-1.0.cnf holds the following variables:


    default_days = $ENV::EASYRSA_CERT_EXPIRE # how long to certify for
    default_crl_days= $ENV::EASYRSA_CRL_DAYS # how long before next CRL


    Does anyone know where to access/change these variables?

  • I used the following steps:


    export EASYRSA_CERT_EXPIRE=3650
    export EASYRSA_CRL_DAYS=3650
    cd /etc/openvpn/
    sudo -E /opt/EasyRSA-3.0.3/easyrsa gen-crl
    sudo service openvpn restart


    Use the following command to check whether this was successful (check the "Next Update" date):


    sudo openssl crl -in /etc/openvpn/pki/crl.pem -text
  • I logged in to thank you, karlkarlsen123, for posting your simple and elegant solution, as no conf file needed to be edited etc.

    I was abroad and after a specific date I realised I could not reconnect from my MacBook to my home OMV and got puzzled as to what had happened... Client-side I was getting the error "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)", but eventually the official page didn't offer much help with my situation.


    The error registered in openvpn.log was found later to be:

    Tue Sep 01 22:29:52 2020 X.X.X.X:49638 VERIFY ERROR: depth=0, error=CRL has expired: CN=Konsti
    Tue Sep 01 22:29:52 2020 X.X.X.X:49638 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
    Tue Sep 01 22:29:52 2020 X.X.X.X:49638 TLS_ERROR: BIO read tls_read_plaintext error
    Tue Sep 01 22:29:52 2020 X.X.X.X:49638 TLS Error: TLS object -> incoming plaintext read error
    Tue Sep 01 22:29:52 2020 X.X.X.X:49638 TLS Error: TLS handshake failed

    Your post helped me resolve the issue, many warm thanks!

    I used the following steps:

    export EASYRSA_CERT_EXPIRE=3650
    export EASYRSA_CRL_DAYS=3650
    cd /etc/openvpn/
    sudo -E /opt/EasyRSA-3.0.3/easyrsa gen-crl
    sudo service openvpn restart


    Use the following command to check whether this was successful (check the "Next Update" date):

    sudo openssl crl -in /etc/openvpn/pki/crl.pem -text

    Your solution worked and I could now reconnect just fine with Tunnelblick on macOS.


    Finally, I would strongly advise anyone installing a fresh OpenVPN client to do this 10-year regeneration of the certificate right away, before deploying to VPN clients, to avoid unpleasant surprises 6 months later...

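A monitoring check for exactly this failure mode, added here and not taken from the thread or from the openmediavault plugin: it parses the "Next Update" line of `openssl crl -text` output and flags a CRL that has expired or is about to, and it picks the "CRL has expired" rejections out of openvpn.log so the server side can be spotted before users report TLS timeouts. The CRL text and log lines are constructed samples based on what is quoted in the thread.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the shape of `openssl crl -in /etc/openvpn/pki/crl.pem -text`.
SAMPLE_CRL_TEXT = """Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: /CN=ChangeMe
        Last Update: Sep 16 10:43:52 2018 GMT
        Next Update: Mar 15 10:43:52 2019 GMT
"""

# Constructed sample openvpn.log lines (CN and masked address as quoted in the thread).
SAMPLE_LOG = [
    "Tue Sep 01 22:29:52 2020 X.X.X.X:49638 VERIFY ERROR: depth=0, error=CRL has expired: CN=Konsti",
    "Tue Sep 01 22:29:52 2020 X.X.X.X:49638 TLS Error: TLS handshake failed",
]

OPENSSL_TIME = "%b %d %H:%M:%S %Y %Z"  # e.g. "Mar 15 10:43:52 2019 GMT"
CRL_EXPIRED_LOG = re.compile(r"VERIFY ERROR: depth=\d+, error=CRL has expired: CN=(.+)$")


def utc(*ymdhms):
    """Aware UTC datetime from (year, month, day[, hour, minute, second])."""
    return datetime(*ymdhms, tzinfo=timezone.utc)


def parse_next_update(crl_text):
    """Return the CRL's 'Next Update' as an aware UTC datetime, or None if it has none."""
    m = re.search(r"Next Update:\s*(.+)", crl_text)
    if not m or m.group(1).strip() == "NONE":
        return None
    raw = " ".join(m.group(1).split())  # openssl pads single-digit days ("Mar  5")
    return datetime.strptime(raw, OPENSSL_TIME).replace(tzinfo=timezone.utc)


def crl_status(crl_text, now=None, warn_days=30):
    """Classify a CRL as 'expired', 'expiring' (within warn_days) or 'ok'.
    Returns (status, days_remaining); a CRL without Next Update never expires."""
    next_update = parse_next_update(crl_text)
    if next_update is None:
        return "ok", None
    now = now or datetime.now(timezone.utc)
    remaining = (next_update - now).total_seconds() / 86400
    if remaining < 0:
        return "expired", remaining
    return ("expiring" if remaining < warn_days else "ok"), remaining


def clients_rejected_for_expired_crl(log_lines):
    """CNs whose handshakes the server rejected because its own CRL had expired."""
    return [m.group(1).strip() for line in log_lines if (m := CRL_EXPIRED_LOG.search(line))]
```

Run `crl_status` against the live `openssl crl -text` output from a cron job and alert on "expiring" well before the `Next Update` date; with the 3650-day CRL from the steps above the warning would only fire ten years out.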

  • Hi tinh_x7, not sure if you found a solution. Here's my settings screen for your visual assistance.

    At the bottom where it says "Public address" I have entered my registered DuckDNS.org dynamic domain.

