OpenVPN - Renew CRL

  • In the last days I've lost the ability to connect to my OMV (4.1.20-1) through OpenVPN (4.0.3)... and I didn't understand why, so I went looking for the log and ...


    -------------------------------------------------------------------------------------------------------------------------------
    Tue Mar 26 00:00:35 2019 XXX.63.25.XXX:61921 VERIFY ERROR: depth=0, error=CRL has expired: CN=...
    -------------------------------------------------------------------------------------------------------------------------------


    Checking the certificate with: "openssl crl -in /etc/openvpn/pki/crl.pem -text" I get:


    --------------------------------------------------------------------------
    Certificate Revocation List (CRL):
    Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: /CN=ChangeMe
    Last Update: Sep 16 10:43:52 2018 GMT
    Next Update: Mar 15 10:43:52 2019 GMT
    CRL extensions:
    X509v3 Authority Key Identifier:
    --------------------------------------------------------------------------


    My question is, what is the procedure to renew the certificate in OMV?

  • I found a way to renew the crl.pem without reinstalling the plugin.


    Bash
    cd /etc/openvpn
    /opt/EasyRSA-3.0.3/easyrsa gen-crl #Note: EasyRSA folder may vary between versions
    service openvpn restart
  • This worked for me too!


    I noticed /opt/EasyRSA-3.0.3/openssl-1.0.cnf holds the following variables:


    default_days = $ENV::EASYRSA_CERT_EXPIRE # how long to certify for
    default_crl_days= $ENV::EASYRSA_CRL_DAYS # how long before next CRL


    Does anyone know where to access/change these variables?

  • I used the following steps:


    Bash
    export EASYRSA_CERT_EXPIRE=3650
    export EASYRSA_CRL_DAYS=3650
    cd /etc/openvpn/
    sudo -E /opt/EasyRSA-3.0.3/easyrsa gen-crl
    sudo service openvpn restart


    Use the following command to check whether this was successful (check the "Next Update" date):



    Bash
    sudo openssl crl -in /etc/openvpn/pki/crl.pem -text
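
Added example, not part of any post in this thread: a check that reads the CRL's "Next Update" field and reports how many days remain, so `easyrsa gen-crl` can be run before OpenVPN starts rejecting clients with "CRL has expired". The 14-day threshold, the `check` argument and the script name `crl-check.sh` are assumptions, and the date parsing relies on GNU `date` (as shipped with Debian-based OMV).

```shell
#!/usr/bin/env bash
# Added example: report how long the OpenVPN CRL has before "Next Update".
CRL_PATH="/etc/openvpn/pki/crl.pem"  # path used in the thread
WARN_DAYS="${WARN_DAYS:-14}"         # assumed warning threshold, in days

# Print the CRL's nextUpdate field, e.g. "Mar 15 10:43:52 2019 GMT".
crl_next_update() {
    openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//'
}

# seconds_until "<date>" [now_epoch]: seconds from now until <date>.
# Relies on GNU date -d; an empty date is rejected, since GNU date would
# read it as "today".
seconds_until() {
    local next now
    [ -n "$1" ] || return 1
    next=$(date -u -d "$1" +%s 2>/dev/null) || return 1
    now=${2:-$(date -u +%s)}
    echo $(( next - now ))
}

# crl_status "<date>" [now_epoch]: prints a status line.
# Exit code: 0 OK, 1 expiring soon, 2 expired, 3 unreadable.
crl_status() {
    local secs
    secs=$(seconds_until "$1" "${2:-}") || { echo "UNKNOWN no usable nextUpdate"; return 3; }
    if [ "$secs" -le 0 ]; then
        echo "EXPIRED $(( (0 - secs) / 86400 )) days ago"; return 2
    elif [ "$secs" -lt $(( WARN_DAYS * 86400 )) ]; then
        echo "WARN $(( secs / 86400 )) days left"; return 1
    fi
    echo "OK $(( secs / 86400 )) days left"
}

# Run as: crl-check.sh check [path-to-crl.pem]   (hypothetical script name)
if [ "${1:-}" = "check" ]; then
    crl_status "$(crl_next_update "${2:-$CRL_PATH}")"
fi
```

The non-zero exit codes let a cron job or monitoring agent alert on WARN and EXPIRED without parsing the output.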
