Hi,

On Thu, Feb 23, 2023 at 04:10:08PM +0100, Bo Berglund wrote:
> 217.31.190.108:63723 TLS: Initial packet from [AF_INET]217.31.190.108:63723, sid=863c9ad5 e9b05ce9
> 217.31.190.108:63723 VERIFY ERROR: depth=0, error=CRL has expired: C=US, ST=TX, L=Austin, O=Companyname, OU=IT, CN=BosseB_AGI, name=BosseB_AGI, emailAddress=***
> 217.31.190.108:63723 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

It's not actually the client cert that has expired (OpenVPN on the
client would log a warning in this case, and the other server would
also not accept the client) but the *CRL*.

A CRL is a list of revoked clients, and the CRL itself has a "valid until"
date, so systems are not relying on stale information (= because a 
CRL publishing pipeline failed silently).

Unless you actually use a CRL to revoke client certs just remove
all references to the CRL from your server config :-) - but if you
use the CRL, you need to find out where it is (re-)created and
make sure this happens often enough to avoid expiry.

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
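Gert's advice comes down to two checks: find the CRL's "Next Update" date, and make sure whatever regenerates the CRL runs before that date passes. The shell script below is an added example and is not from this thread or from OpenVPN's or easy-rsa's own tooling. It builds a throwaway demo CA with plain openssl (all paths, names and the one-day CRL lifetime are constructed for the demo), reads the CRL's nextUpdate, and flags the CRL when it will expire within a given window, which is the check a cron job on the server could run before clients start seeing "CRL has expired".

```shell
#!/bin/sh
# Added example (not from the thread): check when a CRL stops being valid,
# the way a cron job on the OpenVPN server could before clients get
# "CRL has expired". Only openssl, date and sed are used.

set -e

# Print the CRL's nextUpdate field as Unix epoch seconds.
# openssl prints e.g. "nextUpdate=Feb 24 15:10:08 2023 GMT".
crl_next_update_epoch() {
    next=$(openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//')
    # GNU date first; the BSD/macOS form as a fallback
    date -u -d "$next" +%s 2>/dev/null \
        || date -u -j -f "%b %e %H:%M:%S %Y %Z" "$next" +%s
}

# Return 0 (true) if the CRL expires within $2 seconds from now.
# An expired CRL makes the server reject every client, not just revoked ones.
crl_expires_within() {
    deadline=$(( $(date -u +%s) + $2 ))
    [ "$(crl_next_update_epoch "$1")" -le "$deadline" ]
}

# Build a throwaway CA in $1 and issue a CRL valid for one day (constructed
# demo data; a real server would point crl-verify at its own CRL file).
make_demo_ca() {
    dir=$1
    mkdir -p "$dir"
    : > "$dir/index.txt"
    echo 01 > "$dir/crlnumber"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database    = $dir/index.txt
crlnumber   = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md  = sha256
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = demo-ca
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=demo-ca" \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # This is the step that has to be re-run periodically (here: daily)
    openssl ca -config "$dir/ca.cnf" -gencrl -crldays 1 -out "$dir/crl.pem" 2>/dev/null
}

# Stand-alone demo: issue a one-day CRL and check it against a two-day window
demo_dir=$(mktemp -d)
make_demo_ca "$demo_dir"
openssl crl -in "$demo_dir/crl.pem" -noout -lastupdate -nextupdate
if crl_expires_within "$demo_dir/crl.pem" $((2 * 86400)); then
    echo "WARNING: CRL expires within 2 days; rerun 'openssl ca -gencrl' and redeploy"
fi
rm -rf "$demo_dir"
```

On a real server you would point `crl_expires_within` at the file named by the `crl-verify` directive and choose a window comfortably longer than the interval at which your CRL is regenerated, so a silently failed regeneration is noticed while the old CRL is still accepted.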


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
