Hi,

On Thu, Feb 23, 2023 at 04:10:08PM +0100, Bo Berglund wrote:
> 217.31.190.108:63723 TLS: Initial packet from [AF_INET]217.31.190.108:63723, sid=863c9ad5 e9b05ce9
> 217.31.190.108:63723 VERIFY ERROR: depth=0, error=CRL has expired: C=US, ST=TX, L=Austin, O=Companyname, OU=IT, CN=BosseB_AGI, name=BosseB_AGI, emailAddress=***
> 217.31.190.108:63723 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
It's not actually the client cert that has expired (OpenVPN on the client would log a warning in this case, and the other server would also not accept the client) but the *CRL*.

A CRL is a list of revoked clients, and the CRL itself has a "valid until" date, so systems are not relying on stale information (= because a CRL publishing pipeline failed silently).

Unless you actually use a CRL to revoke client certs, just remove all references to the CRL from your server config :-) - but if you use the CRL, you need to find out where it is (re-)created and make sure this happens often enough to avoid expiry.

gert
-- 
"If was one thing all people took for granted, was conviction that if you
 feed honest figures into a computer, honest figures come out. Never doubted
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
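As an added example (not part of Gert's reply or of OpenVPN's own code): a small standard-library Python check that reads the nextUpdate field of the CRL a server loads via crl-verify and reports how long it stays valid, so an expired CRL is noticed before OpenVPN starts rejecting clients with the "CRL has expired" error quoted above. The DER walk is hand-written so no third-party ASN.1 library is needed; the sample CRL at the bottom is constructed and unsigned, not issued by any real CA.

```python
import base64
import datetime
import re

def der_decode(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, end); handles long-form lengths."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                    # long form: low 7 bits = number of length bytes
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def der_encode(tag, body):
    """Short-form DER TLV, enough for the small constructed sample below."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def parse_asn1_time(tag, val):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ) -> aware datetime."""
    s = val.decode("ascii")
    if tag == 0x17:                                  # RFC 5280 two-digit years: 50-99 -> 19xx, 00-49 -> 20xx
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=datetime.timezone.utc)

def crl_next_update(crl):
    """nextUpdate of a PEM or DER X.509 CRL as an aware datetime, or None if the CRL omits it."""
    if crl.lstrip().startswith(b"-----BEGIN"):
        crl = base64.b64decode(re.sub(rb"-----[^-]*-----", b"", crl))
    _, cert_list, _ = der_decode(crl, 0)             # CertificateList ::= SEQUENCE
    _, tbs, _ = der_decode(cert_list, 0)             # tbsCertList ::= SEQUENCE
    tag, _, pos = der_decode(tbs, 0)                 # optional version INTEGER, otherwise signature
    if tag == 0x02:
        _, _, pos = der_decode(tbs, pos)             # signature AlgorithmIdentifier
    _, _, pos = der_decode(tbs, pos)                 # issuer Name
    _, _, pos = der_decode(tbs, pos)                 # thisUpdate
    if pos >= len(tbs): return None
    tag, val, _ = der_decode(tbs, pos)               # nextUpdate, or revokedCertificates / extensions
    return parse_asn1_time(tag, val) if tag in (0x17, 0x18) else None

def crl_seconds_left(crl, now_iso):
    """Seconds until nextUpdate at the ISO-8601 instant now_iso; negative means 'CRL has expired'."""
    nu = crl_next_update(crl)
    return None if nu is None else (nu - datetime.datetime.fromisoformat(now_iso)).total_seconds()

# Constructed, unsigned sample CRL (no real CA behind it): issued 2023-02-01, nextUpdate 2023-02-15.
SIG_ALG = der_encode(0x30, der_encode(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + b"\x05\x00")
ISSUER = der_encode(0x30, der_encode(0x31, der_encode(0x30, der_encode(0x06, b"\x55\x04\x03") + der_encode(0x0c, b"Sample CA"))))
SAMPLE_TBS = der_encode(0x30, b"\x02\x01\x01" + SIG_ALG + ISSUER + der_encode(0x17, b"230201000000Z") + der_encode(0x17, b"230215000000Z"))
SAMPLE_CRL = der_encode(0x30, SAMPLE_TBS + SIG_ALG + der_encode(0x03, b"\x00" * 9))
SAMPLE_PEM = b"-----BEGIN X509 CRL-----\n" + base64.encodebytes(SAMPLE_CRL) + b"-----END X509 CRL-----\n"
```

Pointing crl_next_update at the file named in the server's crl-verify line and alerting when crl_seconds_left drops below the CRL regeneration interval catches the silent pipeline failure Gert describes; a CRL with no nextUpdate at all returns None and never expires on the server side.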
_______________________________________________ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users