Hi, On Thu, Feb 23, 2023 at 04:10:08PM +0100, Bo Berglund wrote: > 217.31.190.108:63723 TLS: Initial packet from [AF_INET]217.31.190.108:63723, > sid=863c9ad5 e9b05ce9 > 217.31.190.108:63723 VERIFY ERROR: depth=0, error=CRL has expired: C=US, > ST=TX, > L=Austin, O=Companyname, OU=IT, CN=BosseB_AGI, name=BosseB_AGI, > emailAddress=*** > 217.31.190.108:63723 OpenSSL: error:1417C086:SSL > routines:tls_process_client_certificate:certificate verify failed
It's not actually the client cert that has expired (OpenVPN on the
client would log a warning in this case, and the other server would
also not accept the client) but the *CRL*.
A CRL is a list of revoked clients, and the CRL itself has a "valid until"
date, so systems are not relying on stale information (= because a
CRL publishing pipeline failed silently).
Unless you actually use a CRL to revoke client certs just remove
all references to the CRL from your server config :-) - but if you
use the CRL, you need to find out where it is (re-)created and
make sure this happens often enough to avoid expiry.
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany g...@greenie.muc.de
signature.asc
Description: PGP signature
_______________________________________________ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
