On Thu, 23 Feb 2023 15:36:48 +0000, tincantech via Openvpn-users
<openvpn-users@lists.sourceforge.net> wrote:

>
>Hi,
>
>------- Original Message -------
>On Thursday, February 23rd, 2023 at 15:10, Bo Berglund <bo.bergl...@gmail.com> wrote:
>
>
>> When I first try (and fail) to connect then go in via the other server to read
>> the log I find this:
>> 
>> 217.31.190.108:63723 TLS: Initial packet from [AF_INET]217.31.190.108:63723, sid=863c9ad5 e9b05ce9
>> 217.31.190.108:63723 VERIFY ERROR: depth=0, error=CRL has expired: C=US, ST=TX, L=Austin, O=Companyname, OU=IT, CN=BosseB_AGI, name=BosseB_AGI, emailAddress=***
>
>Your CRL (certificate revocation list) has expired.
>
>If you use Easy-rsa (https://github.com/OpenVPN/easy-rsa) then you can build a
>new CRL with:
>
>    easyrsa gen-crl
>
>This builds a new CRL which is valid for 180 days. You can configure the
>validity period with option --days:
>
>    easyrsa --days=365 gen-crl
>
>You can also get advanced warning of expiring certificates with:
>
>    easyrsa show-expire
>
>The default is 90 days but that can also be configured via option --days.
>
>Hope that helps.
>

Most definitely! Thank you very much!

Some time ago (Jan 22, 2023) I added the crl handling to the server to lock out
logins of people that have stopped working here. That part worked fine.
But I had no idea that this was a time limited block and that after a month
*everyone* would be locked out even if they were not added to the list.

I have now commented out the crl line on the two server conf files and restarted
both services and now connection is working again!

Meanwhile I checked my server certs and they expire in 2027, so this was not
really an expiration issue at all!

Questions:

Can I extend the expiration time of my server and the clients too before actual
expiration such that this will not happen on Oct 24, 2027?


-- 
Bo Berglund
Developer in Sweden
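
The failure discussed in this thread ("CRL has expired") can be caught ahead of time by reading the CRL's nextUpdate field. The script below is an added example, not part of the original messages or of Easy-RSA; the function names, the WARN_DAYS threshold and the use of GNU `date -d` are assumptions.

```shell
#!/bin/sh
# Added example: report how close a CRL is to its nextUpdate time, the
# point after which OpenVPN rejects every client with "CRL has expired".
# WARN_DAYS is a hypothetical threshold; regenerate the CRL before it hits.
WARN_DAYS=${WARN_DAYS:-14}

# crl_status "<nextUpdate line>" [now_epoch]
# Input is the line printed by `openssl crl -noout -nextupdate`, e.g.
#   nextUpdate=Mar  1 12:00:00 2023 GMT
# Prints "EXPIRED", "WARN <days>" or "OK <days>".
crl_status() {
    next=${1#nextUpdate=}                       # strip the openssl prefix
    now=${2:-$(date -u +%s)}                    # injectable clock for testing
    end=$(date -u -d "$next" +%s) || return 2   # GNU date parses this format
    left=$(( end - now ))
    if [ "$left" -le 0 ]; then
        echo "EXPIRED"
    elif [ "$left" -lt $(( WARN_DAYS * 86400 )) ]; then
        echo "WARN $(( left / 86400 ))"
    else
        echo "OK $(( left / 86400 ))"
    fi
}

# check_crl <path-to-crl.pem>
# Reads nextUpdate from the CRL file the server's crl-verify line points at.
check_crl() {
    line=$(openssl crl -in "$1" -noout -nextupdate) || return 2
    crl_status "$line"
}

# Run from cron with the CRL path as the only argument.
if [ "$#" -gt 0 ]; then
    check_crl "$1"
fi
```

Run it daily against the same file the server configuration references, and alert on anything other than `OK`.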


