On 23/02/2023 17:43, Bo Berglund wrote:
> On Thu, 23 Feb 2023 15:36:48 +0000, tincantech via Openvpn-users
> <openvpn-users@lists.sourceforge.net> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> Hi,
>>
>> ------- Original Message -------
>> On Thursday, February 23rd, 2023 at 15:10, Bo Berglund <bo.bergl...@gmail.com> wrote:
>>
>>> When I first try (and fail) to connect then go in via the other server to read
>>> the log I find this:
>>>
>>> 217.31.190.108:63723 TLS: Initial packet from [AF_INET]217.31.190.108:63723, sid=863c9ad5 e9b05ce9
>>> 217.31.190.108:63723 VERIFY ERROR: depth=0, error=CRL has expired: C=US, ST=TX, L=Austin, O=Companyname, OU=IT, CN=BosseB_AGI, name=BosseB_AGI, emailAddress=***
>>
>> Your CRL (certificate revocation list) has expired.
>>
>> If you use Easy-rsa (https://github.com/OpenVPN/easy-rsa) then you can build a new CRL with:
>>
>>     easyrsa gen-crl
>>
>> This builds a new CRL which is valid for 180 days. You can configure the validity period with option --days:
>>
>>     easyrsa --days=365 gen-crl
>>
>> You can also get advanced warning of expiring certificates with:
>>
>>     easyrsa show-expire
>>
>> The default is 90 days but that can also be configured via option --days.
>>
>> Hope that helps.


> Most definitely! Thank you very much!
>
> Some time ago (Jan 22, 2023) I added the crl handling to the server to lock out
> logins of people that have stopped working here. That part worked fine.
> But I had no idea that this was a time limited block and that after a month
> *everyone* would be locked out even if they were not added to the list.
>
> I have now commented out the crl line on the two server conf files and restarted
> both services and now connection is working again!

You can consider alternative approaches. The --crl-verify can be pointed at a directory instead, and then give the keyword 'dir' as the second argument. Then you can create an empty file in that directory with the serial number of the certificate which was revoked.

Or you can use --client-config-dir together with --ccd-exclusive. Only clients which have a file in the --client-config-dir directory with the same name as an escaped certificate CN value will be allowed to connect. If the certificate has "CN = John Doe", the filename would need to be "John_Doe".

You can also explicitly disable clients this way with client-config-dir by adding the option "disable" inside such a CCD config file.

Then you have a few possibilities via the --tls-verify and --client-connect script hooks as well.


> Meanwhile I checked my server certs and they expire in 2027, so this was not
> really an expiration issue at all!
>
> Questions:
>
> Can I extend the expiration time of my server and the clients too before actual
> expiration such that this will not happen on Oct 24, 2027?

Yes, you can issue new certificates using *the same* private and public keys (essentially re-using the CSR). This will issue a new certificate with a new expiry date. Since the certificate and CA are the same, it just works as before.


--
kind regards,

David Sommerseth
OpenVPN Inc
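The two alternatives to a CRL file that David describes above (a `--crl-verify <dir> dir` directory of serial-number files, and `--client-config-dir` with `--ccd-exclusive` and the `disable` keyword) as a small set of POSIX sh helpers. This is an added example, not code from the thread or from the OpenVPN or Easy-RSA projects. The directory paths in the demo are hypothetical; the CN escaping rule beyond the space-to-underscore case shown in the thread is an assumption and should be checked against the CN the server logs for a real client.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OpenVPN project.
# Helpers for the two alternatives to a CRL file described in the thread:
#   1. --crl-verify <dir> dir : a directory of empty files named after the
#      decimal serial numbers of revoked certificates;
#   2. --client-config-dir <dir> with --ccd-exclusive : only clients with a
#      CCD file named after their escaped CN may connect, and a file
#      containing "disable" refuses that client explicitly.
# Directory paths are hypothetical; point them at a scratch copy first.
set -eu

# Map a certificate CN to its CCD file name. The thread shows the space case
# ("John Doe" -> "John_Doe"); treating every other character outside
# [A-Za-z0-9_.@:-] as unsafe and replacing it with '_' is an assumption here,
# so compare the result with the CN the server log prints before relying on it.
ccd_name_for_cn() {
    printf '%s' "$1" | tr -c 'A-Za-z0-9_.@:-' '_'
}

# Create or update the CCD file for a CN. state is "allow" (empty file, so the
# client passes --ccd-exclusive) or "disable" (OpenVPN refuses the client).
# Prints the path of the file written.
ccd_set_client() {
    ccd_dir=$1; cn=$2; state=$3
    mkdir -p "$ccd_dir"
    ccd_file="$ccd_dir/$(ccd_name_for_cn "$cn")"
    case $state in
        allow)   : > "$ccd_file" ;;
        disable) printf 'disable\n' > "$ccd_file" ;;
        *) echo "ccd_set_client: state must be allow or disable" >&2; return 2 ;;
    esac
    printf '%s\n' "$ccd_file"
}

# Revoke a certificate in "--crl-verify <dir> dir" mode: OpenVPN rejects a
# client whose certificate serial, as a decimal string, names a file in the
# directory. The file's contents are never read, so an empty file suffices.
# The decimal serial is what the tls_serial_{n} environment variable carries
# in the --tls-verify and --client-connect hooks mentioned in the thread.
revoke_serial() {
    crl_dir=$1; serial=$2
    case $serial in
        ''|*[!0-9]*)
            echo "revoke_serial: serial must be a decimal string, got '$serial'" >&2
            return 2 ;;
    esac
    mkdir -p "$crl_dir"
    : > "$crl_dir/$serial"
    printf '%s\n' "$crl_dir/$serial"
}

# Report when a CRL file stops being accepted (the "CRL has expired" error in
# the thread). Requires the openssl CLI; prints a line such as
# "nextUpdate=Aug 22 12:00:00 2023 GMT".
crl_next_update() {
    openssl crl -in "$1" -noout -nextupdate
}

# Usage demo with hypothetical paths: sh this_script.sh demo
if [ "${1:-}" = demo ]; then
    ccd_set_client /etc/openvpn/ccd 'John Doe' disable
    revoke_serial /etc/openvpn/revoked 12345
    crl_next_update /etc/openvpn/crl.pem
fi
```

Neither the serial directory nor the CCD directory has a validity period, which is the property Bo was missing: an expired CRL rejects every client, whereas a missing file here only affects the one client it would have named. Pairing `crl_next_update` with a cron job is the simplest guard if the CRL file approach is kept.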




_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
