As was discussed in the thread "How to check if OpenVPN server is working properly?",
in a reply by tincantech:

> Your CRL (certificate revocation list) has expired.
>
> If you use Easy-rsa (https://github.com/OpenVPN/easy-rsa) then you can build a
> new CRL with:
>
>     easyrsa gen-crl
>
> This builds a new CRL which is valid for 180 days. You can configure the
> validity period with option --days:
>
>     easyrsa --days=365 gen-crl
>
> You can also get advanced warning of expiring certificates with:
>
>     easyrsa show-expire
>
> The default is 90 days but that can also be configured via option --days

So my recent total lockdown of user logins to my OpenVPN server was due to some
kind of timeout (after 30 days or so) for the CRL checking by the server when a
login request arrives. No logins were accepted at all...

I had used the easy-rsa2 command:

    revoke-full <CN of login user>

in order to create the CRL file, which I then copied to the server directory
and added this line to the service conf file:

    crl-verify path-to/crl.pem

It appeared to work fine, except that after a month no-one could log in
anymore. After I commented out the server.conf line and restarted the service
all was working again, but now without the ban on the selected logins...

When I tried to figure out where the CRL expiration is set, I failed to find
the proper command using easy-rsa2. The easy-rsa2 script revoke-full has this
where the actual file creation is done:

    CRL="crl.pem"
    RT="revoke-test.pem"
    ...
    # revoke key and generate a new CRL
    $OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG"

    # generate a new CRL -- try to be compatible with
    # intermediate PKIs
    $OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
    if [ -e export-ca.crt ]; then
        cat export-ca.crt "$CRL" >"$RT"
    else
        cat ca.crt "$CRL" >"$RT"
    fi
    ...

In fact the timeout seems not to be mentioned in the OpenVPN documentation:
https://openvpn.net/community-resources/revoking-certificates/

And I cannot find an expiration in the OpenVPN server.conf file either.

Is it only possible using easy-rsa3?
Or can I use openssl somehow?

And why is there an expiration of the CRL file to begin with? In my view the
banned logins should be forever banned, and expiration of other logins
controlled by their individual validity...

-- 
Bo Berglund
Developer in Sweden

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
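As an added example that is not part of the post, easy-rsa or OpenVPN: the lifetime of a CRL made by `openssl ca -gencrl` (the step revoke-full runs) comes from `default_crl_days` in the CA config it is given via `-config`, unless `-crldays` is passed on the command line, and `openssl crl -nextupdate` shows when an existing CRL stops being accepted. The script builds a throwaway CA in a temp directory and assumes `openssl` and GNU `date` are on PATH; every path, name and value in it is constructed for the demo.

```shell
# Added example (not from the post or from easy-rsa): build a throwaway CA with
# plain openssl and show where the 30-day CRL lifetime comes from. Assumes
# openssl and GNU date on PATH; all paths and names below are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
: >"$WORK/index.txt"    # empty CA database: nothing revoked yet
CFG="$WORK/ca.cnf"
cat >"$CFG" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $WORK/index.txt
new_certs_dir = $WORK
certificate = $WORK/ca.crt
private_key = $WORK/ca.key
default_md = sha256
default_crl_days = 30    # used by 'ca -gencrl' when no -crldays is given
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
openssl req -config "$CFG" -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=Demo CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
# gen_crl OUT [DAYS]: the easy-rsa2 '$OPENSSL ca -gencrl' step, optionally with
# an explicit lifetime; without DAYS the config's default_crl_days applies.
gen_crl() {
  if [ -n "$2" ]; then
    openssl ca -config "$CFG" -gencrl -crldays "$2" -out "$1" 2>/dev/null
  else
    openssl ca -config "$CFG" -gencrl -out "$1" 2>/dev/null
  fi
}

# crl_validity_days CRL: nextUpdate minus lastUpdate, in whole days.
crl_validity_days() {
  last=$(openssl crl -in "$1" -noout -lastupdate | cut -d= -f2)
  next=$(openssl crl -in "$1" -noout -nextupdate | cut -d= -f2)
  echo $(( ( $(date -u -d "$next" +%s) - $(date -u -d "$last" +%s) ) / 86400 ))
}

# crl_seconds_left CRL: seconds until crl-verify rejects every client (<0: expired).
crl_seconds_left() {
  next=$(openssl crl -in "$1" -noout -nextupdate | cut -d= -f2)
  echo $(( $(date -u -d "$next" +%s) - $(date -u +%s) ))
}
gen_crl "$WORK/crl-default.pem"       # lifetime taken from default_crl_days
gen_crl "$WORK/crl-365.pem" 365       # lifetime overridden on the command line
echo "default_crl_days: $(crl_validity_days "$WORK/crl-default.pem") days"
echo "-crldays 365:     $(crl_validity_days "$WORK/crl-365.pem") days"
```

Run `crl_seconds_left` against the crl.pem an OpenVPN server actually loads to see how much time is left before every client is rejected; with an easy-rsa2 PKI, the matching setting to change is `default_crl_days` in the openssl config file that `$KEY_CONFIG` points at.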