Hi,

------- Original Message -------
On Friday, February 24th, 2023 at 22:11, Bo Berglund <bo.bergl...@gmail.com> wrote:

> On Fri, 24 Feb 2023 11:05:57 +0100, Gert Doering g...@greenie.muc.de wrote:
>
> > Hi,
> >
> > On Fri, Feb 24, 2023 at 10:58:06AM +0100, Bo Berglund wrote:
> >
> > > And why is there an expiration of the crl file to begin with?
> >
> > I explained that, but that mail seems to have been lost - it's because
> > the assumption of the security folks (outside OpenVPN control) is that
> > if you have a CRL, you want that CRL to be up-to-date at all times.
> >
> > The assumption is "if something in the CRL producing process fails, and
> > no new CRL can be generated, better assume that everything should be
> > disallowed than let someone unauthorized in".
>
> So that would mean that I have to basically:
>
> - Symlink the crl file to the /etc/openvpn/keys dir:
>   sudo ln -sf /usr/local/share/openvpn/easy-rsa/keys/crl.pem /etc/openvpn/keys/crl.pem
> - Create a script that refreshes the crl file
> - Run that from cron at an interval that is less than the expire time
>
> However, I have not seen a command to actually refresh the crl.pem file just
> to add new revoked client...
>
> The script to "refresh" the crl.pem file:
>
> -----------
> #!/bin/bash
> cd /usr/local/share/openvpn/easy-rsa
> source vars
> ./revoke-full <what do I put here to just refresh the pem file?>
>
> exit 0
> -----------
>
> I tried "revoke-full" without argument but it showed an error...
>
> Is there an openssl command to just refresh the file's expire date?
>
> I tried to read the expire date of the pem file like I can a crt file but
> failed, is there a command to do so?

The problem you have is as follows:

EasyRSA version 2 will automatically build a new CRL but ONLY when you use 'revoke-full'. Then you have a fixed CRL, which EasyRSA v2 will not update, unless you revoke another certificate.

That is no longer suitable for use with OpenVPN because the underlying SSL library checks for a validation date in the CRL, which it did NOT do when easyrsa-v2 was created.

So, either upgrade to EasyRSA-v3, please. Otherwise, you will have to use OpenSSL command directly, to create a new CRL.

You can look in the EasyRSA source code v2 or v3 for the appropriate SSL layer command.

Regards
Richard
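One way to do what Richard describes, as an added example that is not part of the original thread and not EasyRSA's own code: regenerate the CRL straight from the CA's index.txt with `openssl ca -gencrl` (so revoked serials are kept and only the validity dates move forward) and read the CRL's expiry with `openssl crl -nextupdate`. The CA directory layout, file names and the throwaway demo CA built by `make_demo_ca` are assumptions; GNU date is assumed for the expiry comparison.

```shell
#!/bin/bash
# Added example (not EasyRSA code): refresh an EasyRSA-v2 style CRL with openssl
# directly and read its expiry. Assumes a CA directory holding ca.crt, ca.key,
# index.txt, crlnumber and an openssl.cnf whose [ ca ] section points at them.
set -eu
# Regenerate crl.pem from index.txt: "R" (revoked) rows are kept, only
# thisUpdate/nextUpdate move forward. $2 = validity in days (default 30).
refresh_crl() {
  (cd "$1" && openssl ca -batch -config openssl.cnf -gencrl \
      -crldays "${2:-30}" -out crl.pem)
}
# Print the CRL's nextUpdate field, e.g. "Mar 26 12:00:00 2023 GMT".
crl_next_update() {
  openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//'
}
# Succeed while the CRL is inside its validity window (GNU date assumed);
# a cron job can test this to see whether a refresh is overdue.
crl_is_valid() {
  [ "$(date -u -d "$(crl_next_update "$1")" +%s)" -gt "$(date -u +%s)" ]
}
# Succeed if hex serial $2 is listed as revoked in CRL $1.
crl_lists_serial() {
  openssl crl -in "$1" -noout -text | grep -q "Serial Number: $2\$"
}
# Constructed throwaway CA in $1 so the functions above run offline:
# a self-signed CA plus one hand-written revoked row in index.txt.
make_demo_ca() (
  mkdir -p "$1" && cd "$1"
  cat > openssl.cnf <<'EOF'
[ ca ]
default_ca    = demo_ca
[ demo_ca ]
dir           = .
database      = $dir/index.txt
new_certs_dir = $dir
certificate   = $dir/ca.crt
private_key   = $dir/ca.key
serial        = $dir/serial
crlnumber     = $dir/crlnumber
default_md    = sha256
[ req ]
distinguished_name = dn
[ dn ]
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj /CN=demo-ca \
      -config openssl.cnf -keyout ca.key -out ca.crt
  echo 01 > serial && cp serial crlnumber
  # index.txt columns: status, expiry, revocation time, serial, file, subject
  printf 'R\t330101000000Z\t230224120000Z\t0A\tunknown\t/CN=revoked-client\n' > index.txt
)
```

For a real EasyRSA-v2 CA, point `refresh_crl` at the easy-rsa directory that holds its keys/index.txt and openssl.cnf instead of the demo CA, and have cron call it at an interval shorter than the `-crldays` value.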
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users