OpenVPN CRL has expired

After upgrading to OpenVPN 2.4.0, I ran in to a connecting issue with my  OpenVPN server: I was getting the error “OpenVPN CRL has expired”.

Here is a sample error snippet.

Aug 16 17:30:42 server openvpn[29505]: x.x.x.x:63594 TLS: Initial packet from [AF_INET]x.x.x.x:63594, sid=e40c4184 43714d2a

Aug 16 17:30:42 server openvpn[29505]: x.x.x.x:63594 VERIFY ERROR: depth=0, error=CRL has expired: CN=servername

Aug 16 17:30:42 server openvpn[29505]: x.x.x.x:63594 OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

Aug 16 17:30:42 server openvpn[29505]: x.x.x.x:63594 TLS_ERROR: BIO read tls_read_plaintext error Aug 16 17:30:42 server openvpn[29505]: x.x.x.x:63594 TLS Error: TLS object -> incoming plaintext read error

Aug 16 17:30:42 server openvpn[29505]: x.x.x.x:63594 TLS Error: TLS handshake failed Aug 16 17:30:42 server openvpn[29505]: x.x.x.x:63594 SIGUSR1[soft,tls-error] received, client-instance restarting [root@server ~]#

In order to fix the issue, we just need to recreate the crl.pem file. I would suggest to backup the current crl.pem file before creating a new one. In my case, the location of the  crl.pem file was at /etc/openvpn/.

To backup crl.pem file,run the following command

mv crl.pem crl.pem.back

I have used EasyRSA to generate CRL in the past, so I was able to fix it by using the following commands.

Change working directory to easy-rsa

cd easy-rsa

then run

./easyrsa gen-crl

Now you will see the location of the newly created crl file. we are going to copy this file to /etc/openvpn (Make sure you use the exact file location to copy from)

cd..
cp -pr /etc/openvpn/easy-rsa/pki/crl.pem .

Finally restart openvpn service

service openvpn restart

4 thoughts on “OpenVPN CRL has expired

Leave a Reply

Your email address will not be published. Required fields are marked *