OpenVPN CRL has expired

After upgrading to OpenVPN 2.4.0, I ran into a connection issue with my OpenVPN server: I was getting the error “OpenVPN CRL has expired”.

Here is a sample error snippet.

Aug 16 17:30:42 server openvpn[29505]: x.x.x.x:63594 TLS: Initial packet from [AF_INET]x.x.x.x:63594, sid=e40c4184 43714d2a

Aug 16 17:30:42 server openvpn[29505]: x.x.x.x:63594 VERIFY ERROR: depth=0, error=CRL has expired: CN=servername

Aug 16 17:30:42 server openvpn[29505]: x.x.x.x:63594 OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

Aug 16 17:30:42 server openvpn[29505]: x.x.x.x:63594 TLS_ERROR: BIO read tls_read_plaintext error

Aug 16 17:30:42 server openvpn[29505]: x.x.x.x:63594 TLS Error: TLS object -> incoming plaintext read error

Aug 16 17:30:42 server openvpn[29505]: x.x.x.x:63594 TLS Error: TLS handshake failed

Aug 16 17:30:42 server openvpn[29505]: x.x.x.x:63594 SIGUSR1[soft,tls-error] received, client-instance restarting

To fix the issue, we just need to recreate the crl.pem file. I would suggest backing up the current crl.pem file before creating a new one. In my case, the crl.pem file was located at /etc/openvpn/.

To back up the crl.pem file, run the following command:

I have used EasyRSA to generate the CRL in the past, so I was able to fix it by using the following commands.

Change the working directory to easy-rsa:

Then run:

Now you will see the location of the newly created CRL file. We are going to copy this file to /etc/openvpn (make sure you use the exact file location to copy from).

Finally, restart the openvpn service.
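To catch the expiry before clients start failing with the error above, this added example (not part of the original post) reads the CRL's nextUpdate field with `openssl crl -noout -nextupdate` and reports how many days remain. The function names, the 14-day warning threshold and the sample timestamp are assumptions for illustration; the default path is the /etc/openvpn/ location mentioned above.

```python
import re
import subprocess
from datetime import datetime, timezone

# Constructed sample of what `openssl crl -noout -nextupdate` prints.
SAMPLE_OPENSSL_OUTPUT = "nextUpdate=Aug 16 17:00:00 2017 GMT\n"

def parse_next_update(openssl_output):
    """Return the CRL's nextUpdate as a timezone-aware UTC datetime."""
    m = re.search(r"^nextUpdate=(.+?)\s*$", openssl_output, re.MULTILINE)
    if not m or m.group(1) == "NONE":  # openssl prints NONE if the field is absent
        raise ValueError("no nextUpdate field in openssl output")
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y GMT")
    return ts.replace(tzinfo=timezone.utc)

def classify(next_update, now, warn_days=14):
    """Return (state, whole_days_left) where state is EXPIRED, WARN or OK."""
    seconds = (next_update - now).total_seconds()
    days = int(seconds // 86400)  # negative once nextUpdate has passed
    if seconds <= 0:
        return "EXPIRED", days
    if days < warn_days:
        return "WARN", days
    return "OK", days

def check_crl(path="/etc/openvpn/crl.pem", warn_days=14):
    """Read nextUpdate from the CRL file with openssl and classify it."""
    out = subprocess.run(
        ["openssl", "crl", "-in", path, "-noout", "-nextupdate"],
        check=True, capture_output=True, text=True,
    ).stdout
    return classify(parse_next_update(out), datetime.now(timezone.utc), warn_days)

if __name__ == "__main__":
    import sys
    # Optional first argument: path to the CRL file.
    state, days = check_crl(*sys.argv[1:2])
    print(f"{state}: {days} day(s) until nextUpdate")
    sys.exit(0 if state == "OK" else 1)
```

Run from cron or a monitoring agent, the non-zero exit status on WARN or EXPIRED gives time to regenerate the CRL before the server starts rejecting clients.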
