OpenVPN CRL has expired
After upgrading to OpenVPN 2.4.0, I ran into a connection issue with my OpenVPN server: clients could no longer connect, and the server log showed the error "CRL has expired". OpenVPN 2.4 checks the nextUpdate date of the CRL configured with crl-verify, which earlier versions did not enforce, so a CRL that had quietly expired under 2.3 starts rejecting every client after the upgrade.
Here is a sample error snippet from the server log.
Aug 16 17:30:42 server openvpn[29505]: x.x.x.x:63594 TLS: Initial packet from [AF_INET]x.x.x.x:63594, sid=e40c4184 43714d2a
Aug 16 17:30:42 server openvpn[29505]: x.x.x.x:63594 VERIFY ERROR: depth=0, error=CRL has expired: CN=servername
Aug 16 17:30:42 server openvpn[29505]: x.x.x.x:63594 OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Aug 16 17:30:42 server openvpn[29505]: x.x.x.x:63594 TLS_ERROR: BIO read tls_read_plaintext error
Aug 16 17:30:42 server openvpn[29505]: x.x.x.x:63594 TLS Error: TLS object -> incoming plaintext read error
Aug 16 17:30:42 server openvpn[29505]: x.x.x.x:63594 TLS Error: TLS handshake failed
Aug 16 17:30:42 server openvpn[29505]: x.x.x.x:63594 SIGUSR1[soft,tls-error] received, client-instance restarting
To fix the issue, we just need to regenerate the crl.pem file. I suggest backing up the current crl.pem before creating a new one. In my case the crl.pem file was in /etc/openvpn/ (the path is whatever the crl-verify directive in the server config points at).
To back up the crl.pem file, run the following command:
mv /etc/openvpn/crl.pem /etc/openvpn/crl.pem.back
I had generated the CRL with EasyRSA originally, so I was able to fix it by regenerating it with EasyRSA as follows. Note that EasyRSA 3 signs the new CRL for EASYRSA_CRL_DAYS (180 days by default), so the same error will come back unless you raise that value in vars or regenerate the CRL on a schedule.
Change to the easy-rsa directory (in my setup, /etc/openvpn/easy-rsa):
cd /etc/openvpn/easy-rsa
then run
./easyrsa gen-crl
EasyRSA prints the location of the newly created CRL (pki/crl.pem under the easy-rsa directory). Copy it over the old file in /etc/openvpn, using the exact path that was printed. If the server drops privileges with the user/group directives, make sure the copied file is readable by that user, otherwise OpenVPN will fail to load it after the restart.
cd ..
cp -p /etc/openvpn/easy-rsa/pki/crl.pem .
Finally, restart the OpenVPN service so it loads the new CRL (on systemd hosts the unit is usually openvpn@<config-name>):
service openvpn restart
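The whole procedure above, with a check of the CRL's nextUpdate date in front of it so the CRL can be renewed before clients get locked out, as an added example script that is not part of the original post. It assumes the layout used in the post (the CRL at /etc/openvpn/crl.pem, EasyRSA 3 in /etc/openvpn/easy-rsa with an initialised pki/) and GNU date; the variables at the top can be overridden for a different layout.

```shell
#!/bin/sh
# renew-openvpn-crl.sh (added example, not from the original post)
# Check the CRL that OpenVPN loads via crl-verify and regenerate it with EasyRSA
# when it has expired or is about to. Assumed layout (override via environment):
# CRL at /etc/openvpn/crl.pem, EasyRSA 3 in /etc/openvpn/easy-rsa, GNU date.
set -e

OPENVPN_DIR=${OPENVPN_DIR:-/etc/openvpn}
EASYRSA_DIR=${EASYRSA_DIR:-$OPENVPN_DIR/easy-rsa}
CRL=${CRL:-$OPENVPN_DIR/crl.pem}
WARN_DAYS=${WARN_DAYS:-14}

# Print the CRL's nextUpdate field as epoch seconds, or "none" if the field is
# absent. nextUpdate is the date OpenVPN 2.4 enforces: once it is in the past,
# every client handshake fails with "VERIFY ERROR: ... CRL has expired".
crl_next_update_epoch() {
    nu=$(openssl crl -in "$1" -noout -nextupdate) || return 1
    nu=${nu#nextUpdate=}                    # e.g. "Feb 12 12:00:00 2018 GMT"
    if [ "$nu" = NONE ]; then
        echo none                           # no nextUpdate: nothing to expire
    else
        date -u -d "$nu" +%s
    fi
}

# Classify a nextUpdate value: expired | expiring | ok.
# Arguments: NEXT_EPOCH NOW_EPOCH WARN_DAYS. Kept free of openssl calls so the
# decision logic can be tested on its own.
crl_state() {
    next=$1; now=$2; warn=$3
    if [ "$next" = none ]; then
        echo ok
    elif [ "$next" -le "$now" ]; then
        echo expired
    elif [ "$next" -le $((now + warn * 86400)) ]; then
        echo expiring
    else
        echo ok
    fi
}

# Regenerate the CRL with EasyRSA and install it with a backup of the old one.
renew_crl() {
    ts=$(date -u +%Y%m%d%H%M%S)
    if [ -f "$CRL" ]; then
        cp -p "$CRL" "$CRL.$ts.back"        # keep the previous CRL, as the post does
    fi
    ( cd "$EASYRSA_DIR" && ./easyrsa gen-crl )      # writes pki/crl.pem (EASYRSA_CRL_DAYS validity)
    install -m 0644 "$EASYRSA_DIR/pki/crl.pem" "$CRL.new"   # world-readable for an unprivileged openvpn user
    mv -f "$CRL.new" "$CRL"                 # rename is atomic: OpenVPN never reads a half-written file
    openssl crl -in "$CRL" -noout -nextupdate   # show the new validity before restarting
}

main() {
    now=$(date -u +%s)
    if [ -f "$CRL" ]; then
        state=$(crl_state "$(crl_next_update_epoch "$CRL")" "$now" "$WARN_DAYS")
    else
        state=expired                       # missing CRL: treat like an expired one
    fi
    echo "CRL $CRL: $state"
    case $state in
        expired|expiring)
            renew_crl
            service openvpn restart         # on systemd hosts: systemctl restart openvpn@<config>
            ;;
    esac
}

# Only act when invoked with "run", so the functions can also be sourced.
if [ "${1:-}" = run ]; then
    main
fi
```

Run it as "sh renew-openvpn-crl.sh run" from a cron job; with WARN_DAYS left at 14 it renews the CRL two weeks before nextUpdate, which is the window a 180-day EASYRSA_CRL_DAYS otherwise closes silently. The expired/expiring decision is a separate function so the threshold logic can be checked without a real CRL, and the install step goes through a temporary file so a restart can never pick up a partially copied crl.pem.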
Exactly what I was looking for. Works perfectly! Thanks!
Great, thanks!
Works like a charm! Thanks
Please make more new posts 🙂
___
Sanny