
If the error "VERIFY ERROR: depth=0, error=CRL has expired" is received when a client attempts to connect to the OpenVPN server, it can be fixed as follows:

cd /etc/openvpn/easy-rsa
easyrsa gen-crl

Should result in:

[root@vpnserver easy-rsa]# easyrsa gen-crl
Using SSL: openssl OpenSSL 1.1.1m  14 Dec 2021
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-390.asdf/tmp.qwer

An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa/pki/crl.pem

The client should now be able to connect again.

However, how do you generate a CRL that has a longer expiration, like several years?

Zoredache
AlphaCentauri
    If you are going to set it to several years, you might as well just disable checking it. If you have compromised certs you want things to notice that quickly, which wouldn't happen if your CRL is only updated every few years. – Zoredache Jul 19 '22 at 20:09

1 Answer

https://easy-rsa.readthedocs.io/en/latest/advanced/

EASYRSA_CRL_DAYS (CLI: --days) - set the CRL 'next publish' time in days

So set a value that you like better. But I think you would be far better served by finding a way to automate generating and deploying the CRL than by significantly increasing this value.

Nikita Kipriyanov
Zoredache
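As an added example (not part of the question or the answer, and not easy-rsa's own tooling), here is the kind of automation the answer recommends instead of a multi-year --days value: a script that reads how long the deployed CRL is still valid, regenerates it with an explicit --days when it is close to its nextUpdate (or already past it, the state that produces "CRL has expired"), and installs the new file where OpenVPN reads it. It assumes an easy-rsa 3 PKI in /etc/openvpn/easy-rsa with easyrsa on PATH (as in the question's transcript), that the server's crl-verify directive points at /etc/openvpn/crl.pem, GNU date for parsing the nextUpdate timestamp, and a systemd unit named openvpn-server@server. All of those are assumptions for the example, not facts from the page.

```shell
#!/bin/sh
# renew-crl.sh - keep the easy-rsa CRL fresh and deployed (added example,
# not from the original post or from easy-rsa itself).
#
# Assumptions (not stated on the page):
#   - easy-rsa 3 PKI in /etc/openvpn/easy-rsa, `easyrsa` on PATH
#   - OpenVPN's `crl-verify` points at /etc/openvpn/crl.pem
#   - GNU `date -d` is available to parse the nextUpdate timestamp
#   - the server runs as the systemd unit openvpn-server@server
set -e

EASYRSA_DIR="${EASYRSA_DIR:-/etc/openvpn/easy-rsa}"
CRL_SRC="$EASYRSA_DIR/pki/crl.pem"
CRL_DST="${CRL_DST:-/etc/openvpn/crl.pem}"
CRL_DAYS="${CRL_DAYS:-30}"                  # value passed to easyrsa --days
RENEW_BEFORE_DAYS="${RENEW_BEFORE_DAYS:-7}" # regenerate this many days before expiry

# Seconds until the CRL's nextUpdate field; negative once the CRL has expired.
crl_seconds_left() {
    next=$(openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//')
    echo $(( $(date -d "$next" +%s) - $(date +%s) ))
}

# Decision logic, kept free of external commands so it can be tested alone:
# true (exit 0) when the $1 seconds remaining are fewer than $2 days,
# which includes the already-expired (negative) case.
renewal_due() {
    [ "$1" -lt $(( $2 * 86400 )) ]
}

# Regenerate with an explicit next-publish window, install atomically, reload.
renew_crl() {
    ( cd "$EASYRSA_DIR" && easyrsa --batch --days="$CRL_DAYS" gen-crl )
    install -m 0644 "$CRL_SRC" "$CRL_DST.tmp"   # copy, then rename, so OpenVPN
    mv -f "$CRL_DST.tmp" "$CRL_DST"             # never sees a half-written file
    systemctl reload openvpn-server@server 2>/dev/null || true
}

main() {
    case "${1:-}" in
        check)  # exit 0 while the CRL is fine, non-zero once renewal is due
            left=$(crl_seconds_left "$CRL_DST")
            echo "$CRL_DST: $(( left / 86400 )) day(s) until nextUpdate"
            ! renewal_due "$left" "$RENEW_BEFORE_DAYS"
            ;;
        renew)
            renew_crl
            ;;
        auto)   # cron/timer entry point: only act when needed
            if [ ! -f "$CRL_DST" ] \
               || renewal_due "$(crl_seconds_left "$CRL_DST")" "$RENEW_BEFORE_DAYS"; then
                renew_crl
            fi
            ;;
        *)
            echo "usage: $0 check|renew|auto" >&2
            return 2
            ;;
    esac
}

# Only dispatch when invoked with a subcommand, e.g. from cron:
#   0 3 * * * root /usr/local/sbin/renew-crl.sh auto
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run `renew-crl.sh check` to see how many days the deployed CRL has left, and schedule `renew-crl.sh auto` daily so the CRL is reissued a week before its nextUpdate. This keeps the 30-day window short enough that a revoked certificate stops working promptly (Zoredache's point in the comment above) while removing the manual step the question describes. If the CA key is passphrase-protected, gen-crl will prompt for it; easy-rsa 3 accepts a --passin option for that, which would need to be added to the renew_crl line. The systemctl reload is there for older servers; OpenVPN 2.4 and later re-read a changed CRL file on their own.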