#1 2017-07-16 18:59:04

freaks
Member
Registered: 2010-11-10
Posts: 63

Openvpn easy rsa renew certificate

Hello,

I have this message in my OpenVPN server log:

VERIFY ERROR: depth=0, error=CRL has expired: CN=client

OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Sun Jul 16 21:01:52 2017 192.168.0.1:47386 TLS_ERROR: BIO read tls_read_plaintext error
Sun Jul 16 21:01:52 2017 192.168.0.1:47386 TLS Error: TLS object -> incoming plaintext read error
Sun Jul 16 21:01:52 2017 192.168.0.1:47386 TLS Error: TLS handshake failed
Sun Jul 16 21:01:52 2017 192.168.0.1:47386 SIGUSR1[soft,tls-error] received, client-instance restarting

Do I have to renew my certificate?
But I don't understand how to do this with easy-rsa.

I use this script: https://github.com/Angristan/OpenVPN-install

Thanks

Last edited by freaks (2017-07-16 19:04:46)

#2 2017-07-16 19:14:00

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,595

Re: Openvpn easy rsa renew certificate

Have you tried our wiki?  Random guides/blogs etc. are a poor source of reliable information in general.

Last edited by graysky (2017-07-16 19:30:37)


CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs

#3 2017-07-16 19:56:38

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: Openvpn easy rsa renew certificate

The Certificate Revocation List has expired, rather than a certificate.

#4 2017-07-16 19:57:13

freaks
Member
Registered: 2010-11-10
Posts: 63

Re: Openvpn easy rsa renew certificate

Yes, I tried the wiki:
https://wiki.archlinux.org/index.php/Easy-RSA
but there is no information about renewing a certificate ...

The script executes these commands to generate the certificate:

cd /etc/openvpn/easy-rsa/
echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" > vars
# Create the PKI, set up the CA, the DH params and the server + client certificates
./easyrsa init-pki
./easyrsa --batch build-ca nopass
openssl dhparam $DH_KEY_SIZE -out dh.pem
./easyrsa build-server-full server nopass
./easyrsa build-client-full $CLIENT nopass
./easyrsa gen-crl
# generate tls-auth key
openvpn --genkey --secret /etc/openvpn/tls-auth.key
# Move all the generated files
cp pki/ca.crt pki/private/ca.key dh.pem pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
# Make cert revocation list readable for non-root
chmod 644 /etc/openvpn/crl.pem

#5 2017-07-16 20:09:21

freaks
Member
Registered: 2010-11-10
Posts: 63

Re: Openvpn easy rsa renew certificate

brebs wrote:

The Certificate Revocation List has expired, rather than a certificate.

OK, the solution is here:

https://u5r.nl/post/openvpn-crl-has-expired


cd /etc/openvpn/easy-rsa
./easyrsa gen-crl
cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem

and start the server

Last edited by freaks (2017-07-16 20:18:04)
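
Added example, not part of any post in this thread: a cron-style check that reads the CRL's nextUpdate field with openssl and regenerates the CRL with the same easy-rsa commands before it expires. The paths are the ones used in the thread; WARN_DAYS and the function names crl_state and refresh_crl are assumptions made for this example, and the date parsing assumes GNU date.

```sh
#!/bin/sh
# Added example: detect a CRL that has expired or is about to, then refresh it.
# Paths match the thread; WARN_DAYS is an assumed threshold, not an easy-rsa setting.
CRL=${CRL:-/etc/openvpn/crl.pem}
EASYRSA_DIR=${EASYRSA_DIR:-/etc/openvpn/easy-rsa}
WARN_DAYS=${WARN_DAYS:-30}

# crl_state "nextUpdate=<date>" [now_epoch] -> prints expired | expiring | ok
# The first argument is a line as printed by `openssl crl -noout -nextupdate`.
crl_state() {
    stamp=${1#nextUpdate=}
    now=${2:-$(date +%s)}
    next=$(date -u -d "$stamp" +%s) || return 2   # requires GNU date
    if [ "$next" -le "$now" ]; then
        echo expired
    elif [ $((next - now)) -lt $((WARN_DAYS * 86400)) ]; then
        echo expiring
    else
        echo ok
    fi
}

# Regenerate the CRL with easy-rsa and swap it into place in one rename,
# world-readable as in the install script quoted in post #4.
refresh_crl() {
    (cd "$EASYRSA_DIR" && ./easyrsa gen-crl) || return 1
    install -m 644 "$EASYRSA_DIR/pki/crl.pem" "$CRL.new" && mv "$CRL.new" "$CRL"
}

# Only act when a CRL is actually present on this host.
if [ -r "$CRL" ]; then
    line=$(openssl crl -in "$CRL" -noout -nextupdate) || exit 1
    state=$(crl_state "$line") || exit 1
    echo "$CRL: $line ($state)"
    if [ "$state" != ok ]; then refresh_crl; fi
fi
```

The lifetime of each regenerated CRL is set by easy-rsa's EASYRSA_CRL_DAYS variable in the vars file, so the check should run more often than that interval.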
