Hello,
I have this message in my OpenVPN server log:
VERIFY ERROR: depth=0, error=CRL has expired: CN=client
OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Sun Jul 16 21:01:52 2017 192.168.0.1:47386 TLS_ERROR: BIO read tls_read_plaintext error
Sun Jul 16 21:01:52 2017 192.168.0.1:47386 TLS Error: TLS object -> incoming plaintext read error
Sun Jul 16 21:01:52 2017 192.168.0.1:47386 TLS Error: TLS handshake failed
Sun Jul 16 21:01:52 2017 192.168.0.1:47386 SIGUSR1[soft,tls-error] received, client-instance restarting
Must I renew my certificate?
But I don't understand how to do this with Easy-RSA.
I use this script: https://github.com/Angristan/OpenVPN-install
Thanks
Last edited by freaks (2017-07-16 19:04:46)
Have you tried our wiki? Random guides/blogs etc. are a poor source of reliable information in general.
Last edited by graysky (2017-07-16 19:30:37)
The Certificate Revocation List has expired, rather than a certificate.
Yes, I tried the wiki:
https://wiki.archlinux.org/index.php/Easy-RSA
but there is no information about renewing a certificate ...
The script executes these commands to generate the certificate:
cd /etc/openvpn/easy-rsa/
echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" > vars
# Create the PKI, set up the CA, the DH params and the server + client certificates
./easyrsa init-pki
./easyrsa --batch build-ca nopass
openssl dhparam $DH_KEY_SIZE -out dh.pem
./easyrsa build-server-full server nopass
./easyrsa build-client-full $CLIENT nopass
./easyrsa gen-crl
# generate tls-auth key
openvpn --genkey --secret /etc/openvpn/tls-auth.key
# Move all the generated files
cp pki/ca.crt pki/private/ca.key dh.pem pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
# Make cert revocation list readable for non-root
chmod 644 /etc/openvpn/crl.pem
The Certificate Revocation List has expired, rather than a certificate.
OK, the solution is here:
https://u5r.nl/post/openvpn-crl-has-expired
cd /etc/openvpn/easy-rsa
./easyrsa gen-crl
cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
and start the server
Last edited by freaks (2017-07-16 20:18:04)
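The fix in the post above has to be repeated each time the CRL's nextUpdate time passes. As an added example (not part of the original thread or of the install script), this shell check parses the output of `openssl crl -noout -nextupdate` and reports whether the CRL is expired or close to it; the script name, the 14-day default warning window and the exit codes are assumptions.

```shell
#!/bin/sh
# Added example: report how close an OpenVPN CRL is to its nextUpdate time.
# Usage (script name and path are assumptions): crl-check.sh /etc/openvpn/crl.pem [warn_days]

# Days since 1970-01-01 for a calendar date, in plain shell arithmetic
# so the check does not depend on GNU date's free-form parser.
days_from_civil() {  # args: year month day
    y=$1; m=$2; d=$3
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$((y / 400)); yoe=$((y - era * 400))
    doy=$(( (153 * ((m + 9) % 12) + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( era * 146097 + doe - 719468 ))
}

# Seconds from "now" until the time in a line as printed by
# `openssl crl -noout -nextupdate`, e.g. "nextUpdate=Jan  2 19:04:46 2018 GMT".
crl_secs_left() {  # args: nextUpdate-line now-epoch-seconds
    line=${1#nextUpdate=}; now=$2
    set -- $line                      # split into: Mon DD HH:MM:SS YYYY GMT
    [ "$#" -ge 4 ] || return 1
    mon=$1; day=${2#0}; t=$3; year=$4; m=0; found=0
    h=${t%%:*}; rest=${t#*:}; mi=${rest%%:*}; s=${rest#*:}
    for name in Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec; do
        m=$((m + 1))
        if [ "$name" = "$mon" ]; then found=1; break; fi
    done
    [ "$found" -eq 1 ] || return 1    # unparseable month: refuse to guess
    days=$(days_from_civil "$year" "$m" "$day")
    echo $(( days * 86400 + ${h#0} * 3600 + ${mi#0} * 60 + ${s#0} - now ))
}

# Classify the CRL: expired (clients are rejected), renew-soon, or ok.
crl_status() {  # args: nextUpdate-line now-epoch-seconds warn-days
    left=$(crl_secs_left "$1" "$2") || { echo unknown; return 3; }
    if [ "$left" -lt 0 ]; then echo expired; return 2; fi
    if [ "$left" -le $(( $3 * 86400 )) ]; then echo renew-soon; return 1; fi
    echo ok
}

# Only touch the real CRL when a path is given on the command line.
if [ "$#" -ge 1 ]; then
    next=$(openssl crl -in "$1" -noout -nextupdate) || exit 3
    crl_status "$next" "$(date +%s)" "${2:-14}"
fi
```

Run from cron against the crl.pem that OpenVPN reads; a non-zero exit is the cue to rerun `./easyrsa gen-crl` and copy the new crl.pem as in the post above.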