Openvpn CRL with wrong expiration dates - how to fix?

Continuing the discussion from TurrisOS 3.6.2 is out:

I now face exactly this problem.
How can I recreate the CRL with correct expiration dates? It seems like easyrsa is not used, so I wonder what the commands for the shell are.

I found the solution and will reply to my own question:

The commands are:
turris-cagen switch openvpn
turris-cagen refresh

This will update the CRL. I found this by going through the code on Gitlab; I would say that this should not be necessary.


Hello,

I missed an issue with the changes in the new openvpn version, which is that the CRLs now expire every 30 days by default.
This can be fixed in two ways:

  1. Change the /etc/cagen/openssl.cnf and change the expiry period:
    default_crl_days= 30 to something like 365, and renew the CRL with the commands above.
    But you still have to refresh the CRL each xxx days.

  2. Refresh the CRL with cron, for example every 15 days:
    5 3 */15 * * turris-cagen switch openvpn && turris-cagen refresh > /root/crl_refresh.log

Edit: corrected the openssl.cnf path to /etc/cagen
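A small check that complements the cron approach above, added here as an example and not taken from the thread or from the Turris project: it reads the nextUpdate field of a CRL with openssl, works out how many days are left, and only calls turris-cagen refresh when the CRL is expired or about to expire. It assumes GNU date (for `date -d`), openssl on the PATH, and a CRL path that is a placeholder; the days_until and crl_status helpers are this example's own names.

```shell
#!/bin/sh
# Added example (not from the thread): warn about, and refresh, an OpenVPN CRL
# that is close to its nextUpdate date.
# Assumptions: GNU date (`date -d`), openssl on PATH, and CRL_FILE, which is a
# placeholder path; turris-cagen writes the real CRL somewhere under its own tree.

CRL_FILE="${CRL_FILE:-/PLACEHOLDER/path/to/openvpn/crl.pem}"
WARN_DAYS="${WARN_DAYS:-7}"   # start warning this many days before expiry

# days_until NEXTUPDATE_LINE [NOW_EPOCH]
# Takes the "nextUpdate=Jan 15 03:05:00 2024 GMT" line printed by
# `openssl crl -noout -nextupdate` and prints the whole days remaining.
# Past dates give a negative number (rounded away from zero, so an
# expiry a few hours ago still reports -1, never 0).
days_until() {
    exp_str="${1#nextUpdate=}"
    now="${2:-$(date -u +%s)}"
    exp=$(date -u -d "$exp_str" +%s) || return 2
    if [ "$exp" -ge "$now" ]; then
        echo $(( (exp - now) / 86400 ))
    else
        echo $(( -((now - exp + 86399) / 86400) ))
    fi
}

# crl_status DAYS_LEFT WARN_DAYS
# Prints one of: ok | warn | expired. Always exits 0 so it is safe under set -e.
crl_status() {
    days="$1"; warn="$2"
    if [ "$days" -lt 0 ]; then
        echo expired
    elif [ "$days" -lt "$warn" ]; then
        echo warn
    else
        echo ok
    fi
}

# Only act when a readable CRL is present (so the helpers above can be
# sourced and tested without touching the system).
if [ -r "$CRL_FILE" ]; then
    line=$(openssl crl -in "$CRL_FILE" -noout -nextupdate)
    left=$(days_until "$line")
    state=$(crl_status "$left" "$WARN_DAYS")
    echo "CRL $CRL_FILE: $state ($left days left)"
    if [ "$state" != ok ]; then
        # Same command as in the posts above; regenerates CRLs for all CAs.
        turris-cagen refresh
    fi
fi
```

Run it from cron daily instead of the fixed 15-day schedule, and the CRL is refreshed only when needed; the printed status line doubles as a log entry you can grep for "expired" when OpenVPN clients start being rejected.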

Hi @hal2100,

As I said here, I think that if you use the commands above, you have to change the default_crl_days in /etc/cagen/openssl.cnf, not in /etc/ssl/openssl.cnf. If you change the value to 3650 you have 10 years until the next CRL refresh. Also, I just used the refresh command; the switch command wasn’t needed, as the refresh command regenerates CRLs for all the CAs. Thank you for your original post, it helped me a lot!

Ah yes, I missed the right configuration path. Thanks!

But I still believe using cron is better, as you should refresh your CRL periodically. Changing the expiry period just postpones the problem, although I would argue 10 years is quite safe…