Openvpn CRL with wrong expiration dates - how to fix?

solved
openvpn

#1

Continuing the discussion from TurrisOS 3.6.2 is out:

I now face exactly this problem.
How can I recreate the CRL with correct expiration dates? It seems like easyrsa is not used, so I wonder what the commands for the shell are.


Openvpn CRL Error
#2

I’ll found the solution and will reply to my own question:

The commands are:
turris-cagen switch openvpn
turris-cagen refresh

This will update the CRL. I found this by going through the code on Gitlab, I would says that this should not be necessary.


#3

Hello,

I missed an issue with the changes with the new opevpn version, which is that the CRLs expire now every 30 days by default.
This can be fixed in two ways:

  1. Change the /etc/cagen/openssl.cnf and change the expiry period:
    default_crl_days= 30 to something like 365, and renew the CRL with the commands above.
    But you still have to refresh the CRL each xxx days.

  2. Refresh the CRL with cron, for example every 15 days:
    5 3 */15 * * turris-cagen switch openvpn && turris-cagen refresh > /root/crl_refresh.log

Edit: corrected the openssl.cnf path to /etc/cagen


#4

Hi @hal2100,

As I said here, I think that if you use the commands above, you have to change the default_crl_days in /etc/cagen/openssl.cnf, not in /etc/ssl/openssl.cnf. If you change the value to 3650 you have 10 years until the next crl refresh. Also, I just used the refresh command, the switch command wasn’t needed as the refresh command Regenerates CRLs for all the CAs. Thank you for your original post, It helped me a lot!


#5

Ah yes, I missed the right configuration path. Thanks!

But I still believe using cron is better, as you should refresh your CRL periodically. Changing the expiry period just postpones the problem, although I would argue 10 years is quite save…