Openvpn CRL with wrong expiration dates - how to fix?

hal2100 · 2019-02-06 09:18:20 UTC

Continuing the discussion from TurrisOS 3.6.2 is out:

I now face exactly this problem.
How can I recreate the CRL with correct expiration dates? It seems like easyrsa is not used, so I wonder what the commands for the shell are.

hal2100 · 2019-02-06 09:28:27 UTC

I’ll found the solution and will reply to my own question:

The commands are:
turris-cagen switch openvpn
turris-cagen refresh

This will update the CRL. I found this by going through the code on Gitlab, I would says that this should not be necessary.

hal2100 · 2019-03-11 09:56:56 UTC

Hello,

I missed an issue with the changes with the new opevpn version, which is that the CRLs expire now every 30 days by default.
This can be fixed in two ways:

Change the /etc/cagen/openssl.cnf and change the expiry period:
default_crl_days= 30 to something like 365, and renew the CRL with the commands above.
But you still have to refresh the CRL each xxx days.
Refresh the CRL with cron, for example every 15 days:
5 3 */15 * * turris-cagen switch openvpn && turris-cagen refresh > /root/crl_refresh.log

Edit: corrected the openssl.cnf path to /etc/cagen

guinhas · 2019-03-11 11:04:31 UTC

Hi @hal2100,

As I said here, I think that if you use the commands above, you have to change the default_crl_days in /etc/cagen/openssl.cnf, not in /etc/ssl/openssl.cnf. If you change the value to 3650 you have 10 years until the next crl refresh. Also, I just used the refresh command, the switch command wasn’t needed as the refresh command Regenerates CRLs for all the CAs. Thank you for your original post, It helped me a lot!

hal2100 · 2019-03-11 13:28:50 UTC

Ah yes, I missed the right configuration path. Thanks!

But I still believe using cron is better, as you should refresh your CRL periodically. Changing the expiry period just postpones the problem, although I would argue 10 years is quite save…