openvpn: error=CRL has expired

After the former FreshPorts server was retired, its OpenVPN credential were revoked. I maintain those certificates via ssl-admin. I uploaded the new CRL into the System | Certificate Manager | Certificate Revocation page in pfSense.

Today, I was seeing strange errors in Nagios, and figured someone wasn’t connected to the VPN. Checking OpenVPN client logs, I found nothing. On the OpenVPN server, I found this message:

Oct 23 22:14:23 openvpn 11134 203.0.113.144:20690 VERIFY ERROR: depth=0, error=CRL has expired: C=US, ST=PA, O=FreeBSD Diary HQ, CN=tallboy.example.org, emailAddress=dan@example.org, serial=94

But first, how did I get in without the VPN

I was not at home when this happened. I could not VPN into my own network.

I did this:

ssh -Ap 24612 -L 8443:localhost:8443 bastion.example.net

This is me, running ssh on my laptop to connect to my basement network at home.

  1. -A I am port forwarding my ssh-agent
  2. p 24612 ssh is connecting to this port on my server
  3. -L 8443:localhost:8443 ssh is forwarding local port 8443 to port 8443 on the host I am ssh-ing to
  4. bastion.example.net is the hostname of my network at home

How the DNS entry for bastion.example.net is maintained is outside scope.

After connecting to my host, I’m prompted for my 2FA code:

[air01 dvl ~] % ssh -Ap 24612 -L 8443:localhost:8443 bastion.example.net
(dvl@ bastion.example.net) Verification code: 
Last login: Sun Oct 23 21:40:48 2022 from pool-173-49-113-130.phlapa.fios.verizon.net
FreeBSD 13.1-RELEASE-p2 GENERIC

Welcome to FreeBSD!

Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories:   https://www.FreeBSD.org/security/
FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
FreeBSD FAQ:           https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums:        https://forums.FreeBSD.org/

Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with:  pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.

Show the version of FreeBSD installed:  freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages:  man man
FreeBSD directory layout:      man hier

To change this login announcement, see motd(5).

There, I’m in. From there, I repeat the port forwarding to another host, then another host and I finally have port forwarding to my pfSense web interface from my web broswer via https://localhost:8443

Why so many port forwards? The jail I ssh into is intentionally restricted.

How to renew the CRL via ssl-admin

I can’t find a way to just renew the CRL. To get it done, I create a new cert and revoked it. This regenerated the CRL. Then I uploaded that into pfSense.

Hopefully my tweet or my issue will find an easier solution.

I might just bump up the default_crl_days value in openssl.conf

Website Pin Facebook Twitter Myspace Friendfeed Technorati del.icio.us Digg Google StumbleUpon Premium Responsive

2 thoughts on “openvpn: error=CRL has expired”

  1. Hello Dan, I’m autoupdating crl (for OpenVPN and http client-cert CA) with following script:

    #!/bin/sh

    kdx=/usr/local/etc/ssl-admin
    a=$1
    kd=${a:-$kdx}

    KEY_CRL_LOC=./xxx.pem KEY_COUNTRY=pl KEY_CN=. KEY_EMAIL=. KEY_ORG=. KEY_PROVINCE=. KEY_CITY=. KEY_SIZE=4096 KEY_DAYS=365 \
    KEY_DIR=$kd \
    openssl ca -gencrl -out $kd/prog/crl.pem -config $kd/openssl.conf

    echo kill -HUP `cat /var/run/spoon/proxy.pid`

  2. That worked for me today.

    I changed default_crl_days in /usr/local/etc/ssl-admin/openssl.conf from 30 to 3650 so I don’t have to do this again until 2032 – or until I revoke another cert, which does not happen often.

Leave a Comment