Hi,

On Mon, 02 Jan 2017 08:11:05 +0200 Kertesz Laszlo
<[email protected]> wrote:
> Package: openvpn
> Version: 2.4.0-3
> Severity: important
> 
> Since version 2.4 appeared in Testing, clients cannot connect to my openvpn
> servers (I have 2 running on my desktop).
> They are working fine if I downgrade to 2.3.11, but 2.4 versions seem to
> treat all certificates as expired if crl-verify is enabled.
> I checked all certificates and they are valid until 2021-2026.
> 
> Commenting out the crl-verify line from the server config will make it work,
> but I have revoked certificates and without this option those certificates
> will be allowed to connect.

OpenVPN 2.4 no longer accepts CRLs whose nextUpdate field lies in the
past.  Please carefully look at the error message OpenVPN gives:

> Mon Jan  2 07:37:10 2017 us=466023 1.2.3.4:36241 VERIFY ERROR: depth=0, error=CRL has expired: C=XX, ST=XX, L=XXX, O=None, CN=mycn, emailAddress=my@email

It says 'CRL has expired' (not 'client cert has expired').

To make your server accept connections again, regenerate the CRL.  If
you don't want your CRL to expire, make sure the nextUpdate value is at
least as far in the future as your CA expiry date is.

-Steffan

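The failure mode and the fix described in the reply above, reproduced with plain openssl. This is an added example, not code from the bug report, from Debian or from OpenVPN: it builds a throw-away CA with made-up names (Demo CA, alice, mallory), revokes one client certificate, issues a CRL whose nextUpdate is only one second away, and shows that once that moment has passed even the valid certificate is rejected with "CRL has expired", the same OpenSSL verify error the server logged. It then reissues the CRL with -crldays matching the CA lifetime, after which the valid certificate is accepted and the revoked one is still refused. The ca.cnf contents and the helper names are this example's own assumptions; the "openssl ca", "openssl crl" and "openssl verify -crl_check" invocations are standard.

```shell
#!/bin/sh
# Added example (not from the bug report or OpenVPN): reproduce the
# "CRL has expired" symptom with openssl, then fix it by issuing a CRL
# whose nextUpdate outlives the CA certificate.
set -eu

WORK="$(mktemp -d)"          # scratch PKI, everything here is throw-away
CFG="$WORK/ca.cnf"

# Minimal "openssl ca" configuration so -revoke and -gencrl work.
setup_pki() {
    mkdir -p "$WORK/newcerts"
    : > "$WORK/index.txt"
    echo 01 > "$WORK/crlnumber"
    cat > "$CFG" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database      = $WORK/index.txt
new_certs_dir = $WORK/newcerts
certificate   = $WORK/ca.crt
private_key   = $WORK/ca.key
crlnumber     = $WORK/crlnumber
default_md    = sha256
EOF
    # CA valid for 10 years (3650 days); subject names are made up.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Demo CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        >/dev/null 2>&1
    # Two client certs (5 years each): alice stays valid, mallory gets revoked.
    for name in alice mallory; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
        openssl x509 -req -sha256 -days 1825 -in "$WORK/$name.csr" \
            -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
            -out "$WORK/$name.crt" >/dev/null 2>&1
    done
    openssl ca -config "$CFG" -revoke "$WORK/mallory.crt" >/dev/null 2>&1
}

# Issue a CRL; arguments go straight to "openssl ca -gencrl" (e.g. -crldays 3650).
gen_crl() {
    openssl ca -config "$CFG" -gencrl "$@" -out "$WORK/crl.pem" >/dev/null 2>&1
}

# Print the CRL's nextUpdate, the field OpenVPN 2.4 now enforces.
crl_next_update() {
    openssl crl -in "$WORK/crl.pem" -noout -nextupdate | sed 's/^nextUpdate=//'
}

# Verify one client cert against CA + CRL the way a crl-verify server does.
# Prints "OK", "CRL has expired" or "certificate revoked".
verify_client() {
    out="$(openssl verify -crl_check -CAfile "$WORK/ca.crt" \
           -CRLfile "$WORK/crl.pem" "$WORK/$1.crt" 2>&1 || true)"
    case "$out" in
        *"CRL has expired"*)     echo "CRL has expired" ;;
        *"certificate revoked"*) echo "certificate revoked" ;;
        *": OK"*)                echo "OK" ;;
        *)                       echo "other error: $out" ;;
    esac
}

# 1. A CRL due for renewal one second after issue: once that has passed,
#    even the valid cert is rejected, the symptom from the report.
setup_pki
gen_crl -crlsec 1
sleep 3
verify_client alice     # -> CRL has expired

# 2. Reissue with nextUpdate at least as far out as the CA (3650 days here):
#    alice is accepted again and mallory is still kept out.
gen_crl -crldays 3650
echo "CRL now valid until: $(crl_next_update)"
verify_client alice     # -> OK
verify_client mallory   # -> certificate revoked
```

Note that the expiry check runs before the revocation lookup, which is why an expired CRL locks out every client rather than only the revoked ones; and that commenting out crl-verify, as the reporter tried, removes the revocation lookup entirely. Re-running gen_crl with a long -crldays from cron well before nextUpdate is the usual way to keep a server from hitting this again.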