On 08-08-17 20:34, Xen wrote:
> Mio Vlahović wrote on 08-08-2017 19:59:
>
>> Can anyone assist us on this one? I have googled and found something
>> about CRL has expired error. Is it related with the upgrade of the
>> openvpn package? We use one from the epel repository.
>
> You know a CRL is a certificate revocation list, right?
>
> Being a layman for the rest of it, it means that your configuration uses
> a CRL to begin with. A CRL is supposed to be regularly issued and to
> contain a list of certificates that are no longer deemed trustworthy;
> i.e. client certificates that have been compromised.
>
> So you can do two things: renew your CRL, or remove it from the
> configuration.
>
> I will let someone answer now who actually has something useful to say ;-).

That was quite useful, and accurate too. Of course, regularly refreshing the CRL is more elegant than just removing it from the config.

Some context: as of openvpn 2.4, the CRL checking logic of the crypto library is used, instead of our own implementation. That logic is more strict than openvpn 2.3 was, and now rejects CRLs that have a nextUpdate value that lies in the past. So this is indeed related to upgrading from openvpn 2.3.x to 2.4.x.

-Steffan
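
As an added example (not part of the thread and not OpenVPN project code), this is one way to catch a CRL whose nextUpdate is about to pass before the server starts rejecting it. It assumes `openssl` on the PATH and GNU `date`; the function names and the 7-day warning window are hypothetical choices.

```bash
#!/usr/bin/env bash
# Added example: classify a CRL by its nextUpdate field.
# The input line is what `openssl crl -noout -nextupdate` prints,
# e.g. "nextUpdate=Aug  8 20:34:00 2017 GMT". Needs GNU date for -d.

# crl_status LINE NOW_EPOCH [WARN_DAYS]
# Prints expired | expiring | ok | none | unparseable.
# Exit code: 2 expired, 1 expiring, 0 ok/none, 3 unparseable.
crl_status() {
    local line=$1 now=$2 warn_days=${3:-7}
    local when=${line#nextUpdate=} next
    # Not the line we expect from openssl.
    [ "$when" != "$line" ] || { echo unparseable; return 3; }
    # openssl prints NONE when the CRL carries no nextUpdate field.
    [ "$when" != "NONE" ] || { echo none; return 0; }
    next=$(date -u -d "$when" +%s 2>/dev/null) || { echo unparseable; return 3; }
    if [ "$next" -le "$now" ]; then
        # nextUpdate lies in the past: the case described in the reply above.
        echo expired; return 2
    elif [ $((next - now)) -lt $((warn_days * 86400)) ]; then
        echo expiring; return 1
    fi
    echo ok
}

# check_crl_file PATH [WARN_DAYS]: run the check against a PEM CRL on disk.
check_crl_file() {
    local line
    line=$(openssl crl -in "$1" -noout -nextupdate) || { echo unparseable; return 3; }
    crl_status "$line" "$(date -u +%s)" "${2:-7}"
}

# Example cron usage (script name and path are placeholders):
#   crl-check.sh /path/to/crl.pem 14
if [ $# -ge 1 ]; then check_crl_file "$@"; fi
```

The non-zero exit codes let a cron job or monitoring probe alert while the CRL is still valid, leaving time to regenerate it on the CA.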