On 08-08-17 20:34, Xen wrote:
> Mio Vlahović wrote on 08-08-2017 19:59:
>> Can anyone assist us on this one? I have googled and found something
>> about a "CRL has expired" error. Is it related to the upgrade of the
>> openvpn package? We use the one from the epel repository.
> You know a CRL is a certificate revocation list, right?
> Being a layman for the rest of it, it means that your configuration uses
> a CRL to begin with. A CRL is supposed to be regularly issued and
> contain a list of certificates that are no longer deemed trustworthy;
> i.e. client certificates that have been compromised.
> So you can do two things: renew your CRL, or remove it from the
> configuration.
> I will let someone answer now who actually has something useful to say ;-).

That was quite useful, and accurate too.  Of course, regularly
refreshing the CRL is more elegant than just removing it from the config.

Some context:  as of openvpn 2.4, the CRL checking logic of the crypto
library is used, instead of our own implementation.  That logic is more
strict than openvpn 2.3 was, and now rejects CRLs that have a nextUpdate
value that lies in the past.  So this is indeed related to upgrading
from openvpn 2.3.x to 2.4.x.
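
The nextUpdate condition described in the reply above, as an added example that is not part of the original message or of OpenVPN's code: a standard-library Python reader that extracts nextUpdate from a PEM or DER CRL so a stale list can be spotted ahead of time. The function names and the sample CRL (built inline with a dummy signature) are constructed for illustration.

```python
import base64
from datetime import datetime, timezone
def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _time(tag, raw):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) in RFC 5280 'Z' form."""
    s = raw.decode("ascii")
    if tag == 0x17:  # two-digit year: 50-99 -> 19xx, 00-49 -> 20xx
        s = ("19" if s[:2] >= "50" else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def crl_next_update(data):
    """Return nextUpdate of a PEM or DER CRL, or None if the field is absent."""
    if b"-----BEGIN X509 CRL-----" in data:
        body = data.split(b"-----BEGIN X509 CRL-----")[1].split(b"-----END")[0]
        data = base64.b64decode(b"".join(body.split()))
    _, pos, _ = _tlv(data, 0)      # CertificateList
    _, pos, end = _tlv(data, pos)  # tbsCertList
    times = []
    while pos < end and len(times) < 2:
        tag, start, stop = _tlv(data, pos)
        if tag in (0x17, 0x18):
            times.append(_time(tag, data[start:stop]))
        elif times:  # field after thisUpdate is not a Time: no nextUpdate
            break
        pos = stop
    return times[1] if len(times) == 2 else None

def crl_expired(data, now=None):
    """True when nextUpdate lies in the past, the condition 2.4 rejects on."""
    nxt = crl_next_update(data)
    return nxt is not None and nxt < (now or datetime.now(timezone.utc))

def make_sample_crl(this_update, next_update):
    """Constructed, unsigned CRL skeleton (dummy signature), sample input only."""
    enc = lambda tag, body: bytes([tag, len(body)]) + body  # short-form lengths
    alg = enc(0x30, enc(0x06, bytes.fromhex("2a864886f70d01010b")) + enc(0x05, b""))
    cn = enc(0x30, enc(0x06, bytes.fromhex("550403")) + enc(0x0C, b"Example CA"))
    tbs = enc(0x30, enc(0x02, b"\x01") + alg + enc(0x30, enc(0x31, cn))
              + enc(0x17, this_update) + enc(0x17, next_update))
    return enc(0x30, tbs + alg + enc(0x03, b"\x00" * 9))

if __name__ == "__main__":
    print(crl_expired(make_sample_crl(b"170701000000Z", b"170801000000Z")))
```

To check a real file, pass its bytes to `crl_next_update`; the reader does not verify the CRL signature, it only reports the date.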

