OpenVPN CRL has expired

less than 1 minute read

After upgrading to OpenVPN 2.4.0, I got the following error when trying to connect to OpenVPN:

TLS: Initial packet from [AF_INET]x.x.x.x:50263, sid=2bd2de7a bd6f8694
VERIFY ERROR: depth=0, error=CRL has expired: CN=louis
OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
TLS_ERROR: BIO read tls_read_plaintext error
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
SIGUSR1[soft,tls-error] received, client-instance restarting

It appears that OpenVPN 2.4 doesn’t accept CRLs with a nextUpdate value that is in the past.

Fixing this issue is simple: regenerate the CRL.

I used EasyRSA to generate my CRL in the past, so I was able to fix it using these commands:

cd /etc/openvpn/easy-rsa
./easyrsa gen-crl
systemctl restart openvpn


Leave a comment