khariV's picture

I have a turnkey OpenVPN vm (Virtualbox on local ubuntu server) running for a couple of months now with no problem.  It is a small installation used by a grand total of two people.

As of yesterday, clients can no longer connect. I tried using the IOS client as well as Tunnelblick on MacOS.

When I look into the syslog, I see the error:

VERIFY ERROR: depth=0, error=CRL has expired


A websearch on openvpn troubleshooting indicates that I need to use easyrsa to regen the crl using the command:

./easyrsa gen-crl

The problem is that, while I see the easy-rsa directory under /etc/openvpn/easy-rsa, there is no easyrsa script that I can use to do this. I do have a crl.pem in the easy-rsa/keys/crl.jail directory.


So, a couple of questions here. 

1. Am I on the right track in needing to regen the crl.pem?  

2. If 1 is correct, HOW do I regen it without the easyrsa script?

3. Why did the CRL expire and what can I do to keep it from expiring again?



Jeremy Davis's picture

TBH, I'm not particularly familiar with OpenVPN, but I have been involved in testing and maintaining the OpenVPN applaince, so hopefully I can be of some assistance.

FWIW, we use the Easy-RSA package from the Debian repos. That doesn't include the specific easy-rsa script and instead leverages OpenSSL itself to generate the certificates and keys.

After a little googling and reading, I think I have the answer. However, during my research, I note that by default, the CRL will expire in 30 days. I think that is why this has occurred and I suggest that 30 days is too short.

FWIW I've opened an issue regarding that on our issue tracker. As hinted in that issue, you can adjust the timeout by adjusting the value of default_crl_days (in /etc/openvpn/easy-rsa/openssl.cnf, which in current TurnKey app should be a symlink to /etc/openvpn/easy-rsa/openssl-1.0.0.cnf). 10 years seems like a popular default, so you may be happy to run with that. IMO, that's a bit too long, but YMMV. I guess it depends on the context of your VPN usage?!

So if you wish to adjust how long the new CRL you are about to generate lives for, please do that first, then this should hopefully do the trick for you:

cd /etc/openvpn/easy-rsa
source vars
openssl ca  -gencrl -keyfile keys/ca.key -cert keys/ca.crt  -out keys/crl.jail/crl.pem -config ./openssl.cnf

(updated to include missing source of vars file)

khariV's picture

Thanks for the quick reply.  It's just me connecting, so 10 years shouldn't really be an issue

Now, for the fix.  I adjusted the timeout to 10 years, but when I go to run the openssl command, it errors out:

openssl ca  -gencrl -keyfile keys/ca.key -cert keys/ca.crt  -out keys/crl.jail/crl.pem -config ./openssl.cnf
Using configuration from ./openssl.cnf

ca: Error on line 37 of config file "./openssl.cnf"
139825616872832:error:0E065068:configuration file routines:str_copy:variable has no value:../crypto/conf/conf_def.c:519:line 37

Line 37 is

dir             = $ENV::KEY_DIR

I've checked my vars file, and I do have the line

export KEY_DIR="$EASY_RSA/keys"

The only other reference I could find to this error was making sure to have

export KEY_ALTNAMES="DNS:must-be-unique"

in vars as well -which is there.


So...what else am I missing here?

Jeremy Davis's picture

(note: I have updated my above post to also include the missing source of the vars file).

Apologies, I think that was my bad. The vars file needs to be sourced first. Even though the vars file may have the relevant variables within it, the file needs to be explicitly loaded within the current shell session for those variables to be within the current environment. I'm hoping that's the issue.

So fingers crossed, this full set of commands should work:

cd /etc/openvpn/easy-rsa
source vars
openssl ca  -gencrl -keyfile keys/ca.key -cert keys/ca.crt  -out keys/crl.jail/crl.pem -config ./openssl.cnf

Apologies on my omission. Hopefully that works now.

khariV's picture

And there was much rejoicing...


Yay! Yay! Yay!


Thanks again.

Jeremy Davis's picture

Awesome. Glad to hear that you're back up and running. Thanks for posting back to confirm! :)

Add new comment