[SOLVED] OpenVPN Certs not getting revoked

pkhera_2001 · 04-11-2010, 04:27 AM

Hi, While revoking OpenVpn client certs from Server I am getting following output:

./revoke-full client-xxxxxxx
Using configuration from /etc/openvpn/openvpn-2.0.9/easy-rsa/openssl.cnf
ERROR:Already revoked, serial number 2D
Using configuration from /etc/openvpn/openvpn-2.0.9/easy-rsa/openssl.cnf
client-xxxxxxxxx.crt: /C=IN/ST=xxxxxxxx/O=xxxxxx xxxxxxxxx/OU=xxxxx/CN=VPN-xxxxxx/emailAddress=xxxxxxxxxxxxxxxx@xxxxxxxx.com
error 3 at 0 depth lookup:unable to get certificate CRL

I can see it shows that Certs already revoked as it lists R in front of user's cert entry under index.txt file and my main concern is error list "error 3 at 0 depth lookup:unable to get certificate CRL".

Whereas crl.pem file is at the same location as mentioned under "/etc/openvpn/openvpn-2.0.9/easy-rsa/openssl.cnf" configuration file and it's time stamps gets changed as soon as I try to revoke any certs.

The hazardous effect of this error is that as it shows that certs are revoked but still certs are working and client can connect using same certs.

Got to resolve this asap, any help and suggestion will be appreciated.

Thanks.

deadeyes · 04-13-2010, 10:38 AM

I had this exact same issue a year or 2 ago.
If I recall correctly I think you have to specify with a directive what your revocation file is.

Taken from the openvpn website howto(http://openvpn.net/index.php/open-so...ion/howto.html)

Quote:

The file should be copied to a directory where the OpenVPN server can access it, then CRL verification should be enabled in the server configuration:

crl-verify crl.pem

pkhera_2001 · 04-14-2010, 01:42 AM

Thanks deadeys,

I was able to resolve it by putting new crl.pem file at the location mentioned under server.conf file of Openvpn.

I got it learned after going through "How To" from openvpn web portal.

I appreciate your response.

Thanks,
Pkhera