OpenVPN CRL has expired
2019-04-02 by dongnan
Problem description
Clients cannot connect to the OpenVPN server. When a client dials in, the server log shows the following:
Sat Dec 15 19:37:11 2018 ServerIp:Port TLS: Initial packet from [AF_INET]ServerIp:Port, sid=8370bee8 e2a895cf
Sat Dec 15 19:37:11 2018 ServerIp:Port VERIFY ERROR: depth=0, error=CRL has expired: C=CN, ST=BeiJing, L=BeiJing, O=Unimed, OU=P2P_TECH, CN=JL-Imac, name=EasyRSA, emailAddress=xxxxx@xxxx.com
Sat Dec 15 19:37:11 2018 ServerIp:Port OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Sat Dec 15 19:37:11 2018 ServerIp:Port TLS_ERROR: BIO read tls_read_plaintext error
Sat Dec 15 19:37:11 2018 ServerIp:Port TLS Error: TLS object -> incoming plaintext read error
Sat Dec 15 19:37:11 2018 ServerIp:Port TLS Error: TLS handshake failed
Sat Dec 15 19:37:11 2018 ServerIp:Port SIGUSR1[soft,tls-error] received, client-instance restarting
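Solution
Searching Google for the keyword error=CRL has expired turned up an article describing the same problem. In both cases OpenVPN's revoke feature for revoking certificates had been used, and the failure is related to the crl.pem file.
Comment out the crl-verify option in the server.conf configuration file.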
# revoke
# crl-verify /etc/openvpn/easy-rsa/keys/crl.pem
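The error means the nextUpdate time inside crl.pem has passed, which can be confirmed directly; the script below is an added example, not part of the original post, that reads that field with openssl crl and reports whether the CRL is still valid. It assumes GNU date, and the function names and the sample nextUpdate value are constructed for illustration.

```shell
#!/bin/sh
# Added example: check whether the CRL that crl-verify points at has expired.
# Function names are illustrative; GNU date (for -d) is assumed.

# Print the raw "nextUpdate=..." line of a PEM-encoded CRL.
crl_next_update() {
    openssl crl -in "$1" -noout -nextupdate
}

# Convert a line such as "nextUpdate=Dec 15 00:00:00 2018 GMT" (constructed
# sample) to epoch seconds. Fails if the line is empty, if the CRL has no
# nextUpdate field (openssl prints "nextUpdate=NONE"), or if the date
# cannot be parsed.
next_update_epoch() {
    local stamp="${1#nextUpdate=}"
    if [ -z "$stamp" ] || [ "$stamp" = "NONE" ]; then
        return 1
    fi
    date -u -d "$stamp" +%s
}

# Classify a CRL from its nextUpdate line and a reference time in epoch seconds.
# Prints "expired <seconds past>", "valid <seconds left>" or "unknown".
crl_status() {
    local now="$2" expiry
    if ! expiry=$(next_update_epoch "$1" 2>/dev/null); then
        echo "unknown"
        return 0
    fi
    if [ "$now" -ge "$expiry" ]; then
        echo "expired $((now - expiry))"
    else
        echo "valid $((expiry - now))"
    fi
}

# With a path argument, check a real file, for example the crl.pem path
# from server.conf.
if [ "$#" -ge 1 ]; then
    crl_status "$(crl_next_update "$1")" "$(date +%s)"
fi
```

With crl-verify commented out, the server no longer checks client certificates against the CRL, so certificates revoked earlier are accepted again. Regenerating crl.pem so that nextUpdate lies in the future and leaving crl-verify enabled clears the error while keeping revocation enforced.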