OpenVPN CRL has expired


2019-04-02 by dongnan

Problem description

Clients cannot connect to the OpenVPN server. When a client dials in, the server log shows the following:

Sat Dec 15 19:37:11 2018 ServerIp:Port TLS: Initial packet from [AF_INET]ServerIp:Port, sid=8370bee8 e2a895cf
Sat Dec 15 19:37:11 2018 ServerIp:Port VERIFY ERROR: depth=0, error=CRL has expired: C=CN, ST=BeiJing, L=BeiJing, O=Unimed, OU=P2P_TECH, CN=JL-Imac, name=EasyRSA, emailAddress=xxxxx@xxxx.com
Sat Dec 15 19:37:11 2018 ServerIp:Port OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Sat Dec 15 19:37:11 2018 ServerIp:Port TLS_ERROR: BIO read tls_read_plaintext error
Sat Dec 15 19:37:11 2018 ServerIp:Port TLS Error: TLS object -> incoming plaintext read error
Sat Dec 15 19:37:11 2018 ServerIp:Port TLS Error: TLS handshake failed
Sat Dec 15 19:37:11 2018 ServerIp:Port SIGUSR1[soft,tls-error] received, client-instance restarting

Solution

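A Google search for the keyword error=CRL has expired turned up an article describing the same problem. In both cases the OpenVPN revoke function had been used to revoke a certificate, and the fault is related to the crl.pem file.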

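Comment out the crl-verify option in the server.conf configuration file. With this option disabled, the server no longer checks client certificates against the revocation list.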

# revoke
# crl-verify /etc/openvpn/easy-rsa/keys/crl.pem
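
The expiry behind the VERIFY ERROR above can be detected ahead of time by reading the CRL's nextUpdate field, so the CRL can be regenerated while crl-verify stays enabled. The script below is an added example, not part of the original post; it assumes the openssl CLI is installed and uses the crl.pem path from the server.conf snippet, while WARN_DAYS and the sample string are constructed values.

```python
import re
import subprocess
import sys
from datetime import datetime, timezone

CRL_PATH = "/etc/openvpn/easy-rsa/keys/crl.pem"  # crl-verify path from server.conf
WARN_DAYS = 7  # assumed alerting threshold, tune to your CRL lifetime

# Constructed sample of `openssl crl -noout -nextupdate` output (not a real CRL).
SAMPLE = "nextUpdate=Dec 14 08:00:00 2018 GMT\n"


def crl_status(openssl_text, now, warn_days=WARN_DAYS):
    """Return (state, days_left); state is expired, expiring, ok or no-next-update."""
    match = re.search(r"^nextUpdate=(.+)$", openssl_text, re.M)
    if not match or match.group(1).strip() == "NONE":
        # A CRL without nextUpdate has no expiry date to compare against.
        return "no-next-update", None
    # openssl pads single-digit days with an extra space ("Dec  4"); normalise it.
    stamp = " ".join(match.group(1).split())
    next_update = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
    next_update = next_update.replace(tzinfo=timezone.utc)
    days_left = (next_update - now).total_seconds() / 86400
    if days_left < 0:
        return "expired", days_left
    if days_left <= warn_days:
        return "expiring", days_left
    return "ok", days_left


def read_next_update(path=CRL_PATH):
    """Ask the openssl CLI for the CRL's nextUpdate field."""
    result = subprocess.run(
        ["openssl", "crl", "-in", path, "-noout", "-nextupdate"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else CRL_PATH
    state, days = crl_status(read_next_update(path), datetime.now(timezone.utc))
    detail = "" if days is None else f" ({days:.1f} days to nextUpdate)"
    print(f"{path}: {state}{detail}")
    # Non-zero exit lets cron or a monitoring agent raise an alert.
    sys.exit(0 if state == "ok" else 1)
```
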

References

OpenVPN error: CRL has expired