Fli
08-28-2017, 11:56 PM
My OpenVPN client suddenly stopped being able to connect to the OpenVPN server.
The last status message was "VERIFY OK: depth=0, CN=server"
So I checked /var/log/messages on the OpenVPN server and it contained:
openvpn[11357]: myclientip:45962 VERIFY ERROR: depth=0, error=CRL has expired: CN=client
openvpn[11357]: myclientip:45962 OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
openvpn[11357]: myclientip:45962 TLS_ERROR: BIO read tls_read_plaintext error
openvpn[11357]: myclientip:45962 TLS Error: TLS object -> incoming plaintext read error
openvpn[11357]: myclientip:45962 TLS Error: TLS handshake failed
After googling I found: https://forums.openvpn.net/viewtopic.php?t=23166#p67004
So it appears CRL should be renewed.
First one should increase:
default_days = 3650 # how long to certify for
default_crl_days= 3650 # how long before next CRL
inside openssl.cnf (find /etc -name openssl.cnf)
Then one can probably delete the openvpn user and create a new one, generating keys, etc. I do not know what the exact commands are. I am using Nyr's openvpn installer (https://github.com/Nyr/openvpn-install) and it allows doing this by 1. revoking the user, then 2. adding it again, then 3. copying the *.ovpn file to your client machine and replacing the old one.
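An added example (not part of the post above and not code from Nyr's installer) that turns the two symptoms discussed here into a check a server admin can run: it picks the "CRL has expired" rejections out of /var/log/messages lines, and it parses the nextUpdate line that `openssl crl -in crl.pem -noout -nextupdate` prints so the CRL's remaining lifetime can be alerted on before clients start failing. The log lines and dates are constructed samples; the crl.pem path and the openssl invocation in check_crl_file are assumptions.

```python
import re
import subprocess
from datetime import datetime, timezone

# Constructed sample: the lines quoted in the post, plus one (constructed) client
# rejected for a different reason, so the filter shows it only matches CRL expiry.
SAMPLE_LOG = """\
openvpn[11357]: myclientip:45962 VERIFY ERROR: depth=0, error=CRL has expired: CN=client
openvpn[11357]: myclientip:45962 OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
openvpn[11357]: myclientip:45962 TLS Error: TLS handshake failed
openvpn[11357]: otherclient:51000 VERIFY ERROR: depth=0, error=certificate has expired: CN=laptop
"""

CRL_EXPIRED_RE = re.compile(
    r"openvpn\[\d+\]: (?P<peer>\S+) VERIFY ERROR: depth=\d+, "
    r"error=CRL has expired: CN=(?P<cn>\S+)"
)


def find_crl_expired_failures(log_text):
    """Return (peer, CN) pairs the server rejected because its own CRL is stale.
    Note the failure is on the server side: every client will hit this, not just one."""
    hits = []
    for line in log_text.splitlines():
        m = CRL_EXPIRED_RE.search(line)
        if m:
            hits.append((m.group("peer"), m.group("cn")))
    return hits


def parse_next_update(openssl_output):
    """Parse 'nextUpdate=Aug 28 23:56:00 2017 GMT' (the format `openssl crl -nextupdate`
    prints) into a timezone-aware UTC datetime."""
    m = re.search(r"nextUpdate=(.+)$", openssl_output, re.MULTILINE)
    if not m:
        raise ValueError("no nextUpdate line in openssl output")
    parsed = datetime.strptime(m.group(1).strip(), "%b %d %H:%M:%S %Y %Z")
    return parsed.replace(tzinfo=timezone.utc)


def crl_days_left(next_update, now=None):
    """Days until the CRL's nextUpdate; negative means OpenVPN already rejects clients."""
    now = now or datetime.now(timezone.utc)
    return (next_update - now).total_seconds() / 86400


def check_crl_file(path="/etc/openvpn/crl.pem"):
    """Assumed helper: shell out to openssl for the CRL at `path` (path is an assumption)."""
    out = subprocess.run(["openssl", "crl", "-in", path, "-noout", "-nextupdate"],
                         check=True, capture_output=True, text=True).stdout
    return crl_days_left(parse_next_update(out))
```

A cron job that runs check_crl_file and alerts when the result drops below, say, 30 days gives warning before the "CRL has expired" rejections appear; raising default_crl_days as the post suggests only lengthens the interval, it does not remove it.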