You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The easy-rsa/easyrsa3/vars.example file describes EASYRSA_CRL_DAYS as a soft problem. But in reality it appears to prevent anyone from connecting to the server. I don't expect it's a fun Easter egg to discover when our VPN servers fail just because we trusted the defaults and nobody has left the company in 180 days.
# How many days until the next CRL publish date? Note that the CRL can still be
# parsed after this timeframe passes. It is only used for an expected next
# publication date.
#set_var EASYRSA_CRL_DAYS 180
In my opinion, the code comment that "the CRL can still be parsed", does not match the actuality that everyone's getting a CRL expired error, precluding accessing the server. I believe that the code comment was written prior to OpenVPN 2.4 when the CRL method became "processed much more rigidly than before" https://community.openvpn.net/openvpn/wiki/CertificateRevocationListExpired.
Other people describe the actual behaviour of this environment variable as:
See easyrsa help gen-crl https://github.com/OpenVPN/easy-rsa/wiki/EasyRSA-Renewal#-update-crl
(note that this comment simply indicates that gen-crl is an important part of ongoing maintenance, but this Wiki entry could also use a bit of context, since the output of easyrsa help gen-crl is simply: gen-crl Generate a CRL.).
The real fix seems to be to make SSL be able to parse the CRL after EASYRSA_CRL_DAYS, but an acceptable fix might simpy be to update the code comment to reflect the seriousness of this variable, such as:
# How many days until the next CRL publish date? Note that the CRL will cease to
# work after this timeframe passes. OpenVPN will respond to connection requests
# with "VERIFY ERROR, CRL has expired" if the age of the CRL exceeds the days set.
#
#set_var EASYRSA_CRL_DAYS 180
Additionally, would you recommend that the value of 180 be increased to 825 or something high, to match the other defaults like EASYRSA_CERT_EXPIRE?
The text was updated successfully, but these errors were encountered:
TinCanTech
changed the title
EASYRSA_CRL_DAYS prevents all users from connecting
Expired CRL file prevents all users from connecting to OpenVPN Server
Sep 26, 2024
This change invalidated this comment in Easy-RSA vars.example:
# How many days until the next CRL publish date? Note that the CRL can still
# be parsed after this timeframe passes. It is only used for an expected next
# publication date.
#
#set_var EASYRSA_CRL_DAYS 180
This will be corrected before Easy-RSA release 3.2.2.
Also, improve the Easy-RSA command gen-crl output, to high-light this behavior change.
The
easy-rsa/easyrsa3/vars.example
file describes EASYRSA_CRL_DAYS as a soft problem. But in reality it appears to prevent anyone from connecting to the server. I don't expect it's a fun Easter egg to discover when our VPN servers fail just because we trusted the defaults and nobody has left the company in 180 days.In my opinion, the code comment that "the CRL can still be parsed", does not match the actuality that everyone's getting a CRL expired error, precluding accessing the server. I believe that the code comment was written prior to OpenVPN 2.4 when the CRL method became "processed much more rigidly than before" https://community.openvpn.net/openvpn/wiki/CertificateRevocationListExpired.
Other people describe the actual behaviour of this environment variable as:
The real fix seems to be to make SSL be able to parse the CRL after EASYRSA_CRL_DAYS, but an acceptable fix might simpy be to update the code comment to reflect the seriousness of this variable, such as:
Additionally, would you recommend that the value of 180 be increased to 825 or something high, to match the other defaults like EASYRSA_CERT_EXPIRE?
The text was updated successfully, but these errors were encountered: