OpenVPN CRL expired - no client access

texas-aggie · October 8, 2018, 7:11pm

OpenVPN server is throwing a VERIFY ERROR for an expired CRL when attempting to initiate VPN access from a client.

The community wiki indicates a new CRL needs to be created for v 2.4: https://community.openvpn.net/openvpn/wiki/CertificateRevocationListExpired

I suspect UCS has it’s own mechanism to create/update the various certs for OpenVPN, however, I’m not finding any documentation (or just missing something obvious) around this subject.

What’s the process for updating and maintaining certs (preferably in an automated fashion) to keep the system available for end-users?

bytemine · October 9, 2018, 9:13am

I assume you’re using OpenVPN4UCS. It uses the UCS crl, which it wgets from the master hourly. The master renews its crl based on the ssl/crl/interval ucr variable and the last modification date of the crl file.

Was your master or your VPN server down for some time? Did you extend ssl/crl/interval? Was the mtime of /etc/univention/ssl/ucsCA/crl/crl.pem changed without renewing the crl?

bytemine · October 9, 2018, 11:07am

We did some further debugging, since the problem occured for others, too.
It seems that one of the last updates introduced a bug in univention-ssl:

make-certificates.sh is a bash-script and uses ‘<<<’, but /etc/cron.daily/univention-ssl is run by /bin/sh and sources, not calls, make-certificates.sh, which fails.

damrose · October 9, 2018, 11:19am

We are working to fix this issue, it can be tracked in our bugzilla

texas-aggie · October 9, 2018, 12:19pm

Not quite sure how I missed the other entries on the SSL expiry.

For future reference for others, this began after updating to 4.3-2 errata 264.

Thanks for identifying the issue.

texas-aggie · October 14, 2018, 1:03am

When can we expect the patch to be released?