We have an OpenVPN in our aws setup which was set up by a client and now they are not able to connect to open vpn say "crl has expired" .
We are trying to regenerate the crl but to do that we need to go to the easy-rsa folder and there I need to run following command:
- cd path/to/easy-rsa/directory
- here need to run the following command
./easy-rsa crl-gen
- but here the problem is the easy-rsa script file inside the easy-rsa directory is missing and without that we will not be able to generate the
crl.
Tue Aug 27 10:25:17 2019 122.166.3.167:18363 VERIFY ERROR: depth=0, error=CRL has expired: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=pkoparde, name=EasyRSA, emailAddress=me@myhost.mydomain Tue Aug 27 10:25:17 2019 122.166.3.167:18363 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed Tue Aug 27 10:25:17 2019 122.166.3.167:18363 TLS_ERROR: BIO read tls_read_plaintext error Tue Aug 27 10:25:17 2019 122.166.3.167:18363 TLS Error: TLS object -> incoming plaintext read error Tue Aug 27 10:25:17 2019 122.166.3.167:18363 TLS Error: TLS handshake failed Tue Aug 27 10:25:17 2019 122.166.3.167:18363 SIGUSR1[soft,tls-error] received, client-instance restarting
Can anyone please help me with this, This is a production server issue ?
Best Answer
easy-rsa is packaged already for most Linux distributions. Just install it from your package manager.
For example:
You should run easy-rsa installed from your distribution packages as
easy-rsa, not./easy-rsa.