OpenVPN – Fix Missing Expected CA File in Easy-RSA

openvpn

I can't connect to my Easy-RSA VPN server. I can connect using SSH; in the logfiles I read "error=CRL has expired". So, according to instructions found using Google I should run

./easyrsa gen-crl

Which gives the error:

 Easy-RSA error:

 Missing expected CA file: ca.crt (perhaps you need to run build-ca?)
 Run easyrsa without commands for usage and command help.

The ca.crt file is located in /etc/openvpn/ca.crt. Where should I put it so I can run the gen-crl command succesfully.

Best Answer

Your ca.crt should reside in ./pki and ca.key in ./pki/private relative to easyrsa script so you should copy or symlink these two files into these directories.

Related Solutions

Openvpn intermediate CA CRL Question

looks like you've found a (minor) bug in openvpn. You should have the full (public) CA chain on the server by stacking the CA and subCA certs together. When a client connects the verify process goes through the entire chain and it tries to find a matching CRL. As there is no CRL for the intermediate CA itself this message is printed, which is bogus.

What you should see as well is

CRL CHECK FAILED: [DN] is REVOKED

As long as you see that the cert issued by the intermediate CA is properly revoked.

HTH,

JJK

Linux – Removing an OpenVPN Client Cert

Just put it on CRL list and create new cert.

Best Answer

Related Solutions

Openvpn intermediate CA CRL Question

Linux – Removing an OpenVPN Client Cert

Related Topic