OpenVPN – Issue Verifying CRL


With an OpenVPN/EasyRSA 3 setup (split machines for CA and VPN entry point), I'm facing the issue that whatever CRL I generate, OpenVPN seemingly cannot handle it.

Setup Overview: Things That Go Well

I was following these guidelines to set up the respective machines:

Everything regarding signing requests for clients, their actual signing, connecting to the VPN, nameserver pushes, private name resolution and such works very smoothly. However, I can revoke a certificate on the CA (as far as I know, there is no "revocation request"; instead, certificates are revoked directly on the CA) and generate the corresponding CRL like so:

./easyrsa revoke doe.john.client
./easyrsa gen-crl

The revocation works: the certificate is marked with an R in index.txt, and checking the generated CRL and comparing the certificate IDs also works; the IDs are correct.

openssl crl -noout -text -in <CRL-file>.pem

Where Things Start to Fail

Now, the next step after generating the CRL is to transfer it to the OpenVPN server, change the file permissions (664) and update OpenVPN's server.conf to use it:

[... properly working OpenVPN server.conf]

crl-verify /etc/openvpn/crl.pem

After restarting the service via systemctl and attaching to the logs via journalctl, I start doing connection attempts for client certificates that should be valid and have not been revoked.

What I see on the logs then is the following:

TLS: Initial packet from [AF_INET]<IP-REDACTED>:52786, sid=e545b723 a0690e44
<IP-REDACTED>:52786 VERIFY WARNING: depth=0, unable to get certificate CRL: CN=<COMMON-NAME-OF-VALID-CLIENT>
<IP-REDACTED>:52786 VERIFY WARNING: depth=1, unable to get certificate CRL: CN=<COMMON-NAME-OF-CA>
<IP-REDACTED>:52786 VERIFY ERROR: CRL not loaded
<IP-REDACTED>:52786 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
<IP-REDACTED>:52786 TLS_ERROR: BIO read tls_read_plaintext error
<IP-REDACTED>:52786 TLS Error: TLS object -> incoming plaintext read error
<IP-REDACTED>:52786 TLS Error: TLS handshake failed

which essentially tells me that

  • the client is able to contact the VPN server
  • the server is able to stat crl.pem (otherwise the logs would report that step failing), i.e. the file permissions are good
  • the CRL has not expired
  • using openssl directly to generate a CRL (without the convenience functionality of EasyRSA) yields the same issues
  • the server tries to check for a CRL at both depth levels, i.e. for the client certificate and for the CA, which seems odd to me
  • the logs state that the CRL is not loaded
  • no client is able to connect anymore

What Am I Missing?

I cannot seem to resolve this issue, because neither the logs nor any online guidelines or searches point towards similar issues. Dear experts, am I missing something here?

If you need more details, I will happily provide them. Cheers!
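The following script is an added example and not part of the question or answer. It reproduces, with plain openssl and no EasyRSA, the whole pipeline the question describes (issue client certificates, revoke one, generate the CRL) and then runs the check that `crl-verify` hands to OpenSSL: `openssl verify -crl_check`. The two verify errors that matter here are OpenSSL's own: "certificate revoked" (X509_V_ERR_CERT_REVOKED) for the revoked client, and "unable to get certificate CRL" (X509_V_ERR_UNABLE_TO_GET_CRL), the same text seen in the question's log, when no CRL from the leaf's issuer is available. The throwaway CA, the config file `ca.cnf` and the names `Demo CA`, `doe.john.client` and `good.client` are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the question or answer): reproduce the CRL check that
# OpenVPN's crl-verify delegates to OpenSSL, using a throwaway CA built with
# plain openssl (no EasyRSA) in a temporary directory. Every name below
# (Demo CA, doe.john.client, good.client, ca.cnf) is constructed for the demo.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Minimal 'openssl ca' configuration, constructed for this example. The CA
# gets cRLSign in its keyUsage: OpenSSL rejects a CRL whose issuer lacks it.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_crl_days = 30
policy           = any_pol
[ any_pol ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
mkdir newcerts
: > index.txt
echo 01 > serial
echo 01 > crlnumber

# CA certificate (EC keys keep the run fast), then two client certs signed by it.
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -config ca.cnf -subj "/CN=Demo CA" -days 365 -keyout ca.key -out ca.crt 2>/dev/null
for cn in doe.john.client good.client; do
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -config ca.cnf -subj "/CN=$cn" -keyout "$cn.key" -out "$cn.csr" 2>/dev/null
  openssl ca -batch -config ca.cnf -days 30 -notext \
    -in "$cn.csr" -out "$cn.crt" 2>/dev/null
done

# Revoke one client and issue the CRL: the openssl equivalent of
# './easyrsa revoke doe.john.client' followed by './easyrsa gen-crl'.
openssl ca -config ca.cnf -revoke doe.john.client.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null

# Sanity check before copying crl.pem to the VPN server: the CRL issuer must be
# the CA that signed the client certs, otherwise OpenSSL cannot use it.
crl_issuer_matches_ca() {   # $1 = CRL file, $2 = CA cert; prints yes/no
  iss=$(openssl crl -noout -issuer -in "$1" | sed 's/^issuer=//')
  sub=$(openssl x509 -noout -subject -in "$2" | sed 's/^subject=//')
  [ "$iss" = "$sub" ] && echo yes || echo no
}

# The check crl-verify asks OpenSSL to perform: build the chain, then look the
# leaf up in a CRL from its issuer. Prints OK, REVOKED, NO_CRL or FAIL.
crl_status() {   # $1 = client cert, $2 = CRL file ("" = no CRL available)
  if [ -n "$2" ]; then
    out=$(openssl verify -crl_check -CAfile ca.crt -CRLfile "$2" "$1" 2>&1 || true)
  else
    out=$(openssl verify -crl_check -CAfile ca.crt "$1" 2>&1 || true)
  fi
  case "$out" in
    *"certificate revoked"*)           echo REVOKED ;;   # X509_V_ERR_CERT_REVOKED
    *"unable to get certificate CRL"*) echo NO_CRL ;;    # X509_V_ERR_UNABLE_TO_GET_CRL
    *": OK"*)                          echo OK ;;
    *)                                 echo FAIL ;;
  esac
}

echo "CRL issuer matches CA:    $(crl_issuer_matches_ca crl.pem ca.crt)"
echo "good.client with CRL:     $(crl_status good.client.crt crl.pem)"
echo "doe.john.client with CRL: $(crl_status doe.john.client.crt crl.pem)"
echo "good.client, no CRL:      $(crl_status good.client.crt "")"
```

On a real server the same one-liner, pointed at the deployed files (`openssl verify -crl_check -CAfile ca.crt -CRLfile /etc/openvpn/crl.pem client.crt`, run as the user OpenVPN drops privileges to), separates a CRL that OpenSSL itself rejects from a problem in the OpenVPN or OpenSSL build on that host: if the leaf verifies as OK or "certificate revoked" here but OpenVPN still logs "CRL not loaded", the CRL file is not the culprit.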

Best Answer

After a lot of back and forth, there now is a solution. I am not aware of any deeper details, but:

  • My existing VPN entry server was still running on CentOS, which has been out of support for quite a few months now.
  • I only stumbled upon this during my update routines and had obviously failed to update the VPN entry server in the past couple of runs, which is really bad.
  • Now I have moved the setup to Rocky Linux 9, and with the CRL, server configs and their locations unchanged, the CRL is loaded properly.

Key finding: make sure not to forget any servers in your update routines, especially the critical/important ones.
