OpenVPN – Validating CRL on Client Certificate

Tags: openssl, openvpn, pki

I'm running OpenVPN on a hardware router running OpenWRT. Every time a client connects I get the following error in the logs:

VERIFY WARNING: depth=0, unable to get certificate CRL

I've got a 2 level CA with both levels publishing CRLs and the merged CRL available on the router and OpenVPN making use of it.

I'm confused about why OpenVPN is trying to get the CRL at depth 0, which is the client certificate. It doesn't complain about depths 1 and 2 which indicates my CRL file is fine …

Best Answer

It seems that later versions of OpenVPN don't understand multiple PEM-encoded CRLs in one file.

If you edit your CRL file so that it contains only the CRL of the client certificate's issuing CA, you'll see that you won't get errors for depth=0 and will instead get an error for depth=1. You'll probably get the same results if you swap the order of the CRLs in your current file.

To resolve this on later versions of OpenVPN you should use the --capath option:

--capath dir

Directory containing trusted certificates (CAs and CRLs). Not available with mbed TLS.

Place all your CA certificates and the CRLs generated by your CAs in a directory pointed to by the --capath option. Remember to remove the --ca option.

Run c_rehash <path to certs and CRLs> to generate a hash of the certificates and their CRLs.

Restart OpenVPN and you should find your logs are devoid of CRL warnings.

Note: You should never get a CRL warning for depth=2 (your root CA) as it will be a self-signed certificate and a CRL for one of those is pointless because it would be signed by itself. But it seems that if you omit the root CA's CRL, it shows a verify warning for itself (depth=2) as well as for the certificate it issued (the intermediate CA at depth=1). It should only show a warning for the latter.
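As an added example (not code from the answer above), the following POSIX shell script does the two steps the answer describes: it splits a merged PEM CRL bundle into one file per CRL and then builds the --capath directory with the same hash links c_rehash would create, using only the openssl CLI, which helps on an OpenWrt router where c_rehash may not be installed. The bundle file name and the target directory are assumptions; copy your CA certificates into that directory before running it.

```shell
#!/bin/sh
# Added example: split a merged CRL bundle and build an OpenSSL --capath dir.
# OpenVPN's --capath lookup expects <hash>.0 for certificates and <hash>.r0
# for CRLs, one object per file; a multi-CRL PEM file is not indexed.
set -eu

# split_crl_bundle BUNDLE OUTDIR: writes OUTDIR/crl-N.pem per CRL block and
# prints the number of CRLs found (0 when the bundle has none).
split_crl_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /^-----BEGIN X509 CRL-----/ { n++; out = dir "/crl-" n ".pem" }
        n > 0                       { print > out }
        /^-----END X509 CRL-----/   { close(out) }
        END                         { print n + 0 }
    ' "$bundle"
}

# build_capath DIR: for every *.pem in DIR create the subject-hash link that
# OpenSSL's by-directory lookup uses (certs -> <hash>.N, CRLs -> <hash>.rN).
build_capath() {
    dir=$1
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || continue
        if grep -q '^-----BEGIN X509 CRL-----' "$f"; then
            h=$(openssl crl -in "$f" -hash -noout); ext=r
        else
            h=$(openssl x509 -in "$f" -hash -noout); ext=
        fi
        i=0   # same issuer hash for cert and CRL chains: bump the suffix
        while [ -L "$dir/$h.$ext$i" ] &&
              [ "$(readlink "$dir/$h.$ext$i")" != "$(basename "$f")" ]; do
            i=$((i + 1))
        done
        ln -sf "$(basename "$f")" "$dir/$h.$ext$i"
    done
}

# check_chain CAPATH CLIENTCERT: succeeds only if every level of the chain
# verifies against a CRL present in CAPATH (what OpenVPN needs at each depth).
check_chain() {
    openssl verify -CApath "$1" -crl_check_all "$2" >/dev/null 2>&1
}

# Usage (assumed paths): sh build-capath.sh merged-crl.pem /etc/openvpn/capath
if [ $# -eq 2 ]; then
    n=$(split_crl_bundle "$1" "$2")
    build_capath "$2"
    echo "split $n CRL(s) and hashed $2"
fi
```

Point OpenVPN at the directory with --capath, drop --ca, and check_chain against a client certificate should pass before you restart the service.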