openvpn: crl has expired?

Ganesh asked:

We have an OpenVPN in our aws setup which was set up by a client and now they are not able to connect to open vpn say “crl has expired” .
We are trying to regenerate the crl but to do that we need to go to the easy-rsa folder and there I need to run following command:

  • cd path/to/easy-rsa/directory
  • here need to run the following command
./easy-rsa crl-gen
  • but here the problem is the easy-rsa script file inside the easy-rsa directory is missing and without that we will not be able to generate the
    crl.
Tue Aug 27 10:25:17 2019 122.166.3.167:18363 VERIFY ERROR: depth=0, error=CRL has expired: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=pkoparde, name=EasyRSA, [email protected]
Tue Aug 27 10:25:17 2019 122.166.3.167:18363 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Tue Aug 27 10:25:17 2019 122.166.3.167:18363 TLS_ERROR: BIO read tls_read_plaintext error
Tue Aug 27 10:25:17 2019 122.166.3.167:18363 TLS Error: TLS object -> incoming plaintext read error
Tue Aug 27 10:25:17 2019 122.166.3.167:18363 TLS Error: TLS handshake failed
Tue Aug 27 10:25:17 2019 122.166.3.167:18363 SIGUSR1[soft,tls-error] received, client-instance restarting

Can anyone please help me with this, This is a production server issue ?

My answer:


easy-rsa is packaged already for most Linux distributions. Just install it from your package manager.

For example:

sudo apt install easy-rsa

You should run easy-rsa installed from your distribution packages as easy-rsa, not ./easy-rsa.


View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.