OpenVPN --crl-verify fails with 'keys/crl.pem': No such file or directory

Today I had to generate a new Certification Authority (CA) and all certificates for an OpenVPN server. After restarting it, I found this error in the log files:

Options error: --crl-verify fails with 'keys/crl.pem': No such file or directory
Options error: Please correct these errors.
Use --help for more information.

It turns out easy-rsa had a script to generate a CRL (Certificate Revocation List), but it wasn't present in my (CentOS based) install.

I just had to go to my easy-rsa directory (yours may be different), include the easy-rsa config and run that command:

# cd /etc/openvpn/easy-rsa
# source vars
# openssl ca -gencrl -out ${KEY_DIR}/crl.pem -config $KEY_CONFIG
[...]

After restarting OpenVPN, everything worked fine.

Note, this will also solve problems that show errors similar to:

Thu Mar  6 18:42:09 2014 10.11.12.13:39420 TLS: Initial packet from [AF_INET]10.11.12.13:39420, sid=2494fce7 cfff3a67
Thu Mar  6 18:42:09 2014 10.11.12.13:39420 CRL: cannot read CRL from file keys/crl.pem
Thu Mar  6 18:42:09 2014 10.11.12.13:39420 Exiting due to fatal error

when a client tries to contact the server.
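As an added helper that is not part of the original post: 'keys/crl.pem' is a relative path, so OpenVPN opens it relative to the directory it runs in (the 'cd' directive, if any, otherwise the service's working directory). The functions below resolve the path the same way and report whether the file is there; gen_crl reruns the post's openssl command and prints the CRL's nextUpdate, because OpenVPN also rejects an expired CRL, which easy-rsa's default settings make happen after 30 days. It assumes easy-rsa 2.x style vars (KEY_DIR, KEY_CONFIG), as used in the post.

```shell
# crl_path CONFIG_FILE [BASE_DIR]
# Prints the absolute path OpenVPN will open for --crl-verify. A relative
# path is resolved against the "cd" directive in the config if present,
# otherwise against BASE_DIR (default: the directory of the config file).
crl_path() {
    conf="$1"
    base="${2:-$(dirname "$conf")}"
    # first uncommented "crl-verify" line; ";" and "#" comment lines never match
    crl=$(awk '$1 == "crl-verify" { print $2; exit }' "$conf")
    [ -n "$crl" ] || return 1
    cdopt=$(awk '$1 == "cd" { print $2; exit }' "$conf")
    [ -n "$cdopt" ] && base="$cdopt"
    case "$crl" in
        /*) printf '%s\n' "$crl" ;;
        *)  printf '%s/%s\n' "${base%/}" "$crl" ;;
    esac
}

# crl_status CONFIG_FILE [BASE_DIR]
# Returns 0 when the referenced CRL exists and is readable,
# 1 when the config has no crl-verify line, 2 when the file is missing
# (the situation behind "cannot read CRL from file keys/crl.pem").
crl_status() {
    p=$(crl_path "$1" "$2") || return 1
    [ -r "$p" ] && return 0
    return 2
}

# gen_crl EASYRSA_DIR
# Regenerates the CRL exactly as the post does (KEY_DIR and KEY_CONFIG come
# from easy-rsa's "vars"), then prints its nextUpdate so you can see when it
# must be regenerated again. Run this on the CA machine.
gen_crl() {
    cd "$1" || return 1
    . ./vars
    openssl ca -gencrl -out "${KEY_DIR}/crl.pem" -config "$KEY_CONFIG" \
    && openssl crl -in "${KEY_DIR}/crl.pem" -noout -nextupdate
}
```

If the server's working directory differs from the easy-rsa KEY_DIR, copy the fresh crl.pem to the path crl_path prints, or point crl-verify at an absolute path.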
