OpenVPN CRL Verification Fails



  • For an SSL/TLS + UserAuth OpenVPN Remote Access Server, I have tried revoking a user certificate but it is still able to connect. The certificates are issued by an ICA (the CA and ICA are both created on and present in pfSense) and the CRL is selected as the Peer Certificate Revocation List.
    I went into /var/etc/[servername].conf and verified that crl-verify was present and pointing to the correct file. I then verified using OpenSSL on a different machine that the cert was indeed revoked according to the CRL.
    Any ideas why OpenVPN seems to be ignoring the CRL? The only thing in the logs I found was immediately after a server reboot:

    Oct 12 11:45:26 pfSense openvpn[29449]: [IP]:[PORT] VERIFY WARNING: depth=0, unable to get certificate CRL: CN=[USER CN], C=US, ST=[ST], L=[CITY], O=[ORG], OU=[ORG UNIT]
    Oct 12 11:45:26 pfSense openvpn[29449]: [IP]:[PORT] VERIFY WARNING: depth=1, unable to get certificate CRL: CN=[ICA CN], C=US, ST=[ST], L=[CITY], O=[ORG], OU=[ORG UNIT]
    Oct 12 11:45:26 pfSense openvpn[29449]: [IP]:[PORT] VERIFY WARNING: depth=2, unable to get certificate CRL: CN=[ROOT CN], C=US, ST=[ST], L=[CITY], O=[ORG], OU=[ORG UNIT]
    Oct 12 11:45:26 pfSense openvpn[29449]: [IP]:[PORT] VERIFY SCRIPT OK: depth=2, CN=[ROOT CN], C=US, ST=[ST], L=[CITY], O=[ORG], OU=[ORG UNIT]
    Oct 12 11:45:26 pfSense openvpn[29449]: [IP]:[PORT] VERIFY OK: depth=2, CN=[ROOT CN], C=US, ST=[ST], L=[CITY], O=[ORG], OU=[ORG UNIT]
    Oct 12 11:45:26 pfSense openvpn[29449]: [IP]:[PORT] VERIFY SCRIPT OK: depth=1, CN=[ICA CN], C=US, ST=[ST], L=[CITY], O=[ORG], OU=[ORG UNIT]
    Oct 12 11:45:26 pfSense openvpn[29449]: [IP]:[PORT] VERIFY OK: depth=1, CN=[ICA CN], C=US, ST=[ST], L=[CITY], O=[ORG], OU=[ORG UNIT]
    Oct 12 11:45:26 pfSense openvpn[29449]: [IP]:[PORT] VERIFY SCRIPT OK: depth=0, CN=[USER CN], C=US, ST=[ST], L=[CITY], O=[ORG], OU=[ORG UNIT]
    Oct 12 11:45:26 pfSense openvpn[29449]: [IP]:[PORT] VERIFY OK: depth=0, CN=[USER CN], C=US, ST=[ST], L=[CITY], O=[ORG], OU=[ORG UNIT]
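
A log check for the pattern in the post above, added here as an example and not part of the original post: it flags handshakes where the client certificate got `VERIFY OK` at depth 0 after an `unable to get certificate CRL` warning for that same certificate. The function name, addresses and subject names are illustrative, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Syslog form shown in the post: openvpn[PID]: PEER VERIFY <kind>: depth=N, <rest>
LINE_RE = re.compile(
    r"openvpn\[(?P<pid>\d+)\]: (?P<peer>\S+) "
    r"VERIFY (?P<kind>WARNING|SCRIPT OK|OK|ERROR): "
    r"depth=(?P<depth>\d+), (?P<rest>.*)$"
)
CRL_MISSING = "unable to get certificate CRL: "

# Constructed sample lines (not taken from a real system).
SAMPLE = """\
Oct 12 11:45:26 fw openvpn[29449]: 198.51.100.7:50111 VERIFY WARNING: depth=0, unable to get certificate CRL: CN=alice, O=Example
Oct 12 11:45:26 fw openvpn[29449]: 198.51.100.7:50111 VERIFY WARNING: depth=1, unable to get certificate CRL: CN=Example ICA, O=Example
Oct 12 11:45:26 fw openvpn[29449]: 198.51.100.7:50111 VERIFY OK: depth=1, CN=Example ICA, O=Example
Oct 12 11:45:26 fw openvpn[29449]: 198.51.100.7:50111 VERIFY OK: depth=0, CN=alice, O=Example
Oct 12 11:46:02 fw openvpn[29449]: 203.0.113.9:40222 VERIFY OK: depth=1, CN=Example ICA, O=Example
Oct 12 11:46:02 fw openvpn[29449]: 203.0.113.9:40222 VERIFY OK: depth=0, CN=bob, O=Example
""".splitlines()


def find_unchecked_accepts(lines):
    """Return one finding per handshake whose leaf certificate (depth=0)
    got VERIFY OK after a CRL-unavailable warning for that certificate."""
    pending = defaultdict(dict)  # (pid, peer) -> {depth: subject}
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        key = (m["pid"], m["peer"])
        depth, rest = int(m["depth"]), m["rest"]
        if m["kind"] == "WARNING" and rest.startswith(CRL_MISSING):
            pending[key][depth] = rest[len(CRL_MISSING):]
        elif m["kind"] == "ERROR":
            pending.pop(key, None)  # handshake rejected, nothing was accepted
        elif m["kind"] == "OK" and depth == 0:
            missing = pending.pop(key, {})
            if 0 in missing:
                findings.append({"peer": m["peer"], "subject": rest,
                                 "depths_without_crl": sorted(missing)})
    return findings


if __name__ == "__main__":
    for finding in find_unchecked_accepts(SAMPLE):
        print(finding)
```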