Netgate Discussion Forum
    OpenVPN CRL Verification Fails

      MatthewA1

      For an SSL/TLS + UserAuth OpenVPN Remote Access Server, I have tried revoking a user certificate but it is still able to connect. The certificates are issued by an ICA (the CA and ICA are both created on and present in pfSense) and the CRL is selected as the Peer Certificate Revocation List.
      I went into /var/etc/[servername].conf and verified that crl-verify was present and pointing to the correct file. I then verified using OpenSSL on a different machine that the cert was indeed revoked according to the CRL.
      Any ideas why OpenVPN seems to be ignoring the CRL? The only thing in the logs I found was immediately after a server reboot:

      Oct 12 11:45:26 pfSense openvpn[29449]: [IP]:[PORT] VERIFY WARNING: depth=0, unable to get certificate CRL: CN=[USER CN], C=US, ST=[ST], L=[CITY], O=[ORG], OU=[ORG UNIT]
      Oct 12 11:45:26 pfSense openvpn[29449]: [IP]:[PORT] VERIFY WARNING: depth=1, unable to get certificate CRL: CN=[ICA CN], C=US, ST=[ST], L=[CITY], O=[ORG], OU=[ORG UNIT]
      Oct 12 11:45:26 pfSense openvpn[29449]: [IP]:[PORT] VERIFY WARNING: depth=2, unable to get certificate CRL: CN=[ROOT CN], C=US, ST=[ST], L=[CITY], O=[ORG], OU=[ORG UNIT]
      Oct 12 11:45:26 pfSense openvpn[29449]: [IP]:[PORT] VERIFY SCRIPT OK: depth=2, CN=[ROOT CN], C=US, ST=[ST], L=[CITY], O=[ORG], OU=[ORG UNIT]
      Oct 12 11:45:26 pfSense openvpn[29449]: [IP]:[PORT] VERIFY OK: depth=2, CN=[ROOT CN], C=US, ST=[ST], L=[CITY], O=[ORG], OU=[ORG UNIT]
      Oct 12 11:45:26 pfSense openvpn[29449]: [IP]:[PORT] VERIFY SCRIPT OK: depth=1, CN=[ICA CN], C=US, ST=[ST], L=[CITY], O=[ORG], OU=[ORG UNIT]
      Oct 12 11:45:26 pfSense openvpn[29449]: [IP]:[PORT] VERIFY OK: depth=1, CN=[ICA CN], C=US, ST=[ST], L=[CITY], O=[ORG], OU=[ORG UNIT]
      Oct 12 11:45:26 pfSense openvpn[29449]: [IP]:[PORT] VERIFY SCRIPT OK: depth=0, CN=[USER CN], C=US, ST=[ST], L=[CITY], O=[ORG], OU=[ORG UNIT]
      Oct 12 11:45:26 pfSense openvpn[29449]: [IP]:[PORT] VERIFY OK: depth=0, CN=[USER CN], C=US, ST=[ST], L=[CITY], O=[ORG], OU=[ORG UNIT]
      
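As an added, stand-alone illustration (not from the thread, pfSense or OpenVPN), the script below builds a Root -> ICA -> user chain like the one described, revokes the user certificate through the ICA's CRL, and reduces `openssl verify` to three outcomes: accepted when no CRL check is requested, the same "unable to get certificate CRL" text as the log above when no CRL, or a CRL not issued by the user certificate's issuer (here the root's), is on hand, and "certificate revoked" only when the ICA's own CRL is checked. All names and file paths are constructed; it needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway Root -> ICA -> user PKI
# with openssl, revoke the user cert via an ICA-issued CRL, and classify how
# `openssl verify` reacts with and without CRL checking. All names are constructed.
set -e
q() { "$@" >/dev/null 2>&1; }   # run a command quietly; set -e still aborts on failure

# Minimal `openssl ca` config so CA "$1" (files $1.crt/$1.key) can revoke and issue CRLs.
ca_cnf() {
  : > "$1.idx"; echo 01 > "$1.crlnum"; echo 01 > "$1.serial"
  printf '[ca]\ndefault_ca=x\n[x]\ndatabase=%s.idx\ncrlnumber=%s.crlnum\n' "$1" "$1" > "$1.cnf"
  printf 'serial=%s.serial\ncertificate=%s.crt\nprivate_key=%s.key\n' "$1" "$1" "$1" >> "$1.cnf"
  printf 'default_md=sha256\ndefault_crl_days=30\n' >> "$1.cnf"
}

setup_pki() {
  cd "$(mktemp -d)"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
  # Self-signed root, then an intermediate CA (ICA) signed by it.
  q openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt -subj /CN=Demo-Root -days 30
  q openssl req -newkey rsa:2048 -nodes -keyout ica.key -out ica.csr -subj /CN=Demo-ICA
  q openssl x509 -req -in ica.csr -CA root.crt -CAkey root.key -CAcreateserial -extfile ca.ext -out ica.crt -days 30
  # User certificate issued by the ICA (the kind a VPN client would present).
  q openssl req -newkey rsa:2048 -nodes -keyout user.key -out user.csr -subj /CN=demo-user
  q openssl x509 -req -in user.csr -CA ica.crt -CAkey ica.key -CAcreateserial -out user.crt -days 30
  cat root.crt ica.crt > chain.pem
  # The ICA revokes the user cert and issues its CRL; the root issues an (empty) CRL of its own.
  ca_cnf ica; q openssl ca -config ica.cnf -revoke user.crt; q openssl ca -config ica.cnf -gencrl -out ica.crl
  ca_cnf root; q openssl ca -config root.cnf -gencrl -out root.crl
}

# Run `openssl verify` on user.crt with extra options and reduce the result to one token.
verify_user() {
  out=$(openssl verify -CAfile chain.pem "$@" user.crt 2>&1 || true)
  case "$out" in
    *"certificate revoked"*)           echo revoked ;;
    *"unable to get certificate CRL"*) echo no-crl-for-issuer ;;   # same text as the VERIFY WARNING
    *": OK"*)                          echo accepted ;;
    *)                                 echo "other: $out" ;;
  esac
}

setup_pki
echo "no CRL check:                  $(verify_user)"                                # accepted
echo "CRL check, no CRL file:        $(verify_user -crl_check)"                     # no-crl-for-issuer
echo "CRL check, root's CRL only:    $(verify_user -crl_check -CRLfile root.crl)"   # no-crl-for-issuer
echo "CRL check, ICA's CRL:          $(verify_user -crl_check -CRLfile ica.crl)"    # revoked
```

The third case is the one to check in an ICA setup: a CRL that exists and is correctly referenced still does nothing for the user certificate unless it was issued by the same CA that issued that certificate.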
        Landr5

        It is likely that your VPN interface isn't enabled in pfSense. Open Interfaces and select the VPN interface that you added to System > Routing > Gateways and click the Enable box. Click Save.

        Navigate to Status > OpenVPN and restart the service. It should show a green check mark and show local, virtual, and remote host addresses.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.