Netgate Discussion Forum
    constraint check failed: RULE_CRL_VALIDATION is STALE, but requires at least GOOD

    3 Posts 1 Posters 654 Views
lst_hoe:

After upgrade from 2.4.5 to 21.02 our IPSEC VPN tunnels stop working after a while with "constraint check failed: RULE_CRL_VALIDATION is STALE, but requires at least GOOD". We have certificate-based (EAP-TLS) mobile IPSEC clients, and with this error none of them are working. We use an internal CA created on the firewall and have a matching CRL with a lifetime of 999 days; this has worked with 2.4.5 without trouble. With 21.02, after around a day the mentioned error is thrown and all EAP-TLS based tunnels don't work any more.
      Of course we have set the "Enable strict Certificate Revocation List checking", but with lifetime of 999 days we should not get in trouble after a day, no?

lst_hoe:

        Checking the CRL with openssl works as expected:

        Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: <my-CA>
        Last Update: Oct 1 14:05:53 2020 GMT
        Next Update: Jun 27 14:05:53 2023 GMT
        CRL extensions:
        X509v3 Authority Key Identifier:
        keyid:52:DA:02:E9:38:87:9C:6F:AB:53:1F:DB:58:C1:6A:C9:67:33:96:45
        DirName: <CN>
        serial:00

So should I create a ticket (bug), or have I missed something obvious?

lst_hoe:

          From documentation:

          "Strict CRL Checking
          When set, the IPsec daemon requires availability of a fresh CRL for peer authentication based on certificate signatures to succeed. Primarily useful when the CRL is obtained dynamically (e.g. OCSP)."

So what does "fresh" mean? From my point of view this should be a "Next Update" which is not in the past, no? Or should this only be used with OCSP, and there is a static time after which we need a fresh CRL?

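The poster's reading of "fresh" (a CRL whose Next Update has not passed) can be checked mechanically against the same `openssl crl -noout -text` dump quoted above. The script below is an added example, not code from the thread, pfSense or strongSwan: it parses the Last Update / Next Update lines of that text form, computes the CRL lifetime, and classifies the CRL as GOOD or STALE for a given point in time under that reading. `SAMPLE_CRL_TEXT` is a constructed dump with a placeholder issuer and key id (only the two validity dates mirror the thread), and the function names are this example's own. Treating a CRL without a Next Update field as STALE is an assumption made here, since its freshness cannot be judged.

```python
import re
from datetime import datetime, timezone

# Constructed sample (not the poster's real CRL): the validity lines mirror the
# openssl "crl -text" dump quoted in the thread; issuer and key id are placeholders.
SAMPLE_CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=example-internal-ca
        Last Update: Oct  1 14:05:53 2020 GMT
        Next Update: Jun 27 14:05:53 2023 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
"""

_OPENSSL_DATE = "%b %d %H:%M:%S %Y GMT"


def _parse_openssl_time(value):
    # openssl pads single-digit days with two spaces ("Oct  1"); collapse them
    # before strptime so the "%d" directive sees a normal token.
    normalized = " ".join(value.split())
    return datetime.strptime(normalized, _OPENSSL_DATE).replace(tzinfo=timezone.utc)


def parse_crl_validity(text):
    """Return (last_update, next_update) from an openssl crl -text dump.

    next_update is None when the CRL carries no Next Update line (the field
    is optional in RFC 5280).
    """
    last = re.search(r"^\s*Last Update:\s*(.+?)\s*$", text, re.M)
    if not last:
        raise ValueError("no 'Last Update' line found in CRL text")
    nxt = re.search(r"^\s*Next Update:\s*(.+?)\s*$", text, re.M)
    return (
        _parse_openssl_time(last.group(1)),
        _parse_openssl_time(nxt.group(1)) if nxt else None,
    )


def crl_lifetime_days(text):
    """Whole days between Last Update and Next Update, or None if no Next Update."""
    last, nxt = parse_crl_validity(text)
    if nxt is None:
        return None
    return (nxt - last).days


def crl_freshness(text, now=None):
    """Classify the CRL as GOOD or STALE under the reading "fresh means the
    Next Update is not in the past": GOOD while last_update <= now < next_update,
    STALE otherwise. `now` may be a timezone-aware datetime or an ISO-8601 string;
    it defaults to the current UTC time. No Next Update is treated as STALE
    (an assumption of this example, chosen as the conservative answer)."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    last, nxt = parse_crl_validity(text)
    if nxt is None or now < last or now >= nxt:
        return "STALE"
    return "GOOD"


def signature_algorithm(text):
    """First Signature Algorithm line of the dump (e.g. to spot SHA-1 signed CRLs)."""
    m = re.search(r"^\s*Signature Algorithm:\s*(\S+)", text, re.M)
    return m.group(1) if m else None


if __name__ == "__main__":
    import sys
    # Pipe a real dump in, e.g.:  openssl crl -in my.crl -noout -text | python3 check_crl.py
    # Without a pipe the constructed sample is used.
    data = SAMPLE_CRL_TEXT if sys.stdin.isatty() else sys.stdin.read()
    print("signature algorithm:", signature_algorithm(data))
    print("lifetime (days):", crl_lifetime_days(data))
    print("status now:", crl_freshness(data))
```

Run against the dates from the thread, the script reports a lifetime of 999 days and GOOD for any date in early 2021, which is the point the poster is making: under the "Next Update in the past" reading, this CRL is nowhere near stale. If the daemon still reports STALE, the staleness is being decided by something other than the Next Update field, which is exactly the question left open in the thread.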
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.