constraint check failed: RULE_CRL_VALIDATION is STALE, but requires at least GOOD
-
After upgrade from 2.4.5 to 21.02 our IPSEC VPN tunnels stop working after a while with "constraint check failed: RULE_CRL_VALIDATION is STALE, but requires at least GOOD". We have certificate based (EAP-TLS) mobile IPSEC clients and with this error none of them are working. We use an internal CA created on the firewall and have a matching CRL with a lifetime of 999 days; this has worked with 2.4.5 without trouble. With 21.02, after around a day the mentioned error is thrown and all EAP-TLS based tunnels don't work any more.
Of course we have set the "Enable strict Certificate Revocation List checking", but with a lifetime of 999 days we should not get in trouble after a day, no?
-
Checking the CRL with openssl works as expected:

Certificate Revocation List (CRL):
    Version 2 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: <my-CA>
    Last Update: Oct 1 14:05:53 2020 GMT
    Next Update: Jun 27 14:05:53 2023 GMT
    CRL extensions:
        X509v3 Authority Key Identifier:
            keyid:52:DA:02:E9:38:87:9C:6F:AB:53:1F:DB:58:C1:6A:C9:67:33:96:45
            DirName: <CN>
            serial:00

So should I create a ticket (bug) or have I missed something obvious?
-
From documentation:
"Strict CRL Checking
When set, the IPsec daemon requires availability of a fresh CRL for peer authentication based on certificate signatures to succeed. Primarily useful when the CRL is obtained dynamically (e.g. OCSP)."

So what does "fresh" mean? From my point of view this should be a "Next Update" which is not in the past, no? Or should this only be used with OCSP and there is a static time after which we need a fresh CRL?
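The freshness test the question is about, written out as an added example (not from the original post, and not the IPsec daemon's own logic): a CRL is treated as fresh while its Next Update lies in the future, exactly the field the openssl dump above shows. It uses the `cryptography` library and generates a throwaway CA key and CRL inline so it runs offline; the issuer name and dates are constructed test values.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def build_test_crl(issuer_cn, last_update, next_update):
    """Sign an empty CRL with a fresh throwaway RSA key (constructed test data)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)])
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(issuer)
        .last_update(last_update)
        .next_update(next_update)
    )
    crl = builder.sign(private_key=key, algorithm=hashes.SHA256())
    return crl.public_bytes(serialization.Encoding.PEM)


def crl_status(crl_pem, now=None):
    """Return ("GOOD" | "STALE", seconds until Next Update) for a PEM CRL.

    Only the validity window is checked; issuer and signature are assumed
    to have been verified elsewhere.
    """
    crl = x509.load_pem_x509_crl(crl_pem)
    now = now or datetime.now(timezone.utc)
    # cryptography >= 42 exposes tz-aware *_utc properties; older versions
    # return naive UTC datetimes, so normalise both to aware UTC.
    nxt = getattr(crl, "next_update_utc", None)
    if nxt is None:
        nxt = crl.next_update.replace(tzinfo=timezone.utc)
    remaining = (nxt - now).total_seconds()
    return ("GOOD" if remaining > 0 else "STALE", remaining)


if __name__ == "__main__":
    issued = datetime.now(timezone.utc) - timedelta(days=1)
    pem = build_test_crl("test-ca", issued, issued + timedelta(days=999))
    print(crl_status(pem))
```

If the CRL on the firewall passes this check but the daemon still reports STALE, whatever it is evaluating is not the Next Update of that file.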