Netgate Discussion Forum

    No Clients Can Connect To OpenVPN Due to CRL Expiry

    17 Posts 10 Posters 7.5k Views
    • W
      Woody 1 @jimp
      last edited by Woody 1

      @jimp

      I ran into exactly this problem today. No longer able to make an OpenVPN connection to my pfSense, and the error in the log read:

      Aug 17 14:23:43 pfSense openvpn[75777]: XX.XX.XX.XX:47729 VERIFY ERROR: depth=0, error=CRL has expired: C=NL, ST=NH, L=MyTown, O=MyCompany, emailAddress=me@somewhere.nl, CN=Pete, serial=10
      Aug 17 14:23:43 pfSense openvpn[75777]: XX.XX.XX.XX:47729 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

      I created a new CRL, with the default 9999 days expiry, pointed the OpenVPN server to it but still no joy.

      I then created another new CRL, but this time with a 999 days expiry. That got me back in business.

      Tried a bit more and it turns out that the default, 9999 days, no longer works. Any other value up to and including 9998 days does the trick.

      I think @mmulqueen above hit the nail on the head when they found it has something to do with today being 9999 days away from Jan 1st, 2050. I'll try 9998 days tomorrow and see if that gives me the same problem then :-)

      I did upgrade from CE 2.5.x to 2.6.0 last week, but IIRC I tested OpenVPN as usual after an update. This morning I made a config change in OpenVPN as I was playing with IPv6 after which OpenVPN stopped working.

      BTW, I'm using Intel Core i5-7200 based hardware

      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        I created a Redmine entry for this (https://redmine.pfsense.org/issues/13424) and I'll be working on a fix shortly. When I have one, I'll also create an entry in the System Patches package for it.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • E
          e_404
          last edited by

          Well, add me to the line. Exactly the same issue occurred today after I updated the CRL (in ver. 2.4.5-p1). Sudden loss of VPN connections of all clients, and OpenVPN stating the CRL had expired during initialization on re-connection. Realized what's going on after I saw 'next update=1st of Jan 1950' in the CRL properties. Had to create a new list with shorter validity; after this, things got back to normal. Dates roooollin' (over).... :)

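The 9999-day default that Woody 1 and e_404 describe rolling over to 1950 can be modelled in a few lines. This is an added example, not pfSense or OpenVPN code: it shows what happens when a CRL nextUpdate on or after 1 Jan 2050 is written as ASN.1 UTCTime, whose two-digit year RFC 5280 (section 4.1.2.5.1) defines as covering 1950 to 2049 only. The issue timestamp is constructed from the log line quoted above, with the year assumed to be 2022.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# RFC 5280: a UTCTime year YY >= 50 means 19YY, YY < 50 means 20YY.
UTCTIME_PIVOT = 50


def encode_utctime(dt: datetime) -> str:
    """Write a datetime as UTCTime (YYMMDDHHMMSSZ), dropping the century."""
    return dt.strftime("%y%m%d%H%M%SZ")


def decode_utctime(value: str) -> datetime:
    """Read UTCTime back with the RFC 5280 century rule a verifier applies."""
    yy = int(value[0:2])
    year = (1900 if yy >= UTCTIME_PIVOT else 2000) + yy
    return datetime(year, int(value[2:4]), int(value[4:6]), int(value[6:8]),
                    int(value[8:10]), int(value[10:12]), tzinfo=UTC)


def crl_next_update(issued: datetime, lifetime_days: int):
    """Return (intended nextUpdate, nextUpdate as seen through UTCTime)."""
    intended = issued + timedelta(days=lifetime_days)
    return intended, decode_utctime(encode_utctime(intended))


def crl_appears_expired(issued: datetime, lifetime_days: int, now: datetime) -> bool:
    """True when the encoded nextUpdate already reads as being in the past."""
    return crl_next_update(issued, lifetime_days)[1] < now


def max_safe_lifetime_days(issued: datetime) -> int:
    """Largest whole-day lifetime that keeps nextUpdate before 2050-01-01."""
    remaining = datetime(2050, 1, 1, tzinfo=UTC) - issued
    whole_days = remaining == timedelta(days=remaining.days)
    return remaining.days - 1 if whole_days else remaining.days


# Constructed from the thread's log timestamp "Aug 17 14:23:43"; year assumed.
ISSUED = datetime(2022, 8, 17, 14, 23, 43, tzinfo=UTC)

if __name__ == "__main__":
    for days in (9999, 9998, 999):
        intended, seen = crl_next_update(ISSUED, days)
        print(f"{days} days: intended {intended:%Y-%m-%d}, read back as {seen:%Y-%m-%d}, "
              f"expired={crl_appears_expired(ISSUED, days, ISSUED)}")
    print("max safe lifetime from issue date:", max_safe_lifetime_days(ISSUED))
```

With the assumed issue date, 9999 days lands exactly on 2050-01-01 and reads back as 1950, while 9998 days is the largest value that still decodes correctly, matching what the thread reports.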
          • jimpJ
            jimp Rebel Alliance Developer Netgate
            last edited by

            I merged the fix in yesterday evening.

            You can install the System Patches package and then create an entry for a3c1589086ea67d25a28ec14ab95d7fd9ab25fa2 to apply the fix.

            It will be added as a "Recommended Patch" in the System Patches package soon, but in the meantime it is safe to add a manual entry to obtain the fix now.


            • jeffreynJ
              jeffreyn @jimp
              last edited by

              Thank you @jimp for the speedy patch on this. I am in the middle of a rollout to end users and got hit this morning when I made a configuration change. I applied the patch and re-saved the OpenVPN configuration and I'm back up now. Thank you again.

              • W
                Woody 1 @jimp
                last edited by

                @jimp

                And thanks from me too! I applied the patch as per your instructions (did not even know about the 'patches' package) and OpenVPN is working fine again. pfSense is a brilliantly supported firewall 👍

                • S
                  Stux
                  last edited by

                  Just another 👍

                  Started hearing from WFHers that the VPN was down.

                  Figured out the CRL was reporting 1950 as next update, and found this post.

                  The system patch package is worth knowing about :)

                  OpenVPN restored after installing patch, and reloading the service. Great.

                  Thanks

                  • V
                    vbredjp
                    last edited by

                    Got this problem today, was pulling my hair out over why my OpenVPN server was not working, and found this topic.
                    Reduced the CRL time to 200 days and that fixed it. Thank you.

                    • W
                      why @vbredjp
                      last edited by

                      @vbredjp @jimp @mmulqueen

                      Would also like to add my gratitude for quick identification and patch solution for this issue.

                      It bit me yesterday and I could not see what was wrong with the path I had trodden many times before in setting up a link. Discovered this solution and the patch fixed it. Thank you.

                      • D
                        dougs
                        last edited by

                        Got bit by this bug when our firewall rebooted due to a power blackout after being up for 187 days. Was so glad to come across this System Patches and be able to apply the needed patch and get back up quickly! pfSense is a great firewall product!

                        • F
                          flat4
                          last edited by

                          Just ran into this since I had not used my VPN. Thanks to everyone, it got me fixed up.

                          • jeffreynJ
                            jeffreyn @jimp
                            last edited by

                            @jimp I applied the patch when it was released. I'm reading the release notes for 23.01 and see Issue #13424 has been addressed in the new version. Do I need to do anything like remove the patch before or after I upgrade? Or does everything take care of itself?

                            • jimpJ
                              jimp Rebel Alliance Developer Netgate @jeffreyn
                              last edited by

                              @jeffreyn said in No Clients Can Connect To OpenVPN Due to CRL Expiry:

                              @jimp I applied the patch when it was released. I'm reading the release notes for 23.01 and see Issue #13424 has been addressed in the new version. Do I need to do anything like remove the patch before or after I upgrade? Or does everything take care of itself?

                              You do not need to do anything with the patch after upgrading. You can delete the entry from the system patches package.


                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.