Netgate Discussion Forum

    CRL is not yet valid

    OpenVPN
opana

I faced the problem discussed here: CRL has expired.

I reissued the CRL with a different expiration date, added it to the OVPN settings, installed a patch, and everything worked.

But if I turn the pfSense server off and then on again, it is impossible to connect to the OVPN server with the CRL configured.

      TLS Error: TLS handshake failed
      TLS Error: TLS object -> incoming plaintext read error
      TLS_ERROR: BIO read tls_read_plaintext error
      OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
      VERIFY ERROR: depth=0, error=CRL is not yet valid: CN=
      

If I restart the VPN service or the entire pfSense server, the VPN clients connect. The error appears only after a complete shutdown.

I did the check on a test server, 2.6.0-RELEASE (amd64), in a VirtualBox virtual machine.

I can't test it on real hardware; there the CRL is temporarily disabled.

jimp (Rebel Alliance Developer, Netgate)

        Sounds like maybe your system has a clock problem, like the time on the hypervisor host is way off.

At boot the VM would take the initial time from the hypervisor; later, after boot, it would eventually do a time sync and get a more accurate time. If the clock in the hypervisor was way ahead (e.g. set to UTC but the VM clock is set to a local time zone) it could have a similar result to what you are seeing.


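jimp's diagnosis, worked through in code as an added example that is not part of this thread or of pfSense/OpenVPN: CheckCRLWindow applies the same thisUpdate/nextUpdate comparison OpenSSL makes before reporting "CRL is not yet valid" or "CRL has expired", and NewTestCRL (a hypothetical fixture builder with a constructed throwaway CA, not a real one) produces a CRL so that a clock set before the CRL's issue time, as a VM booting from a lagging hypervisor clock would have, can be seen to fail the check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CheckCRLWindow compares a CRL's thisUpdate/nextUpdate window against the clock the
// verifier is actually running on, returning OpenSSL's VERIFY ERROR wording or "ok".
func CheckCRLWindow(crl *x509.RevocationList, now time.Time) string {
	if now.Before(crl.ThisUpdate) { // VM clock behind the CRL's issue time
		return "CRL is not yet valid"
	}
	if !crl.NextUpdate.IsZero() && now.After(crl.NextUpdate) { // CRL lifetime ran out
		return "CRL has expired"
	}
	return "ok"
}

// NewTestCRL builds a throwaway CA and an empty CRL issued at thisUpdate with a
// one-year lifetime. Constructed test data only (assumed names), not a real CA.
func NewTestCRL(thisUpdate time.Time) *x509.RevocationList {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test-ca"}, SubjectKeyId: []byte{1, 2, 3, 4},
		NotBefore: thisUpdate.Add(-time.Hour), NotAfter: thisUpdate.Add(2 * 365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, IsCA: true, BasicConstraintsValid: true,
	}
	// Parse the issued cert back so RawSubject and the SKID extension are populated for CRL signing.
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
	crlDER := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: thisUpdate, NextUpdate: thisUpdate.Add(365 * 24 * time.Hour),
	}, ca, key))
	return must(x509.ParseRevocationList(crlDER))
}

// must panics on error; acceptable here because NewTestCRL only builds a fixture.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
```

Until the guest's NTP sync lands after boot, a VM whose hypervisor clock sits before thisUpdate stays in the first branch, which is the symptom seen only after a full power-off.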
opana @jimp

          @jimp Yes, that is right.

          Thanks

          It's strange that it didn't show up before. This VM is over a year old. It was constantly on/off.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.