ExpressVPN certificates 2 verify fails and then ok
-
I am seeing throughout my logs that openvpn has 2 certificate verify fails and then is successful.
Any ideas why this would be, or how to debug root cause?
Oct 28 04:21:02 openvpn 30052 VERIFY KU OK
Oct 28 04:21:02 openvpn 30052 VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
Oct 28 04:21:02 openvpn 30052 VERIFY WARNING: depth=1, unable to get certificate CRL: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
Oct 28 04:21:02 openvpn 30052 VERIFY WARNING: depth=0, unable to get certificate CRL: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-10963-0a, emailAddress=support@expressvpn.com
-
@gwaitsi
There are no fails, there are just warnings that OpenVPN cannot get the CRLs for the certificates. The CRL (certificate revocation list) path can be included in the certificate. If it isn't, or the URI isn't reachable, you get this warning even though the connection is established, because strict CRL verification is not enabled by default in OpenVPN.
-
@viragomann thanks for the info. Should strict CRL verification be enabled for a VPN provider like ExpressVPN? Obviously the certificate is provided by them.
-
@gwaitsi
That makes no sense for a client, I think. The only useful information you could get out of it would be whether the server cert is revoked. And it would require that ExpressVPN provides a CRL on the internet and that OpenVPN can request it. In the client settings you can only state a local CRL, which makes no sense here at all.
You can look in the CA certificate to check whether there is a URL for the CRL stated. But I don't know if OpenVPN requests it.
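The distinction drawn in the replies above (CRL warnings versus an actual verification failure) can be checked mechanically over a log. The following is an added example, not part of the thread or of OpenVPN: it classifies VERIFY lines per process id, using the four lines from the question plus one constructed `VERIFY ERROR` line (hypothetical pid and CN) to show what a rejected certificate would look like.

```python
import re
from collections import Counter, defaultdict

# Sample input: the four lines quoted in the thread, plus one CONSTRUCTED
# VERIFY ERROR line (pid 30099 and its CN are hypothetical) for contrast.
SAMPLE_LOG = """\
Oct 28 04:21:02 openvpn 30052 VERIFY KU OK
Oct 28 04:21:02 openvpn 30052 VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
Oct 28 04:21:02 openvpn 30052 VERIFY WARNING: depth=1, unable to get certificate CRL: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
Oct 28 04:21:02 openvpn 30052 VERIFY WARNING: depth=0, unable to get certificate CRL: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-10963-0a, emailAddress=support@expressvpn.com
Oct 28 05:00:00 openvpn 30099 VERIFY ERROR: depth=0, error=certificate has expired: CN=example-server
"""

LINE_RE = re.compile(r"openvpn (?P<pid>\d+) VERIFY (?P<rest>.+)$")
DETAIL_RE = re.compile(
    r"^(?P<level>ERROR|WARNING): depth=(?P<depth>\d+), (?:error=)?(?P<reason>[^:]+):")

def classify(line):
    """Return (pid, level, depth, reason) for a VERIFY line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    pid, rest = int(m["pid"]), m["rest"]
    d = DETAIL_RE.match(rest)
    if d:  # WARNING = logged but accepted, ERROR = certificate rejected
        return pid, d["level"].lower(), int(d["depth"]), d["reason"]
    if rest.startswith("OK") or rest.endswith(" OK"):  # "OK: depth=..", "KU OK"
        depth = re.search(r"depth=(\d+)", rest)
        return pid, "ok", int(depth[1]) if depth else None, None
    return pid, "unknown", None, None

def summarize(log):
    """Count ok/warning/error VERIFY lines per OpenVPN process id."""
    per_pid = defaultdict(Counter)
    for line in log.splitlines():
        hit = classify(line)
        if hit:
            per_pid[hit[0]][hit[1]] += 1
    return {pid: dict(counts) for pid, counts in per_pid.items()}

def rejected(log):
    """PIDs with at least one VERIFY ERROR, i.e. a chain that really failed."""
    return sorted(pid for pid, c in summarize(log).items() if c.get("error"))

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print("rejected:", rejected(SAMPLE_LOG))
```

For the lines from the question, the summary shows only `ok` and `warning` entries for pid 30052, which matches the answer that nothing actually failed.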