4

We have an OpenVPN in our AWS setup which was set up by a client, and now they are not able to connect to OpenVPN; it says "CRL has expired". We are trying to regenerate the CRL, but to do that we need to go to the easy-rsa folder, and there I need to run the following command:

  • cd path/to/easy-rsa/directory
  • Here I need to run the following command:
./easy-rsa crl-gen
  • But the problem is that the easy-rsa script file inside the easy-rsa directory is missing, and without it we will not be able to generate the CRL.

Tue Aug 27 10:25:17 2019 122.166.3.167:18363 VERIFY ERROR: depth=0, error=CRL has expired: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=pkoparde, name=EasyRSA, emailAddress=me@myhost.mydomain
Tue Aug 27 10:25:17 2019 122.166.3.167:18363 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Tue Aug 27 10:25:17 2019 122.166.3.167:18363 TLS_ERROR: BIO read tls_read_plaintext error
Tue Aug 27 10:25:17 2019 122.166.3.167:18363 TLS Error: TLS object -> incoming plaintext read error
Tue Aug 27 10:25:17 2019 122.166.3.167:18363 TLS Error: TLS handshake failed
Tue Aug 27 10:25:17 2019 122.166.3.167:18363 SIGUSR1[soft,tls-error] received, client-instance restarting

Can anyone please help me with this? This is a production server issue.

Jenny D
Ganesh

3 Answers

4

easy-rsa is packaged already for most Linux distributions. Just install it from your package manager.

For example:

sudo apt install easy-rsa

You should run easy-rsa installed from your distribution packages as easy-rsa, not ./easy-rsa.

Michael Hampton
2

Download the easy-rsa script again, create a new crl.

Gerald Schneider
1

When you generate a new CRL file at the server to move to the client, use a longer time period with this command (10 years): EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl. For me, I use the script downloaded from their latest release.

xinthose
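
A monitoring check for the failure discussed on this page, added here as an example (not code from any of the answers, nor from the easy-rsa or OpenVPN projects): it reads a CRL's nextUpdate field with `openssl crl` and reports how many days remain, so the CRL can be regenerated before clients start failing with "CRL has expired". The function names and the 14-day warning threshold are assumptions.

```python
import subprocess
import sys
from datetime import datetime, timezone

# Format printed by `openssl crl -noout -nextupdate`, for example
# "nextUpdate=Aug 27 10:25:17 2019 GMT" (constructed sample value).
_FMT = "%b %d %H:%M:%S %Y GMT"


def parse_next_update(openssl_output):
    """Return the CRL's nextUpdate as a timezone-aware UTC datetime."""
    for line in openssl_output.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "nextUpdate":
            # strptime raises ValueError if the value is not a timestamp
            parsed = datetime.strptime(value.strip(), _FMT)
            return parsed.replace(tzinfo=timezone.utc)
    raise ValueError("no nextUpdate line in openssl output")


def classify(next_update, now, warn_days=14):
    """Return (state, whole days left); state is EXPIRED, WARNING or OK.

    warn_days is an assumed threshold; pick one shorter than the CRL
    validity period configured for the CA.
    """
    remaining = next_update - now
    days = remaining.days  # floored, negative once the CRL has expired
    if remaining.total_seconds() <= 0:
        return "EXPIRED", days
    if days < warn_days:
        return "WARNING", days
    return "OK", days


def check_crl(path, warn_days=14):
    """Read nextUpdate from the PEM CRL at `path` and classify it."""
    out = subprocess.run(
        ["openssl", "crl", "-in", path, "-noout", "-nextupdate"],
        check=True, capture_output=True, text=True,
    ).stdout
    now = datetime.now(timezone.utc)
    return classify(parse_next_update(out), now, warn_days)


if __name__ == "__main__":
    # Usage: python3 crl_check.py /path/to/crl.pem
    state, days = check_crl(sys.argv[1])
    print(f"{state}: {days} day(s) until nextUpdate")
    sys.exit(0 if state == "OK" else 1)
```

Run from cron or a monitoring agent against the CRL file the OpenVPN server loads; a non-zero exit status means the CRL is expired or close to expiry.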