Hi:

I have a problem that I could not find using Google nor the openvpn-user mailing list. I've revoked a client certificate using revoke-full:

$ revoke-full fjr001
Using configuration from /home/sistemas/easy-rsa-2.0/openssl.cnf
Adding Entry with serial number 02 to DB for /C=ES/ST=Malaga/L=Malaga/O=Example, S.L./CN=fjr001/emailAddress=webmas...@example.com
Revoking Certificate 02.
Data Base Updated
Using configuration from /home/sistemas/easy-rsa-2.0/openssl.cnf
fjr001.crt: /C=ES/ST=Malaga/L=Malaga/O=Example, S.L./CN=fjr001/emailAddress=webmas...@example.com
error 23 at 0 depth lookup:certificate revoked

But when I added "crl-verify crl.pem" to the OpenVPN configuration on the server, I found that when I restarted OpenVPN, all the other client certificates began to be revoked too:

CRL CHECK OK: /C=ES/ST=Malaga/L=Malaga/O=Ejemplo__S.L./OU=Internet_Services/CN=urano.example.com/emailAddress=siste...@dedaloingenieros.com
VERIFY OK: depth=1, /C=ES/ST=Malaga/L=Malaga/O=Ejemplo__S.L./OU=Internet_Services/CN=urano.example.com/emailAddress=siste...@dedaloingenieros.com
CRL CHECK FAILED: /C=ES/ST=Malaga/L=Malaga/O=Ejemplo__S.L./CN=gam001/emailAddress=webmas...@example.com is REVOKED
TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
SIGUSR1[soft,tls-error] received, client-instance restarting

The only thing that I don't know whether it is good practice is that I created each certificate doing a clean-all before and putting the CA files in the key subdirectory (so index.txt is newly created every time).

Does anybody know where the bug is?

Greets and thanks in advance.

Rafael J. Alcántara Pérez.
--
+----------
| Departamento de Sistemas <siste...@dedaloingenieros.com>
| Landline: 952 602 959
| Fax: 952 602 959
| Address: C/ Afligidos 2, 3º Derecha, 29015 Málaga
| Dédalo Ingenieros, S.L.: http://www.dedaloingenieros.com/
| PGP: http://pgp.rediris.es:11371/pks/lookup?op=index&search=0x1899F325
+---------------------
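A CRL does not name certificates by subject; it lists the serial numbers the issuing CA has revoked, and a verifier (OpenVPN's crl-verify as much as openssl verify -crl_check) treats any certificate from that CA whose serial appears in the list as revoked. The check a practitioner would run on the setup described in the post is therefore to compare each client certificate's serial with the serials the CRL lists. The script below is an added example, not part of the original message or of easy-rsa: it builds a scratch CA with the openssl command-line tool (assumed to be installed), issues certificates with the serial counter reset between two of them the way a fresh index.txt and serial file would, revokes one, and reports which serials the CRL contains and how each certificate fares against it. All CA, file and common names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post). Requires the openssl CLI.
# Every file lives under $WORK, a scratch directory created here.

WORK="${WORK:-$(mktemp -d)}"

# Minimal "openssl ca" configuration for the scratch CA (constructed).
write_cnf() {
    cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca      = demo_ca
[ demo_ca ]
dir             = $WORK
database        = \$dir/index.txt
new_certs_dir   = \$dir
certificate     = \$dir/ca.crt
private_key     = \$dir/ca.key
serial          = \$dir/serial
crlnumber       = \$dir/crlnumber
default_md      = sha256
default_days    = 30
default_crl_days = 30
policy          = policy_any
x509_extensions = v3_client
[ policy_any ]
commonName      = supplied
[ v3_client ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage        = critical, keyCertSign, cRLSign
[ req_dn ]
EOF
}

# What clean-all leaves behind: an empty database and the serial counter at 01.
reset_db() {
    : > "$WORK/index.txt"
    echo 01 > "$WORK/serial"
    echo 01 > "$WORK/crlnumber"
}

init_ca() {
    write_cnf
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
        -out "$WORK/ca.crt" -days 365 -subj "/CN=demo-ca" \
        -config "$WORK/ca.cnf" 2>/dev/null
    reset_db
}

# Issue a client certificate for common name $1; the serial comes from $WORK/serial.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "/CN=$1" -config "$WORK/ca.cnf" 2>/dev/null
    openssl ca -batch -notext -config "$WORK/ca.cnf" \
        -in "$WORK/$1.csr" -out "$WORK/$1.crt" 2>/dev/null
}

# Revoke the certificate for common name $1 and regenerate crl.pem.
revoke_cert() {
    openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/$1.crt" 2>/dev/null
    openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl.pem" 2>/dev/null
}

# Serial number of certificate file $1, as printed by openssl x509.
cert_serial() { openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'; }

# Serial numbers the CRL currently lists as revoked.
crl_serials() {
    openssl crl -in "$WORK/crl.pem" -noout -text | sed -n 's/^ *Serial Number: *//p'
}

# "ok", "revoked" or "error": the same decision OpenVPN's crl-verify makes.
crl_status() {
    out=$(openssl verify -crl_check -CAfile "$WORK/ca.crt" \
        -CRLfile "$WORK/crl.pem" "$1" 2>&1) || true
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *": OK"*)                echo ok ;;
        *)                       echo error ;;
    esac
}

run_demo() {
    init_ca
    issue_cert gam001   # serial 01
    reset_db            # a clean-all between issuances: counter back to 01
    issue_cert fjr001   # serial 01 again: a CRL cannot tell it from gam001
    issue_cert urano    # serial 02, no reset in between
    revoke_cert fjr001  # only fjr001 is revoked, yet the CRL just says "01"
    echo "CRL lists serial(s): $(crl_serials | tr '\n' ' ')"
    for cn in gam001 fjr001 urano; do
        printf '%-7s serial=%s  crl=%s\n' "$cn" \
            "$(cert_serial "$WORK/$cn.crt")" "$(crl_status "$WORK/$cn.crt")"
    done
}

command -v openssl >/dev/null 2>&1 && run_demo
```

Run it as-is; it prints the CRL's serial list followed by one line per certificate. The same two commands, openssl x509 -noout -serial on each client certificate and openssl crl -noout -text on the CRL, can be run against an existing easy-rsa keys directory to see whether any two certificates share a serial.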