kylemanna/docker-openvpn

Expired CRLs will prevent clients from re-connecting

Open

#274 ouverte le 30 mai 2017

Voir sur GitHub
 (8 commentaires) (0 réactions) (0 assignés)Shell (2 336 forks)batch import
bughelp wanted

Métriques du dépôt

Stars
 (8 506 stars)
Métriques de merge PR
 (Aucune PR mergée en 30 j)

Description

I encountered an error with an old CRL from a long time ago that prevents clients from connecting

May 30 12:28:53 test1 docker:  Tue May 30 19:28:53 2017 1.2.3.4:55195 TLS: Initial packet from [AF_INET]1.2.3.4:55195, sid=50cd0150 294bdcea
May 30 12:28:53 test1 docker:  Tue May 30 19:28:53 2017 1.2.3.4:55195 VERIFY ERROR: depth=0, error=CRL has expired: CN=someserver
May 30 12:28:53 test1 docker:  Tue May 30 19:28:53 2017 1.2.3.4:55195 OpenSSL: error:140360B2:SSL routines:ACCEPT_SR_CERT:no certificate returned
May 30 12:28:53 test1 docker:  Tue May 30 19:28:53 2017 1.2.3.4:55195 TLS_ERROR: BIO read tls_read_plaintext error
May 30 12:28:53 test1 docker:  Tue May 30 19:28:53 2017 1.2.3.4:55195 TLS Error: TLS object -> incoming plaintext read error
May 30 12:28:53 test1 docker:  Tue May 30 19:28:53 2017 1.2.3.4:55195 TLS Error: TLS handshake failed

Manually regenerating the CRL and copying it in to place resolved the issue. Only people who generate a CRL and then let is expire without re-generating it (primarily by revoking certs) will encounter this bug.

I'm not sure how to handle this as re-generating the CRL will require the CA private key passphrase and can't be done automatically.

Guide contributeur