The certificate revocation list is for blocking certificates/clients that were previously given access to the VPN. I originally created a crl.pem file via easy-rsa when we needed to block access for a customer that had moved on.

This morning, we had a widespread VPN outage. I immediately panicked because, if an outage is caused by a problem on the customer’s end, we’re basically fucked, in that someone needs to get on a plane to rectify the problem, per customer.

After thrashing around for a while to determine root cause (certificate expiry was the first suspect, followed by time synchronization issues), my boss realized that the very first error message reported by openvpn was pretty explanatory, once one (I) stopped ignoring what looked like noise / variable assignment:

VERIFY ERROR: depth=0, error=CRL has expired: CN=themachine

My boss then inspected the crl.pem file, and found that it had an updateAt that we had just reached a couple of hours before. The solution? Regenerate the crl file, which I looked into by using openssl commands, but then realized that easy-rsa has a simple command to do so, and this was the tool I used to create the crl originally.

However, before regenerating this file, we added set_var EASYRSA_CRL_DAYS 5000 in the easy-rsa vars file. So, we won’t have this problem again until sometime in 2033 :)
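
A check that flags an approaching CRL expiry before OpenVPN starts rejecting clients, as an added example that is not part of the original post. It reads the date printed by `openssl crl -noout -nextupdate`; the function names, the 14-day threshold and the sample output line are assumptions made for illustration.

```python
import subprocess
import sys
from datetime import datetime, timezone

# Constructed sample of what `openssl crl -in crl.pem -noout -nextupdate` prints.
SAMPLE = "nextUpdate=Jan  5 08:00:00 2033 GMT\n"
WARN_DAYS = 14  # assumed threshold; choose one longer than your response time


def parse_next_update(openssl_output):
    """Return the CRL's nextUpdate as an aware UTC datetime."""
    for line in openssl_output.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "nextUpdate":
            value = " ".join(value.split())  # day is space-padded: "Jan  5"
            try:
                parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
            except ValueError:
                break  # e.g. a CRL that carries no nextUpdate date
            return parsed.replace(tzinfo=timezone.utc)
    raise ValueError("no parseable nextUpdate in openssl output")


def crl_status(next_update, now, warn_days=WARN_DAYS):
    """Return (state, days_left); state is 'expired', 'expiring' or 'ok'."""
    days_left = (next_update - now).total_seconds() / 86400
    if days_left <= 0:
        return "expired", days_left
    if days_left <= warn_days:
        return "expiring", days_left
    return "ok", days_left


def read_next_update(crl_path):
    """Ask the openssl CLI for the nextUpdate field of a PEM CRL file."""
    result = subprocess.run(
        ["openssl", "crl", "-in", crl_path, "-noout", "-nextupdate"],
        check=True, capture_output=True, text=True)
    return parse_next_update(result.stdout)


if __name__ == "__main__":
    # With a path argument, check that file; otherwise use the sample line.
    nxt = read_next_update(sys.argv[1]) if len(sys.argv) > 1 else parse_next_update(SAMPLE)
    state, days = crl_status(nxt, datetime.now(timezone.utc))
    print(f"CRL {state}: nextUpdate={nxt:%Y-%m-%d %H:%M} UTC ({days:.1f} days left)")
    sys.exit(0 if state == "ok" else 1)
```

Run from cron or a monitoring agent against the crl.pem the server loads, the non-zero exit code gives time to regenerate the file before clients are refused.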