Log Summary - OpenVPN - No CRL Update

Good morning,

I have got an error message in my daily log summary for a while now, which is:

  **Unmatched Entries**
    error: Could not update CRL: 1 Time(s) 

Please, would you give a hint how to fix that? Thank you & regards

3 Likes

Hello and good morning,

I have the same problem and OpenVPN connections are impossible now because the OpenVPN CRL has expired. I tried to renew it by running

/etc/fcron.daily/openvpn-crl-updater

which results in the following error:

Using configuration from /var/ipfire/ovpn/openssl/ovpn.cnf
Can’t open “/var/ipfire/ovpn/openssl/ovpn.cnf” for reading, No such file or directory
40F7E32B2E7F0000:error:80000002:system library:BIO_new_file:No such file or directory:crypto/bio/bss_file.c:67:calling fopen(/var/ipfire/ovpn/openssl/ovpn.cnf, r)
40F7E32B2E7F0000:error:10000080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:75:

It seems like /var/ipfire/ovpn/openssl/ovpn.cnf is missing

I have a second productive machine where the CRL will expire tonight. There the /var/ipfire/ovpn/openssl/ovpn.cnf is also missing and /etc/fcron.daily/openvpn-crl-updater is not working.

Seems like a general problem which might hit many users soon?? :sweat_smile:

1 Like

I join in on this pain with my IPFire v186:
Jul 4 10:14:39 fw01 openvpnserver[3111]: 79.253.176.169:50676 VERIFY ERROR: depth=0, error=CRL has expired:…

The solution at www.ipfire.org - Extended usage of CA and keys does not work, because there is no subdir openssl under /var/ipfire/ovpn.

Fun bit: an OpenVPN N2N tunnel to the same IPFire is still working.

begging for insight / help / fix (please choose as needed ;-))
Thanks
Dirk

1 Like

Hi all,
it looks like the Core 186 changes in “openvpn-crl-updater” → git.ipfire.org Git - ipfire-2.x.git/commit have not been shipped, but ovpn.cnf is meanwhile under /usr/share/openvpn .

To fix it in a fast way, those → git.ipfire.org Git - ipfire-2.x.git/blobdiff - config/ovpn/openvpn-crl-updater changes should help?!

@bonnietwin @ms, can you look this over?

Best,

Erik

P.S. In fact it should be enough to change only one line →

--- /etc/fcron.daily/openvpn-crl-updater	2023-11-21 17:32:55.476242608 +0100
+++ /etc/fcron.daily/openvpn-crl-updater.old	2024-07-04 11:41:01.614274142 +0200
@@ -43,7 +43,7 @@
 CRL="${OVPN}/crls/cacrl.pem"
 CAKEY="${OVPN}/ca/cakey.pem"
 CACERT="${OVPN}/ca/cacert.pem"
-OPENSSLCONF="${OVPN}/openssl/ovpn.cnf"
+OPENSSLCONF="/usr/share/openvpn/ovpn.cnf"
 
 # Check if CRL is presant or if OpenVPN is active
 if [ ! -e "${CAKEY}" ]; then
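Review bot: the file labels in the header look swapped: the `+++` side is the file named `.old`, yet it is the one carrying the new line `+OPENSSLCONF="/usr/share/openvpn/ovpn.cnf"`, so read the hunk as "replace the `-` line with the `+` line" rather than trusting the filenames, and anyone feeding it to `patch` would have to apply it in reverse. While touching this block, the context comment `# Check if CRL is presant or if OpenVPN is active` should read `present`.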

and by executing openvpn-crl-updater again via

# root @ ipfire in /etc/fcron.daily [11:43:29] 
$ /etc/fcron.daily/openvpn-crl-updater
Using configuration from /usr/share/openvpn/ovpn.cnf

the CRL should be updated again

$ grep CRL /var/log/messages                              
Jun 30 01:25:00 ipfire-prime openvpn: error: Could not update CRL
Jul  1 01:25:00 ipfire-prime openvpn: error: Could not update CRL
Jul  4 11:43:37 ipfire-prime openvpn: CRL has been updated
2 Likes

Hi all,

as a fast solution you can also run the following command. Of course this only pushes the problem out by one month, but I hope there will be a fix by then.

openssl ca -config /usr/share/openvpn/ovpn.cnf -gencrl -out /var/ipfire/ovpn/crls/cacrl.pem

After the above command the CRL was updated and renewed and OpenVPN connections work again. :smile:

I can only recommend that everybody on V186 does this, especially on remote machines, before the CRL expires.

Cheers and have a good day

P.S. also changed the Wiki page https://www.ipfire.org/docs/configuration/services/openvpn/config/upload_gen

1 Like

The update cycle of the CRL is about one month (to check it, run:)
openssl crl -in "/var/ipfire/ovpn/crls/cacrl.pem" -text | grep -oP 'Next Update: *\K.*'
I don't think the next IPFire update will take that long to ship the updated ‘openvpn-crl-updater’, but if it does, you would need to execute the OpenSSL command again, just as additional info…

Best,

Erik

2 Likes

Yes the ovpn.cnf was moved out of the /var/ipfire/ directory tree as in the past updates of that file had not ended up being properly shipped.

So the ovpn.cnf was moved to `/usr/share/openvpn` where it should be able to be updated without issues.

The ovpn-crl-updater was also updated with that new location but for some reason that change did not get shipped although it was in the commit that was merged into CU186.

The various files look to have been included in the shipped update except for the ovpn-crl-updater script.

https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=4697a1f7f73a5f7ba869c8ad2ce267bd6d65fcc5

Unfortunately this was not identified by anyone during the Testing phase of CU186.

We will add that file to the shipping for CU187 which should not be too long before going to Testing.

The change to the ovpn-crl-updater is very simple so as a workaround in CU186 you could make the change.

https://git.ipfire.org/?p=ipfire-2.x.git;a=blobdiff;f=config/ovpn/openvpn-crl-updater;h=5008d67254e031636a013f2b02be125fb285b352;hp=5fbe21080cb90187f5cf8398c7e7fdfbf1bd2e3b;hb=4697a1f7f73a5f7ba869c8ad2ce267bd6d65fcc5;hpb=51c8b155d1b888f45b234b86cb67b58512853294

5 Likes

Thanks for submitting how to check the date of the next CRL build. Mine is “Next Update: Jul 10 23:25:00 2024 GMT”, so in less than one week I, or rather my customers, would have been in trouble while trying to use OpenVPN. Reading this community blog on a nearly daily basis saved me… but how about all other IPFire users?

1 Like

Thank you all, Adolf’s tip for editing openvpn-crl-updater solved it for me:

Jul  4 18:33:18 ipfire openvpn: CRL has been updated
4 Likes

I experienced the same as I wanted to connect via openvpn.
After implementing the changes proposed by Erik and Adolf it’s running again.
Many thanks for the immediate response

3 Likes

For information the correct ovpn-crl-updater script has been added to Core Update 186 so anyone doing an update will now get the correct script and the CRL will not expire.

The updated script will also get shipped in Core Update 187 which should be going to Testing phase before too long and likely get full release by end of July, depending on the Testing feedback.

9 Likes

I use a net-to-net OpenVPN connection and a roadwarrior. About 10 days ago, shortly after 186 was released, I did a fresh installation of IPFire on both locations from scratch and restored the settings that I had previously saved in version 185. That also restored all my OpenVPN settings and the systems were up and running. So far the tunnel is stable and the roadwarrior can connect to both locations. Will I be affected too, or is this problem only affecting systems that directly updated from previous versions to 186? We’re in the middle of a peak season and I need the VPNs to work. Or should I download the updated 186 and install + restore settings again? I’m not really experienced with Linux so I don’t understand the solution shown in this thread.

1 Like

Thanks for posting this, unfortunately I found it after the problem showed up. My firewall is remote so at least I know what the real problem is when I get there. Thanks! Mike

1 Like

Hello @alain

If your fresh install was with Core Update 186 then you will have the problem being talked about.

When it would impact you would depend on the expiry date of the CRL.

As mentioned in the other threads you can find out what the expiry date is by running the following command (copy and paste) in either your console or via an ssh terminal.

openssl crl -in "/var/ipfire/ovpn/crls/cacrl.pem" -text | grep -oP 'Next Update: *\K.*'

If the expiry date is before end of July then you will need to take some action.

As you don’t want to get into editing files in IPFire, the simplest would be to copy, paste and run the following command in the console or an ssh terminal.

openssl ca -config /usr/share/openvpn/ovpn.cnf -gencrl -out /var/ipfire/ovpn/crls/cacrl.pem

This will update the crl for another month which should give time for Core Update 187 to be released. You can always repeat running that command.

If you are not comfortable doing any of the above then the following is your best option.

Download and install Core Update 185
https://www.ipfire.org/downloads/ipfire-2.29-core185

Yes, that is Core Update 185. The fix has been applied to the updating to Core Update 186 but not to the Installation files as that would result in a mix of Core Update 186 versions with and without the fix in the mirrors and it is not easy to manage and fix.

Having done a fresh install with Core Update 185 then restore your settings from the backup and then do the update to Core Update 186 using pakfire.

I have installed Core Update 185 on a VM, confirmed it had the original openvpn-crl-updater script and then run the update to 186, and after that was completed the correct script was in place.

2 Likes

Thank you sooo much! I have connected with ssh and have entered the commands. However, on the 2nd command I get an error message.
(screenshot of the error message)

So I will re-install 1.85 and restore the settings and re-update with Pakfire.

2 Likes

It looks like that will be the simplest for you to do. You then don’t have to worry about what files are located where. It will just be done automatically.

1 Like

I have installed 185 from scratch, restored the settings, rebooted, clicked on Pakfire and updated to 186 and finally rebooted. When I now enter that command
openssl crl -in "/var/ipfire/ovpn/crls/cacrl.pem" -text | grep -oP 'Next Update: *\K.*'
it tells me AUG 14 11:36:54 2024 GMT.
Does it automatically renew and extend on 14th August or do I have to do something before 14th August?

1 Like

It will automatically renew now with the correct updater in place.
The updater checks on a daily basis and I believe that it will update if the expiry date is closer than one week or so. I can’t remember the precise delta. I will have to go and look at the script.

You don’t have to worry about it any more. It will update when it needs to so that you always have a valid crl.

2 Likes

Thank you, Dankeschön, Gracias, Merci, Obrigado, Terima kasih !:+1:

2 Likes

Hello all,

it is updating 14 days before → git.ipfire.org Git - ipfire-2.x.git/blob - config/ovpn/openvpn-crl-updater .

Best and selamat malam,

Erik

3 Likes
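The two checks this thread walks through (read the CRL's "Next Update" with `openssl crl -text`, regenerate it with `openssl ca -gencrl` when it is inside the updater's 14-day window), as an added example script that is not IPFire's own openvpn-crl-updater; the paths are the ones quoted above, the renewal window is the 14 days Erik cites, and the sample `openssl crl -text` output is constructed:

```shell
#!/bin/sh
# Added example, not IPFire's openvpn-crl-updater: renew the OpenVPN CRL
# when its "Next Update" is closer than RENEW_DAYS, using the paths and
# commands quoted in this thread.
CRL="/var/ipfire/ovpn/crls/cacrl.pem"
OPENSSLCONF="/usr/share/openvpn/ovpn.cnf"
RENEW_DAYS=14   # the updater's window, as stated in the thread

# Constructed sample of `openssl crl -text -noout` output, for offline testing.
SAMPLE_CRL_TEXT='Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Last Update: Jun 10 23:25:00 2024 GMT
        Next Update: Jul 10 23:25:00 2024 GMT'

# Print the "Next Update" value from the `openssl crl -text` output given in $1.
next_update() {
    printf '%s\n' "$1" | sed -n 's/^ *Next Update: *//p'
}

# Exit status 0 when the CRL expiring at $1 (e.g. "Jul 10 23:25:00 2024 GMT")
# has fewer than $2 days left at epoch time $3; 2 if GNU date cannot parse $1.
crl_needs_renewal() {
    expiry=$(date -u -d "$1" +%s 2>/dev/null) || return 2
    [ $(( expiry - $3 )) -lt $(( $2 * 86400 )) ]
}

# Regenerate the CRL from the CA config (the command recommended above).
renew_crl() {
    openssl ca -config "$OPENSSLCONF" -gencrl -out "$CRL"
}

main() {
    text=$(openssl crl -in "$CRL" -text -noout) || { echo "cannot read $CRL" >&2; exit 1; }
    nu=$(next_update "$text")
    if crl_needs_renewal "$nu" "$RENEW_DAYS" "$(date +%s)"; then
        renew_crl && logger -t openvpn "CRL has been updated"
    else
        echo "CRL valid until $nu; no renewal needed"
    fi
}

# Only touch the live CRL when explicitly asked: ./crl-check.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it from fcron (or by hand with `--run`) and the "CRL has been updated" line lands in /var/log/messages exactly as in the log excerpts above.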