Changes between Initial Version and Version 1 of Ticket #422, comment 8
Timestamp: 05/24/15 08:48:37 (9 years ago)
Ticket #422, comment 8
Initial version:

Now that I look a bit closer, I think I do understand.

OpenVPN complains about not being able to find/retrieve the CRL specified in one of your (sub) CAs. When using the `capath` option, you can't use the `crl` option to supply CRLs for all the CAs in the capath, so OpenVPN configures OpenSSL to automatically retrieve and check the CRLs listed in the CA certificate for you. For some reason, this fails in your setup.

I expect that you can get the same behaviour from OpenSSL by using

`$ openssl verify -CApath /your/path -crl_check -crl_check_all server.crt`

Version 1:

Now that I look a bit closer, I think I do understand.

OpenVPN complains about not being able to find/retrieve the CRL specified in one of your (sub) CAs. (edit: ignore this previous text ~~When using the `capath` option, you can't use the `crl` option to supply CRLs for all the CAs in the capath, so OpenVPN configures OpenSSL to automatically retrieve and check the CRLs listed in the CA certificate for you.~~) When using the `capath` option, OpenVPN enforces that you also supply valid CRLs. To do so, use the `crl-verify` option.

I can get the same behaviour from OpenSSL:

{{{
$ openssl verify -CApath /your/path -crl_check -crl_check_all server.crt
server.crt: C = KG, ST = NA, O = OpenVPN-TEST, CN = Test-Server, emailAddress = me@myhost.mydomain
error 3 at 0 depth lookup:unable to get certificate CRL
}}}

and fix it by supplying the crl
{{{
$ openssl verify -CApath /your/path -crl_check -crl_check_all -CRLfile ca.crl server.crt
server.crt: OK
}}}
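The two `openssl verify` runs in the comment can be reproduced end to end without the reporter's certificates. The script below is an added example, not part of the ticket and not OpenVPN project code: it builds a throwaway CA, a server certificate and an (initially empty) CRL in a temporary directory, lays the CA out as a hashed `capath` the way `c_rehash` does, and then shows that `-crl_check_all` fails until a CRL is supplied, either with `-CRLfile` as in the comment or as a `<hash>.r0` link inside the capath (the lookup OpenSSL's hash directory uses, which goes slightly beyond the comment). A final check revokes the server certificate and regenerates the CRL to confirm that the CRL is actually consulted. All subjects, file names and the minimal `openssl ca` configuration are constructed for this example; only an `openssl` binary is assumed.

```shell
#!/bin/sh
# Added example (not from the ticket or OpenVPN): reproduce the
# "unable to get certificate CRL" failure with a throwaway CA, then show
# two ways to satisfy -crl_check_all and that revocation is enforced.
# Everything generated here is constructed test material.
set -eu
command -v openssl >/dev/null || { echo "openssl binary required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throwaway root CA and a server certificate signed by it (hypothetical subjects).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example-Test-CA" \
    -keyout ca.key -out ca.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=Test-Server" \
    -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -out server.crt 2>/dev/null

# Minimal "openssl ca" configuration: only what -gencrl and -revoke need.
touch index.txt
echo 01 > crlnumber
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = test_ca
[ test_ca ]
database         = index.txt
crlnumber        = crlnumber
default_md       = sha256
default_crl_days = 1
EOF
gencrl() {  # $1 = output file; signs a CRL reflecting the current index.txt
    openssl ca -config ca.cnf -gencrl -crldays 1 -keyfile ca.key -cert ca.crt \
        -out "$1" 2>/dev/null
}
gencrl ca.crl   # empty CRL: nothing revoked yet

# capath: OpenSSL finds CA certs (and CRLs) by subject-hash file names, as c_rehash lays them out.
mkdir capath
HASH=$(openssl x509 -noout -hash -in ca.crt)
ln -s "$WORK/ca.crt" "capath/$HASH.0"

# Each check returns openssl verify's exit status: 0 only when the chain is good
# and every CRL the chain needs was found and consulted.
verify_without_crl() {
    openssl verify -CApath capath -crl_check -crl_check_all server.crt >/dev/null 2>&1
}
verify_with_crlfile() {
    openssl verify -CApath capath -crl_check -crl_check_all -CRLfile ca.crl server.crt >/dev/null 2>&1
}
verify_with_crl_in_capath() {
    ln -sf "$WORK/ca.crl" "capath/$HASH.r0"   # hashed CRL link beside the CA cert
    r=0
    openssl verify -CApath capath -crl_check -crl_check_all server.crt >/dev/null 2>&1 || r=$?
    rm -f "capath/$HASH.r0"
    return $r
}
verify_after_revocation() {
    # Mark server.crt's serial as revoked in index.txt (idempotent), re-issue the CRL, verify again.
    grep -q '^R' index.txt || \
        openssl ca -config ca.cnf -revoke server.crt -keyfile ca.key -cert ca.crt 2>/dev/null
    gencrl revoked.crl
    openssl verify -CApath capath -crl_check -crl_check_all -CRLfile revoked.crl server.crt >/dev/null 2>&1
}

# Walk through the four cases when run directly.
if verify_without_crl; then echo "no CRL:       unexpectedly OK"; else echo "no CRL:       fails (unable to get certificate CRL)"; fi
if verify_with_crlfile; then echo "-CRLfile:     OK"; else echo "-CRLfile:     fails"; fi
if verify_with_crl_in_capath; then echo "capath .r0:   OK"; else echo "capath .r0:   fails"; fi
if verify_after_revocation; then echo "after revoke: unexpectedly OK"; else echo "after revoke: rejected (certificate revoked)"; fi
```

The `.r0` case matters for a capath deployment: OpenSSL looks up CRLs in the hash directory by the issuer's subject hash, so each CA in the chain (root and any sub-CA) needs its own CRL file there, which is why `-crl_check_all` cannot be satisfied by a single CA certificate alone.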