Changes between Initial Version and Version 1 of Ticket #422, comment 8


Ignore:
Timestamp:
05/24/15 08:48:37 (6 years ago)
Author:
Steffan Karger
Comment:

Legend:

Unmodified
Added
Removed
Modified
  • Ticket #422, comment 8

    initial v1  
    11Now that I look a bit closer, I think I do understand.
    22
    3 OpenVPN complains about not being able to find/retrieve the CRL specified in one of your (sub) CAs.  When using the `capath` option, you can't use the `crl` option to supply CRLs for all the CAs in the capath, so OpenVPN configures OpenSSL to automatically retrieve and check the CRLs listed in the CA certificate for you.  For some reason, this fails in your setup.
     3OpenVPN complains about not being able to find/retrieve the CRL specified in one of your (sub) CAs.  (edit: ignore this previous text ~~When using the `capath` option, you can't use the `crl` option to supply CRLs for all the CAs in the capath, so OpenVPN configures OpenSSL to automatically retrieve and check the CRLs listed in the CA certificate for you.~~)  When using the `capath` option, OpenVPN enforces you also supply valid CRLs.  To do so, use the `crl-verify` option.
    44
    5 I expect that you can get the same behaviour from OpenSSL by using
     5I can can get the same behaviour from OpenSSL:
    66
    7    `$ openssl verify -CApath /your/path -crl_check -crl_check_all server.crt`
     7{{{
     8$ openssl verify -CApath /your/path -crl_check -crl_check_all server.crt
     9server.crt: C = KG, ST = NA, O = OpenVPN-TEST, CN = Test-Server, emailAddress = me@myhost.mydomain
     10error 3 at 0 depth lookup:unable to get certificate CRL
     11}}}
     12
     13and fix it by supplying the crl
     14{{{
     15$ openssl verify -CApath /your/path -crl_check -crl_check_all -CRLfile ca.crl server.crt
     16server.crt: OK
     17}}}