OpenVPN

DBBC OpenVPN: when clients will not connect, the CRL PEM (crl.pem) has expired. Log into the VM, go to the directory /etc/openvpn/easy-rsa and run sudo ./easyrsa gen-crl

This generates a new crl.pem in the pki subfolder. Then copy it into place: sudo cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem

Point of note: if this is a fresh Easy-RSA OpenVPN install, you have to comment out the first var in openssl-1.0.conf, otherwise the first command throws an error.

All should be happy in the world of connections again. Reference page: https://mig5.net/blog/openvpn-2-4-crl-has-expired/#:~:text=OpenVPN%202.4%20rejects%20client%20connections%20when%20%22CRL%20has%20expired%22,-written%20by%20mig5&text=If%20you%20revoke%20a%20key,%2Fpath%2Fto%2Fcrl.

Alternate Method:

If you suddenly cannot connect to your OpenVPN server based on PiVPN (or other), it is probably because the CA certificate has expired.

Do:

cat /var/log/openvpn.log

If you find output similar to the following, it (probably) means that the certificate has expired:

Jul 22 18:52:44 raspberrypiserver ovpn-server[434]: 238.143.30.107:47626 VERIFY ERROR: depth=0, er

Verify the certificate expiration date by typing:

cd /etc/openvpn

sudo openssl crl -in crl.pem -text

which will output something like:

Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /CN=ChangeMe
        Last Update: Jan 21 18:03:50 2019 GMT
        Next Update: Jul 20 18:03:50 2019 GMT
        CRL extensions:...
...

If the field Next Update indicates a date earlier than today, then the CA certificate has expired.

To renew it, just do:

cd /etc/openvpn/easy-rsa

sudo ./easyrsa gen-crl

sudo cp pki/crl.pem /etc/openvpn/crl.pem

sudo systemctl restart openvpn
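The manual check above (read Next Update, compare with today) and the renewal steps from both methods, as an added example script that is not part of the original page. It assumes openssl and GNU date are on PATH; crl_check reports whether a CRL's Next Update has passed, crl_renew mirrors the page's easy-rsa commands, and make_test_crl builds a throwaway CA and CRL (a constructed fixture) so the check can be exercised without touching a real server.

```shell
#!/bin/sh
# Detect an expired OpenVPN CRL before clients start failing with VERIFY ERROR.
set -eu

# Epoch seconds of the CRL's Next Update field.
# openssl prints a line like "nextUpdate=Jul 20 18:03:50 2019 GMT"; GNU date parses it.
crl_next_update_epoch() {
    nu=$(openssl crl -in "$1" -noout -nextupdate)
    date -d "${nu#nextUpdate=}" +%s
}

# Usage: crl_check FILE [NOW_EPOCH]. Returns 0 while the CRL is valid, 1 once it has expired.
# NOW_EPOCH defaults to the current time; passing it explicitly lets you test "what if".
crl_check() {
    now=${2:-$(date +%s)}
    next=$(crl_next_update_epoch "$1")
    if [ "$next" -le "$now" ]; then
        echo "EXPIRED: $1 (Next Update was $(date -u -d "@$next"))"
        return 1
    fi
    echo "ok: $1 valid for $(( (next - now) / 86400 )) more days"
}

# Renewal exactly as the page does it; run only on the real server (assumes /etc/openvpn/easy-rsa).
crl_renew() {
    (cd /etc/openvpn/easy-rsa && sudo ./easyrsa gen-crl)
    sudo cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
    sudo systemctl restart openvpn
}

# Constructed test fixture: a throwaway CA in directory $1 and a CRL valid for $2 days.
make_test_crl() {
    dir=$1; days=$2
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj /CN=ChangeMe \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    : > "$dir/index.txt"; echo 01 > "$dir/serial"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = test_ca
[ test_ca ]
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_crl_days = $days
EOF
    openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/crl.pem" 2>/dev/null
}

# Stand-alone use: sh crl_check.sh /etc/openvpn/crl.pem  (exit status 1 means renew).
if [ $# -gt 0 ]; then crl_check "$@"; fi
```

Run it from cron and alert on a non-zero exit a week or two before Next Update, rather than finding out from the VERIFY ERROR lines in /var/log/openvpn.log.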