So I upgraded a box to OpenVPN 2.4 yesterday, and it turns out the upgrade is not that straightforward if you don't keep your CRL fresh (like most people, it seems). OpenVPN 2.4 hands CRL checking to OpenSSL's certificate verifier, which rejects a CRL whose Next Update date has passed, so every client is refused with a "CRL has expired" verify error even though the CRL that 2.3 happily used is still sitting there.
Here is an explanation of what's going on in a little more detail.
So the fix is a bit of hackery inside your easy-rsa directory (this is easy-rsa 2.x, the version with a vars file and openssl-1.0.0.cnf) followed by regenerating the CRL:
1. Open openssl-1.0.0.cnf in your favourite editor and search for crl_days (it lives under [ CA_default ]):
default_days = 3650 # how long to certify for
default_crl_days = 30 # how long before next CRL
Change it to
default_days = 3650 # how long to certify for
default_crl_days = 3650 # how long before next CRL
Note that Next Update is stamped at generation time as now plus default_crl_days, so this buys you ten years instead of a month rather than stopping the clock; if you revoke certificates regularly, a cron job that regenerates the CRL is the proper fix, and then the 30-day default is fine.
2. Open the vars file in your text editor and add the following line to the bottom of the file. openssl-1.0.0.cnf references $ENV::KEY_ALTNAMES, and OpenSSL refuses to load a config file that refers to an unset environment variable, so openssl ca fails with a "variable lookup failed" error unless it is set; any placeholder value will do:
export KEY_ALTNAMES="something"
3. Regenerate your CRL (sourcing vars sets KEY_DIR and the other variables the config file pulls from the environment):
source ./vars
openssl ca -gencrl -out crl.pem -config ./openssl-1.0.0.cnf
4. Move crl.pem to wherever your old CRL was (the path given by crl-verify in your server config), restart OpenVPN, and finally test with "openssl crl -in ./crl.pem -noout -text | grep Update", checking that "Next Update" is a date in the future. Since openssl ca -gencrl rebuilds the list from index.txt, everything you revoked before is still in the new CRL; drop the grep and eyeball the Revoked Certificates section if you want to be sure.
5. Go home for tea and medals as your OpenVPN server should now be working and letting clients connect 🙂
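As an added example (not part of the original post), here is a stdlib-only Python check of that "Next Update" date that you can run from cron on the VPN box instead of grepping by hand, so the CRL gets regenerated before OpenVPN starts refusing clients. It parses just the thisUpdate and nextUpdate fields out of the DER structure, accepts PEM or DER, and handles the case where nextUpdate is absent (it is optional in RFC 5280). The sample CRLs it builds are constructed test data with a made-up issuer and dummy signature bits, not real CRLs, and the default path crl.pem is an assumption.

```python
"""Report whether an X.509 CRL's nextUpdate has passed (OpenVPN 2.4 refuses expired CRLs).

Added example, not from the original post. Parses only what it needs from:
  CertificateList ::= SEQUENCE { tbsCertList SEQUENCE { version INTEGER OPTIONAL,
      signature, issuer, thisUpdate, nextUpdate OPTIONAL, ... }, signatureAlgorithm, signatureValue }
"""
import base64
import re
import sys
from datetime import datetime, timedelta, timezone

INTEGER, BITSTRING, NULL, OID, UTF8, UTCTIME, GENTIME, SEQ, SET = 2, 3, 5, 6, 12, 0x17, 0x18, 0x30, 0x31


def read_tlv(buf, off=0):
    """Return (tag, value, next_offset) for the DER element starting at buf[off]."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                                   # long form: low bits = number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


def children(payload):
    """List of (tag, value) elements inside a SEQUENCE/SET payload."""
    out, off = [], 0
    while off < len(payload):
        tag, val, off = read_tlv(payload, off)
        out.append((tag, val))
    return out


def decode_time(tag, val):
    text = val.decode("ascii")
    if tag == UTCTIME:                                  # YYMMDDHHMMSSZ; RFC 5280: 50-99 means 19xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def crl_validity(data):
    """(thisUpdate, nextUpdate) of a PEM or DER CRL; nextUpdate is None when absent."""
    if b"-----BEGIN" in data:                            # PEM: strip armour lines and whitespace
        data = base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", data))
    tag, cert_list, _ = read_tlv(data)
    if tag != SEQ:
        raise ValueError("not a DER CertificateList")
    fields = children(children(cert_list)[0][1])       # tbsCertList
    if fields[0][0] == INTEGER:                         # optional version
        fields = fields[1:]
    # fields[0]=signature, [1]=issuer, [2]=thisUpdate, [3]=nextUpdate or revokedCertificates/extensions
    times = [f for f in fields[2:4] if f[0] in (UTCTIME, GENTIME)]
    return decode_time(*times[0]), (decode_time(*times[1]) if len(times) > 1 else None)


def crl_status(data, now=None, warn_days=7):
    """('ok'|'expiring'|'expired'|'no-next-update', days_left) for the CRL in data."""
    now = now or datetime.now(timezone.utc)
    _, next_update = crl_validity(data)
    if next_update is None:                             # nothing to expire: nextUpdate is OPTIONAL
        return "no-next-update", None
    days_left = (next_update - now) / timedelta(days=1)
    return ("expired" if days_left < 0 else "expiring" if days_left < warn_days else "ok"), days_left


def der(tag, content):
    """Minimal DER TLV encoder, used only to build the constructed sample CRLs below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_test_crl(this_update, next_update=None, generalized=False):
    """Constructed, unsigned sample CRL (made-up issuer, dummy signature bits) for the parser."""
    def time(dt):
        fmt, tag = ("%Y%m%d%H%M%SZ", GENTIME) if generalized else ("%y%m%d%H%M%SZ", UTCTIME)
        return der(tag, dt.strftime(fmt).encode())
    alg = der(SEQ, der(OID, bytes.fromhex("2a864886f70d01010b")) + der(NULL, b""))  # sha256WithRSAEncryption
    issuer = der(SEQ, der(SET, der(SEQ, der(OID, bytes.fromhex("550403")) + der(UTF8, b"Example CA"))))
    tbs = der(INTEGER, b"\x01") + alg + issuer + time(this_update) + (time(next_update) if next_update else b"")
    pem = base64.encodebytes(der(SEQ, der(SEQ, tbs) + alg + der(BITSTRING, b"\x00" + b"\xaa" * 32)))
    return b"-----BEGIN X509 CRL-----\n" + pem + b"-----END X509 CRL-----\n"


def sample_crls(now=None):
    """Constructed sample CRLs (not real data) covering each state crl_status reports."""
    now, day = now or datetime.now(timezone.utc), timedelta(days=1)
    return {
        "expired": build_test_crl(now - 400 * day, now - 370 * day),   # default_crl_days=30, never regenerated
        "expiring": build_test_crl(now - 28 * day, now + 2 * day),
        "ok": build_test_crl(now - day, now + 3649 * day, generalized=True),
        "no-next-update": build_test_crl(now - day),
    }


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "crl.pem"      # assumed default path
    with open(path, "rb") as fh:
        state, days = crl_status(fh.read())
    print(path, state, "" if days is None else f"({days:.1f} days left)")
    sys.exit(0 if state == "ok" else 1)   # non-zero from cron means: run openssl ca -gencrl now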