CRL nextUpdate #4

Open
emerinohdz opened this Issue Jan 7, 2018 · 4 comments


emerinohdz commented Jan 7, 2018

Hello, since OpenVPN 2.4 the CRL is broken when using bytemine to generate it; OpenVPN needs the nextUpdate field to be in the future in order to work. Is it possible to change this in bytemine manager?

Contributor

dra commented Jan 7, 2018

Hi.
The "next update" is set to one month ahead from current date whenever the CRL is recreated. So in order to work with OpenVPN 2.4 it has to be recreated regularly.
So in my opinion there are 2 options:

  • recreate the CRL (and set a new next update value) whenever it is uploaded to a server
  • let the CRL be valid for the same period as client certificates are valid

I would implement both, so people using 2.4 should be on the safe side. Would that solve your issue?

Bye, Daniel

emerinohdz commented Jan 8, 2018

Hi, it would be nice to be able to set the next update value. Right now, I haven't been able to find a way to generate the CRL through the GUI, only export it. Is it possible to actually generate it? That wouldn't solve the problem, but at least we'll be able to use our CRL again.

Contributor

dra commented Jan 9, 2018

Hi.

Sorry, at the moment there is no time to make this configurable. What I did is as I suggested:

  • the CRL will get a nextUpdate period as long as client certificates are valid
  • on every server sync the CRL will be recreated and the nextUpdate field will be reset

As a workaround, to re-create a CRL manually you can revoke and afterwards re-enable a certificate; that will also trigger the CRL generation.

I just pushed my changes and bumped the version to 2.4.0. If you need a .deb package or a .exe file, let me know your email address and I will send it over to you.

Hope this helps you fix your troubles.

emerinohdz commented Jan 9, 2018

Thank you @dra, I'll get the changes from master and generate a new JAR, no problem. If I get the time to help this weekend I'll be sure to do it!
Regards.
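
The condition discussed in this thread (OpenVPN 2.4 needs the CRL's nextUpdate to be in the future) can be checked before a CRL is pushed to a server. The following is an added example, not code from bytemine manager or from the participants in this issue; it reads thisUpdate and nextUpdate from a DER-encoded CRL using only the Python standard library. The function names, the 7-day warning window and the constructed, unsigned sample CRL are assumptions of the example.

```python
from datetime import datetime, timedelta, timezone

def tlv(tag, body):
    """DER-encode one element (used only to build the constructed sample)."""
    n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + body

def read(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_time(tag, val):
    s = val.decode("ascii")
    if tag == 0x17:                        # UTCTime: RFC 5280 maps YY >= 50 to 19YY, else 20YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def crl_update_times(der):
    """Return (thisUpdate, nextUpdate or None) from a DER-encoded CertificateList."""
    tbs = read(read(der, 0)[1], 0)[1]      # CertificateList -> tbsCertList
    pos = 0
    for _ in range(3 if tbs[0] == 0x02 else 2):   # skip [version], signature alg, issuer
        pos = read(tbs, pos)[2]
    tag, val, pos = read(tbs, pos)         # thisUpdate
    this_update, next_update = parse_time(tag, val), None
    if pos < len(tbs) and tbs[pos] in (0x17, 0x18):   # nextUpdate is OPTIONAL in the ASN.1
        next_update = parse_time(*read(tbs, pos)[:2])
    return this_update, next_update

def crl_status(der, now, warn=timedelta(days=7)):
    """Classify a CRL by nextUpdate relative to `now` (the warn window is an assumption)."""
    next_update = crl_update_times(der)[1]
    if next_update is None:
        return "no-nextUpdate"
    if next_update <= now:
        return "expired"
    return "expiring" if next_update - now <= warn else "ok"

def sample_crl(this_update, next_update):
    """Constructed, unsigned CRL skeleton for the demo; not a real CRL."""
    t = lambda d: tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + alg + tlv(0x30, b"") + t(this_update) + t(next_update))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))
```

For a PEM file, base64-decode the body between the `BEGIN X509 CRL` and `END X509 CRL` lines and pass the result to `crl_status` together with the current UTC time.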
