Revoke openvpn certificates
To disable specific users from connecting to the VPN, you can revoke their certificate.
This assumes you have easy-rsa installed. Basically you need to revoke each certificate by its CN (common name), which should be the same as its file name, and then recreate the crl.pem file so the server picks up the revocation.
First make sure you have the line
crl-verify /etc/openvpn/EasyRSA-3.1.7/pki/crl.pem
in your OpenVPN server.conf. Without it the server never consults the CRL. After adding the line, restart the server.
Now revoke the cert, giving the CN of the client as the argument (user1 in this example):
/etc/openvpn/EasyRSA-3.1.7# ./easyrsa revoke user1
and regenerate the crl file
/etc/openvpn/EasyRSA-3.1.7# ./easyrsa gen-crl
You can check the revoked certs via:
/etc/openvpn/EasyRSA-3.1.7# ./easyrsa show-revoke
Now when the revoked client tries to connect, it will show errors like these:
unknown[736292]: Connect timer expired, disconnecting.
nm-openvpn[736296]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
nm-openvpn[736296]: TLS Error: TLS handshake failed
nm-openvpn[736296]: SIGTERM received, sending exit notification to peer
and on the server you will see something like:
... VERIFY ERROR: depth=0, error=certificate revoked: CN=user1, serial=xxxxxxxxxxxxxxxxxxxxxxx
... OpenSSL: error:0A000086:SSL routines::certificate verify failed
... TLS_ERROR: BIO read tls_read_plaintext error
... TLS Error: TLS object -> incoming plaintext read error
... TLS Error: TLS handshake failed
... SIGUSR1[soft,tls-error] received, client-instance restarting
... CRL: loaded 1 CRLs from file /etc/openvpn/EasyRSA-3.1.7/pki/crl.pem
... TLS Error: Unroutable control packet received from [AF_INET]xxxxxxxxxxxx:41071 (si=3 op=P_CONTROL_V1)
You need to rerun the revoke and gen-crl steps for each newly revoked certificate; the crl-verify line only has to be added once.
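As an added example (not part of this wiki page), a small Python script that scans OpenVPN server log lines like the ones above to confirm that the CRL was actually loaded and to flag clients that keep retrying with a revoked certificate. The log lines in it are constructed samples; the timestamp and peer-address prefix are an assumed layout, only the message text follows what the page shows.

```python
import re
from collections import Counter

# Constructed sample of OpenVPN server log lines (assumed layout: timestamp,
# then the peer address, then the message text as shown on the wiki page).
SAMPLE_LOG = """\
Mon Mar  3 16:10:01 2025 CRL: loaded 1 CRLs from file /etc/openvpn/EasyRSA-3.1.7/pki/crl.pem
Mon Mar  3 16:10:05 2025 203.0.113.7:41071 VERIFY ERROR: depth=0, error=certificate revoked: CN=user1, serial=1234567890
Mon Mar  3 16:10:05 2025 203.0.113.7:41071 OpenSSL: error:0A000086:SSL routines::certificate verify failed
Mon Mar  3 16:10:05 2025 203.0.113.7:41071 TLS Error: TLS handshake failed
Mon Mar  3 16:11:09 2025 203.0.113.7:41080 VERIFY ERROR: depth=0, error=certificate revoked: CN=user1, serial=1234567890
Mon Mar  3 16:12:14 2025 198.51.100.9:50123 VERIFY OK: depth=0, CN=user2
Mon Mar  3 16:13:20 2025 203.0.113.7:41099 VERIFY ERROR: depth=0, error=certificate revoked: CN=user1, serial=1234567890
"""

# Line emitted when crl-verify is in effect and the file was read successfully.
CRL_LOADED = re.compile(r"CRL: loaded (\d+) CRLs? from file (\S+)")
# Rejection of a client whose certificate is on the CRL; the peer address is optional.
REVOKED = re.compile(
    r"(?:(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ )?"
    r"VERIFY ERROR: depth=0, error=certificate revoked: "
    r"CN=(?P<cn>[^,]+), serial=(?P<serial>\S+)"
)

def crl_loaded(log: str) -> bool:
    """True if the server reported loading at least one CRL (crl-verify is working)."""
    for line in log.splitlines():
        m = CRL_LOADED.search(line)
        if m and int(m.group(1)) > 0:
            return True
    return False

def revoked_attempts(log: str) -> list:
    """Every handshake the server rejected because the client cert was revoked."""
    hits = []
    for line in log.splitlines():
        m = REVOKED.search(line)
        if m:
            hits.append({"cn": m["cn"], "serial": m["serial"], "src": m["src"] or "?"})
    return hits

def repeat_offenders(log: str, threshold: int = 3) -> dict:
    """Map (CN, source IP) -> attempt count for clients still using a revoked cert."""
    counts = Counter((h["cn"], h["src"]) for h in revoked_attempts(log))
    return {key: n for key, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    print("CRL active:", crl_loaded(SAMPLE_LOG))
    for (cn, src), n in repeat_offenders(SAMPLE_LOG).items():
        print(f"revoked cert still in use: CN={cn} from {src} ({n} attempts)")
```

If crl_loaded() returns False after a revocation, check that the crl-verify line points at the pki/crl.pem that gen-crl writes and that the server was restarted after the line was added.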
Tested on
- EasyRSA-3.1.7
wiki/revoke_openvpn_certificates.1741018463.txt.gz · Last modified: 2025/03/03 16:14 by antisa