[EDIT]
No, recreating the CA wasn't the solution, but removing the CRL solves the error.
There seems to be something wrong with the CRL, but I cannot see what. Everything seems to be correct, also the system time!
mhaas@glvr01:~$ sudo openssl crl -in /run/openvpn/vtun0_crl.pem -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = DE, ST = xxxx, L = xxxx, O = ip&xxxx, CN = xxxx Vyos Services on glvr01
Last Update: Sep 30 11:02:19 2024 GMT
Next Update: Oct 1 11:02:19 2024 GMT
Revoked Certificates:
Serial Number: 4C6C070B069FFB5CDFDE94CCCAE1532B53583B8C
Revocation Date: Sep 30 11:02:19 2024 GMT
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
mhaas@glvr01:~$ sudo openssl x509 -in /run/openvpn/vtun0_cert.pem -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
01:8e:43:2b:e3:b1:f4:17:65:56:69:c9:c1:86:96:17:d7:d2:d7:60
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = DE, ST = xxxx, L = xxxx, O = xxxx, CN = xxxx Vyos Services on glvr01
Validity
Not Before: Sep 30 08:25:37 2024 GMT
Not After : Aug 28 08:25:37 2042 GMT
Subject: C = DE, ST = Some-State, L = Some-City, O = xxxx, CN = glvr01.xxxx.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Key Identifier:
4B:58:39:FF:B1:BF:21:BF:BE:75:EA:95:ED:58:96:AA:5D:70:4D:DF
X509v3 Authority Key Identifier:
F3:87:4D:4D:55:62:B9:75:C3:08:05:87:23:A0:5E:E6:2C:67:9C:77
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
mhaas@glvr01:~$ sudo openssl x509 -in /run/openvpn/vtun0_ca.pem -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
0c:82:20:06:f6:ae:b8:1f:5b:85:2f:cd:1d:76:92:ba:02:7c:de:59
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = DE, ST = xxxx, L = xxxx, O = xxxx, CN = xxxx Vyos Services on glvr01
Validity
Not Before: Sep 30 08:21:00 2024 GMT
Not After : Apr 1 08:21:00 2046 GMT
Subject: C = DE, ST = xxxx, L = xxxx, O = xxxx, CN = xxxx Vyos Services on glvr01
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Subject Key Identifier:
F3:87:4D:4D:55:62:B9:75:C3:08:05:87:23:A0:5E:E6:2C:67:9C:77
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
mhaas@glvr01:~$ show pki
Certificate Authorities:
Name Subject Issuer CN Issued Expiry Private Key Parent
---------------- ------------------------------------------------------------------------------ ------------------------------------ ------------------- ------------------- ------------- --------
glvr01-device-ca CN=xxxx Vyos Services on glvr01,O=xxxx,L=xxxx,ST=xxxx,C=DE CN=xxxx Vyos Services on glvr01 2024-09-30 08:21:00 2046-04-01 08:21:00 Yes N/A
Certificates:
Name Type Subject CN Issuer CN Issued Expiry Revoked Private Key CA Present
----------- ------ -------------------------- ------------------------------------ ------------------- ------------------- --------- ------------- ----------------------
heinz Client CN=heinz CN=xxxx Vyos Services on glvr01 2024-09-30 08:27:14 2025-09-30 08:27:14 Yes Yes Yes (glvr01-device-ca)
mhaas Client CN=mhaas CN=xxxx Vyos Services on glvr01 2024-09-30 08:49:17 2042-08-28 08:49:17 No Yes Yes (glvr01-device-ca)
openvpn1194 Server CN=glvr01.ext.ipandmore.de CN=xxxx Vyos Services on glvr01 2024-09-30 08:25:37 2042-08-28 08:25:37 No Yes Yes (glvr01-device-ca)
Certificate Revocation Lists:
CA Name Updated Revokes
---------------- ------------------- ---------
glvr01-device-ca 2024-09-30 11:02:19 heinz
Even after a reboot the same OpenVPN error occurs if I recreate the CRL:
VERIFY ERROR: depth=0, error=CRL is not yet valid
In some old OpenVPN threads on the internet, I saw an old problem with OpenVPN servers that have a time zone other than UTC; my VyOS has Europe/Berlin.
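An added example (not code from the post or from VyOS/OpenVPN) that models the check behind "CRL is not yet valid": it parses the Last/Next Update stamps from an openssl crl -text dump, compares them against a UTC clock, and shows what happens when a signer stamps Europe/Berlin wall-clock time as if it were GMT. The sample CRL text, the "example CA" issuer, the fixed REAL_NOW clock and the +2 h offset are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the 'openssl crl -text' header in the post
# (same timestamps, placeholder issuer); not the poster's real CRL.
SAMPLE_CRL_TEXT = """\
        Issuer: C = DE, CN = example CA
        Last Update: Sep 30 11:02:19 2024 GMT
        Next Update: Oct  1 11:02:19 2024 GMT
"""
_STAMP_RE = r"{}:\s+([A-Z][a-z]{{2}}\s+\d{{1,2}} \d\d:\d\d:\d\d \d{{4}}) GMT"
REAL_NOW = datetime(2024, 9, 30, 11, 2, 19, tzinfo=timezone.utc)  # assumed true UTC clock at signing time

def parse_crl_window(text):
    """Return (last_update, next_update) from the text dump as aware UTC datetimes."""
    window = []
    for field in ("Last Update", "Next Update"):
        m = re.search(_STAMP_RE.format(field), text)
        if m is None:
            raise ValueError(f"{field} not found in CRL text")
        stamp = " ".join(m.group(1).split())  # openssl pads single-digit days: "Oct  1"
        window.append(datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc))
    return tuple(window)

def crl_status(text, now):
    """Classify the CRL as a verifier would against the aware clock 'now'."""
    if now.tzinfo is None:
        raise ValueError("compare against an aware UTC clock, never naive local time")
    last_update, next_update = parse_crl_window(text)
    now = now.astimezone(timezone.utc)
    if now < last_update:
        return "CRL is not yet valid"
    return "CRL has expired" if now > next_update else "ok"

def seconds_until_valid(text, now):
    """Positive: the signer's clock ran ahead of the verifier's by this much."""
    return (parse_crl_window(text)[0] - now.astimezone(timezone.utc)).total_seconds()

def render_crl_window(signing_clock):
    """Header lines a signer writes; labelled GMT whatever 'signing_clock' really is."""
    stamp = lambda dt: f"{dt:%b} {dt.day:2d} {dt:%H:%M:%S %Y} GMT"
    return f"Last Update: {stamp(signing_clock)}\nNext Update: {stamp(signing_clock + timedelta(days=1))}\n"

def demo(offset_hours=2):
    """Signer stamps Europe/Berlin wall-clock time (CEST = UTC+2 in September) as GMT; verify at true UTC."""
    skewed = render_crl_window((REAL_NOW + timedelta(hours=offset_hours)).replace(tzinfo=None))
    return {"correct": crl_status(SAMPLE_CRL_TEXT, REAL_NOW),
            "skewed": crl_status(skewed, REAL_NOW),
            "skew_seconds": seconds_until_valid(skewed, REAL_NOW)}
```

Calling demo() returns {'correct': 'ok', 'skewed': 'CRL is not yet valid', 'skew_seconds': 7200.0}: a CRL stamped with a clock two hours ahead of the verifier's is rejected for exactly those two hours, and a positive seconds_until_valid on a freshly generated CRL is the quickest way to confirm such skew between signer and verifier.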