  1. FreePBX
  2. FREEPBX-19908

VPN Drops All Connections Due to CRL Expiration


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Commercial
    • Affects Version/s: 14.0.3.1
    • Fix Version/s: None
    • Labels:
      None
    • ToDo:
    • Asterisk Version:
      13
    • Distro Version:
      14
    • Distro:
      FreePBX Distro

      Description

      (Occurred on two different deployments, set up at two different times directly from the FreePBX Distro)

      VPN (OpenVPN) was working fine, then suddenly all phones can no longer connect to it. The OpenVPN log shows this (date/time/ip address removed for readability):

      > TLS_ERROR: BIO read tls_read_plaintext error
      > TLS Error: TLS object -> incoming plaintext read error
      > TLS Error: TLS handshake failed
      > SIGUSR1[soft,tls-error] received, client-instance restarting
      > VERIFY ERROR: depth=0, error=CRL has expired: CN=client14
      > OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed

       

      To fix it, I disabled then enabled the VPN from System Admin. All extensions reconnected to the VPN successfully shortly thereafter.

      Based on posts on OpenVPN's forums, it is likely an issue of regenerating the CRL. The expiration can be prevented by putting in a far-into-the-future CRL nextUpdate expiration value. See this article:

      https://community.openvpn.net/openvpn/wiki/CertificateRevocationListExpired
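      The "CRL has expired" error in the log above appears once the server's CRL passes its nextUpdate time. The following is an added example, not part of the original report or of FreePBX, of a check that alerts before that happens. It assumes the openssl CLI and GNU date; the CRL path and the 14-day default threshold are placeholders.

```shell
#!/bin/sh
# Added example: alert before an OpenVPN CRL passes its nextUpdate time.
# Assumes the openssl CLI and GNU date; the CRL path passed in is a placeholder.

# Print seconds remaining until nextUpdate, given the line printed by
# `openssl crl -noout -nextupdate` ("nextUpdate=Jan  1 00:00:00 2030 GMT").
# $2 is "now" as a Unix epoch (defaults to the current time).
crl_seconds_left() {
    local line="$1"
    local now="${2:-$(date +%s)}"
    local expiry
    case "$line" in
        nextUpdate=*) ;;
        *) return 2 ;;                      # not an openssl nextUpdate line
    esac
    # A CRL without the field, or an unparsable date, fails here.
    expiry=$(date -u -d "${line#nextUpdate=}" +%s 2>/dev/null) || return 2
    echo $(( expiry - now ))
}

# Classify with monitoring-plugin exit codes: 0 OK, 1 WARNING, 2 CRITICAL.
# $1 = nextUpdate line, $2 = warning threshold in days, $3 = optional "now".
crl_status() {
    local warn_days="$2"
    local left
    left=$(crl_seconds_left "$1" "${3:-}") || {
        echo "CRITICAL: no readable nextUpdate in CRL"; return 2; }
    if [ "$left" -le 0 ]; then
        echo "CRITICAL: CRL expired; clients will fail with 'CRL has expired'"
        return 2
    elif [ "$left" -lt $(( warn_days * 86400 )) ]; then
        echo "WARNING: CRL expires in $(( left / 86400 )) day(s)"
        return 1
    fi
    echo "OK: CRL valid for $(( left / 86400 )) more day(s)"
}

# Check the CRL file that the server's crl-verify directive points at.
check_crl_file() {
    local line
    line=$(openssl crl -in "$1" -noout -nextupdate 2>/dev/null) || line=""
    crl_status "$line" "${2:-14}"
}

# Usage: sh crl_check.sh /path/to/crl.pem [warn_days]
if [ "$#" -gt 0 ]; then check_crl_file "$@"; fi
```

      Run from cron or a monitoring agent, a WARNING result gives time to regenerate the CRL before clients are rejected.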

       

              People

              • Assignee:
                Unassigned
                Reporter:
                drummerjoe drummerjoe
              • Votes:
                0
                Watchers:
                3
