After upgrading to OpenVPN 2.4.0, I got the following error when trying to connect to OpenVPN:
TLS: Initial packet from [AF_INET]x.x.x.x:50263, sid=2bd2de7a bd6f8694
VERIFY ERROR: depth=0, error=CRL has expired: CN=louis
OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
TLS_ERROR: BIO read tls_read_plaintext error
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
SIGUSR1[soft,tls-error] received, client-instance restarting
It appears that OpenVPN 2.4 doesn’t accept CRLs with a nextUpdate value that is in the past.
Fixing this issue is simple: regenerate the CRL.
I used EasyRSA to generate my CRL in the past, so I was able to fix it using these commands:
cd /etc/openvpn/easy-rsa
./easyrsa gen-crl
systemctl restart openvpn
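
To catch this before clients start failing, the check below reads the CRL's nextUpdate field with openssl and reports when it has passed or falls within a warning window. It is an added example, not part of the original post; the CRL path in the usage comment, the 14-day threshold, and the use of GNU date are assumptions.

```shell
#!/bin/sh
# Added example: warn before an OpenVPN CRL's nextUpdate passes.
# Assumptions (not from the post): CRL location, 14-day warning window,
# GNU date (for `date -d`).

# Convert the "nextUpdate=Jan  1 00:00:00 2017 GMT" line printed by
# `openssl crl -noout -nextupdate` to epoch seconds.
next_update_epoch() {
    date -u -d "${1#nextUpdate=}" +%s 2>/dev/null
}

# crl_state <nextUpdate line> <now epoch> [warn days]
# Prints EXPIRED, EXPIRING, OK, or UNREADABLE (e.g. "nextUpdate=NONE").
crl_state() {
    nu=$(next_update_epoch "$1") || { echo UNREADABLE; return 0; }
    left=$(( nu - $2 ))
    if [ "$left" -le 0 ]; then
        echo EXPIRED
    elif [ "$left" -le $(( ${3:-14} * 86400 )) ]; then
        echo EXPIRING
    else
        echo OK
    fi
}

# check_crl <crl file> [warn days]
# Exit status is 0 only when the CRL is valid beyond the warning window,
# so the script can be used directly from cron or a monitoring agent.
check_crl() {
    crl=$1
    line=$(openssl crl -in "$crl" -noout -nextupdate) || return 3
    state=$(crl_state "$line" "$(date +%s)" "${2:-14}")
    echo "$crl: $state ($line)"
    [ "$state" = OK ]
}

# Runs only when a CRL path is given, for example:
#   ./crl-check.sh /etc/openvpn/easy-rsa/pki/crl.pem 14
if [ "$#" -gt 0 ]; then
    check_crl "$@"
fi
```

A non-zero exit is the signal to run the gen-crl step again before the nextUpdate date is reached.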