Maybe it's just my configuration, but I just re-created a new PKI using
the easy-rsa scripts. The issue is that the "keys" directory is
readable only by root, AS IT SHOULD BE, but if I tell openvpn to use
--crl-verify it doesn't do this until well after its initialization,
only when a client connects. I think this makes sense from a timeline,
how can you verify what you don't know about? :-) However, at this
point openvpn has demoted itself and so it cannot read the crl file
from inside the keys directory.
As a temporary fix, I've changed the easy-rsa openvpn.cnf file to put
the crl.pem file out where it's not so highly protected and is readable
by a group that openvpn runs in. Is this a good compromise?
Openvpn-users mailing list
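An added check, not code from the post or from the OpenVPN project, that models the situation the post describes: the CRL named by `crl-verify` is opened at client-connect time, after OpenVPN has dropped to the `user`/`group` from its config, so the dropped identity must be able to search every directory on the path and read the file, while the private key (read once at startup as root) should stay unreadable to that identity. All uids, gids, modes and paths below are constructed sample data rather than real `stat()` results, and the user/group names are assumed placeholders.

```python
"""Model whether the identity OpenVPN drops to can open the CRL (read after
the drop) while the private key (read before the drop) stays root-only.
Constructed sample data; not taken from a real system."""
import stat
from dataclasses import dataclass

# Constructed identities; on a real host these come from /etc/passwd and /etc/group.
USERS = {"root": 0, "nobody": 65534}
GROUPS = {"root": 0, "nogroup": 65534, "openvpn": 1001}


@dataclass(frozen=True)
class FileInfo:
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o640


# Layout from the post: keys/ is searchable only by root, and crl.pem lives inside it.
FS_BEFORE = {
    "keys": FileInfo(0, 0, 0o700),
    "keys/server.key": FileInfo(0, 0, 0o600),
    "keys/crl.pem": FileInfo(0, 0, 0o644),  # readable bits, but the directory blocks the path
}
CONFIG_BEFORE = """\
key keys/server.key
crl-verify keys/crl.pem
user nobody
group nogroup
"""

# The workaround: CRL moved to a directory that the group OpenVPN runs as can search and read.
FS_AFTER = {
    "keys": FileInfo(0, 0, 0o700),
    "keys/server.key": FileInfo(0, 0, 0o600),
    "crl": FileInfo(0, GROUPS["openvpn"], 0o750),
    "crl/crl.pem": FileInfo(0, GROUPS["openvpn"], 0o640),
}
CONFIG_AFTER = """\
key keys/server.key
crl-verify crl/crl.pem
user nobody
group openvpn
"""


def parse_config(text):
    """Map each directive to its first argument, ignoring blank and comment lines."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = line.split()
            opts[parts[0]] = parts[1] if len(parts) > 1 else ""
    return opts


def _allowed(info, uid, gids, ubit, gbit, obit):
    """POSIX class selection: root bypasses; then owner, group, other bits."""
    if uid == 0:
        return True
    if uid == info.uid:
        return bool(info.mode & ubit)
    if info.gid in gids:
        return bool(info.mode & gbit)
    return bool(info.mode & obit)


def can_open_for_read(fs, path, uid, gids):
    """open(path, O_RDONLY) as uid/gids: every parent needs search (x), the file needs read (r)."""
    parts = path.split("/")
    for i in range(1, len(parts)):
        parent = "/".join(parts[:i])
        if parent not in fs or not _allowed(fs[parent], uid, gids,
                                            stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return False
    if path not in fs:
        return False
    return _allowed(fs[path], uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def audit(config_text, fs):
    """Return findings; empty means the CRL is reachable after the drop and the key is not."""
    opts = parse_config(config_text)
    uid = USERS[opts.get("user", "root")]
    gids = {GROUPS[opts.get("group", "root")]}
    if uid == 0:
        return ["no user directive: OpenVPN keeps root, so no privilege drop protects the key"]
    findings = []
    crl = opts.get("crl-verify")
    if crl and not can_open_for_read(fs, crl, uid, gids):
        findings.append(f"crl-verify: {crl} cannot be opened as uid {uid} after the privilege drop")
    key = opts.get("key")
    if key and can_open_for_read(fs, key, uid, gids):
        findings.append(f"key: {key} is readable by the unprivileged uid {uid}; it should stay root-only")
    return findings


if __name__ == "__main__":
    for label, cfg, fs in (("before", CONFIG_BEFORE, FS_BEFORE), ("after", CONFIG_AFTER, FS_AFTER)):
        print(label, audit(cfg, fs) or "OK")
```

In the "before" layout the file's own mode is irrelevant: the missing search bit on the root-only `keys` directory is what blocks the read, which is why the post's move to a separate directory works. The "after" layout keeps the CRL root-owned and not world-readable (`0640`, group-owned by the group OpenVPN runs as), and the key stays unreachable from the dropped identity.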