
[Openvpn-users] easyrsa & crl-verify after demotion ?

  • Subject: [Openvpn-users] easyrsa & crl-verify after demotion ?
  • From: Steven Palm <n9yty@xxxxxxxxx>
  • Date: Mon, 13 Dec 2004 12:53:11 -0600

Maybe it's just my configuration, but I just re-created a new PKI using the easy-rsa scripts. The issue is that the "keys" directory is readable only by root, AS IT SHOULD BE, but if I tell openvpn to use --crl-verify it doesn't do this until well after its initialization, only when a client connects. I think this makes sense from a timeline, how can you verify what you don't know about? :-) However, at this point openvpn has demoted itself and so it cannot read the crl file from inside the keys directory.

As a temporary fix, I've changed the easy-rsa openvpn.cnf file to put the crl.pem file out where it's not so highly protected and is readable by a group that openvpn runs in. Is this a good compromise?
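The failure described above only shows up when the first client connects, because the CRL is opened after openvpn has already switched to its --user/--group identity. The following is an added example (not code from the original post, OpenVPN or easy-rsa) of a pre-flight check an administrator can run before starting the daemon: it walks every directory on the way to the CRL and confirms the demoted numeric uid/gid can search each one and read the file itself, using only the classic owner/group/other permission bits. The CRL path, uid and gid are assumptions for illustration; POSIX ACLs and supplementary groups are ignored.

```sh
#!/bin/sh
# Added example, not part of the original post: verify that the file
# named by crl-verify stays readable after openvpn drops privileges.
# Requires GNU/busybox `stat -c`; ACLs and supplementary groups are not
# considered, so a pass here is necessary, not sufficient.

# perm_check PATH UID GID OWNERBIT GROUPBIT OTHERBIT
# Succeeds when the permission bit that applies to UID/GID is set on
# PATH. uid 0 always passes, mirroring the kernel's treatment of root.
perm_check() {
    path=$1; uid=$2; gid=$3; ubit=$4; gbit=$5; obit=$6
    [ "$uid" -eq 0 ] && return 0
    info=$(stat -c '%u %g %a' "$path" 2>/dev/null) || return 1
    set -- $info
    fuid=$1; fgid=$2; perm=$(( 0$3 ))      # leading 0 -> octal
    if   [ "$fuid" -eq "$uid" ]; then bit=$ubit
    elif [ "$fgid" -eq "$gid" ]; then bit=$gbit
    else                               bit=$obit
    fi
    [ $(( perm & bit )) -ne 0 ]
}

# crl_readable_by CRL UID GID
# Every ancestor directory needs the search (x) bit for the demoted
# identity, which is exactly what a root-only 0700 "keys" directory
# withholds; the CRL itself then needs the read (r) bit.
crl_readable_by() {
    crl=$1; uid=$2; gid=$3
    case $crl in /*) ;; *) crl=$(pwd)/$crl ;; esac
    dir=$(dirname "$crl")
    while :; do
        # execute bits: owner 0100, group 0010, other 0001
        perm_check "$dir" "$uid" "$gid" 64 8 1 || {
            echo "uid $uid/gid $gid cannot search $dir" >&2; return 1; }
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    # read bits: owner 0400, group 0040, other 0004
    perm_check "$crl" "$uid" "$gid" 256 32 4 || {
        echo "uid $uid/gid $gid cannot read $crl" >&2; return 1; }
    echo "ok: $crl readable by uid $uid/gid $gid"
}

# Assumed deployment values, for illustration only:
#   crl_readable_by /etc/openvpn/keys/crl.pem 65534 65534
```

The same question can be asked of the live system with `sudo -u <user> test -r /etc/openvpn/keys/crl.pem`, which does honour ACLs and supplementary groups; the function above is useful where that user has no shell or the check runs from a provisioning script. Keeping the private keys in a root-only directory while the CRL lives in a separate directory readable by openvpn's group, as the post does, is what makes this check pass without widening access to the keys themselves.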
