
Re: [Openvpn-users] Delete certificates

  • Subject: Re: [Openvpn-users] Delete certificates
  • From: Leonardo Rodrigues Magalhães <leolistas@xxxxxxxxxxxxxx>
  • Date: Tue, 05 Jun 2007 09:19:39 -0300

Lars Bonnesen wrote:
>>    Yeah .... you're having permission problems on the file.
>>    Please note that OpenVPN starts as root, reads all the key files (CA, 
>> server, etc.) as root and then drops privileges to the desired user. In 
>> your case, nobody.
>>    The CRL file is the only key file that is read again on each 
>> connection. So, it must be readable by the low-privilege user you 
>> choose.
>>    The error you're having simply indicates that OpenVPN is not 
>> able to read the file.
>>    Fix the permissions problem. Check file permissions as well as 
>> directory permissions.
>>    When OpenVPN is able to read the crl.pem file, you'll get things 
>> working the desired way.
> Great - thanks for the information. I moved the crl.pem file out of 
> the directory (don't want to change permissions on that directory) and 
> now OpenVPN can read it (I get connected, and the log is saying CRL 
> As another one said, I will now set up a cron job so that the file is 
> copied once a day (that is adequate for this system).

    Try modifying the revoke-full and revoke-cert scripts to do that! 
I'm sure you'll need no more than 2-3 new lines and it's done.

    The idea of revoking a certificate and it still being valid for 
some hours does bother me a lot. If I revoke a certificate, I want the 
connection to be denied NOW ... and not in some hours, when the cron 
job will run.

    OK, once a day can be adequate for your system ... but I'm sure 
modifying the revoke scripts will be extremely easy and you'll get 
immediate revocation working :)


	Sincerely,
	Leonardo Rodrigues
	Solutti Tecnologia

	My SPAM trap, do NOT send email to it
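The thread's two points (the CRL is the one file OpenVPN re-reads after dropping to the `user` account, so both the file and every directory above it must be readable by that account; and the copy belongs at the end of the revoke script rather than in a daily cron job) can be put into a small shell helper. The script below is an added example for this archive, not code from either poster, from OpenVPN or from easy-rsa; the paths, the `$KEY_DIR` variable and the assumption that the script runs as root are placeholders to adapt to your layout.

```sh
#!/bin/sh
# Added example; not code from this thread, from OpenVPN or from easy-rsa.
# It implements the reply's suggestion: once revoke-full has regenerated
# crl.pem, publish it to the file named by the server's crl-verify
# directive with permissions the unprivileged OpenVPN user can use, and
# confirm that before reporting success. All paths below are assumptions.
set -u

# Check that a user other than the owner can reach $1: the file itself
# needs o+r, and every directory above it needs o+x (search permission),
# because OpenVPN re-reads the CRL on each connection after it has
# dropped privileges to the 'user' directive's account (e.g. nobody).
# Prints the first blocking component and returns 1; returns 0 if clean.
world_readable_path() {
    path="$1"
    case "$path" in /*) ;; *) path="$PWD/$path" ;; esac
    [ -e "$path" ] || { echo "missing: $path"; return 1; }
    # columns 8-10 of 'ls -l' output are the permission bits for 'others'
    [ "$(ls -ldL "$path" | cut -c8)" = r ] \
        || { echo "not world-readable: $path"; return 1; }
    dir=$(dirname "$path")
    while :; do
        case "$(ls -ldL "$dir" | cut -c10)" in
            x|t) ;;   # 't' is the sticky bit on top of exec, as on /tmp
            *) echo "not world-searchable: $dir"; return 1 ;;
        esac
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return 0
}

# Publish the CRL: refuse anything that is not a PEM CRL, copy it to a
# temporary name in the destination directory, set mode 0644 and rename,
# so a connection being verified at that instant never reads a
# half-written file. Finally prove that the result is readable.
publish_crl() {
    src="$1"; dest="$2"
    grep -q -e '^-----BEGIN X509 CRL-----' "$src" 2>/dev/null \
        || { echo "not a PEM CRL: $src"; return 1; }
    tmp="$dest.tmp.$$"
    if cp "$src" "$tmp" && chmod 0644 "$tmp" && mv -f "$tmp" "$dest"; then
        world_readable_path "$dest"
    else
        rm -f "$tmp"
        echo "failed to publish $src to $dest"
        return 1
    fi
}

# Intended call from the last line of revoke-full (assumed paths):
#   publish_crl "$KEY_DIR/crl.pem" /etc/openvpn/crl.pem || exit 1
if [ $# -ge 2 ]; then
    publish_crl "$1" "$2"
fi
```

Note that the check looks at the mode bits rather than running `test -r` as the target user, so it gives the same answer whether it is run as root (where `test -r` always succeeds) or as an ordinary account, and the rename step means the server's `crl-verify` file is never seen in a partially written state by a client connecting during the update.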
