Lars Bonnesen wrote:
>> Yeah .... you're having permission problems on the file.
>>
>> Please note that OpenVPN starts as root, reads all the keys (CA,
>> server, etc.) as root and then drops privileges to the desired user. In
>> your case, nobody.
>>
>> The CRL file is the only key file that is read again in each
>> connection. So, it must be readable to the low-privilege user you
>> choose.
>>
>> The error you're having simply indicates that OpenVPN is not
>> able to read the file.
>>
>> Fix the permissions problem. Check file permissions as well as
>> directory permissions.
>>
>> When OpenVPN is able to read crl.pem file, you'll get things
>> working the desired way.
>
> Great - thanks for the information. I moved the crl.pem file out of
> the directory (don't want to change permissions on that directory) and
> now OpenVPN can read it (I get connected, and the log is saying CRL
> CHECK OK).
>
> As another one said, I will now set up a cron job so that the file is
> copied once a day (that is adequate for this system).
>
Try modifying the revoke-full and revoke-cert scripts to do that!
I'm sure you'll need no more than 2-3 new lines and it's done.
The idea of revoking a certificate and it still continuing to be valid for
some hours does bother me a lot. If I revoke a certificate, I want the
connection to be denied NOW ... and not in some hours, when the cron
job runs.
OK, once a day can be adequate for your system ... but I'm sure
modifying the revoke scripts will be extremely easy and you'll get
immediate revocation working :)
--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
My SPAM trap, do NOT email it:
gertrudes@xxxxxxxxxxxxxx
____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
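
The publishing step suggested in the reply above, as an added example that is not part of the original thread and not code from easy-rsa or OpenVPN: a shell function a revoke script could call right after it regenerates the CRL, so the copy OpenVPN reads is updated at revocation time instead of by a daily cron job. The function name `publish_crl` and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# publish_crl SRC DEST  (hypothetical helper, not part of easy-rsa or OpenVPN)
# Copies a freshly generated CRL to a location the unprivileged OpenVPN
# user can read, without loosening permissions on the key directory.
publish_crl() {
    src=$1
    dest=$2
    destdir=$(dirname "$dest")

    # Refuse anything that is not a PEM CRL, so a truncated or wrong file
    # never replaces a good published CRL.
    if ! grep -q '^-----BEGIN X509 CRL-----' "$src" 2>/dev/null ||
       ! grep -q '^-----END X509 CRL-----' "$src" 2>/dev/null; then
        echo "publish_crl: $src is not a PEM CRL" >&2
        return 1
    fi

    # Stage inside the destination directory so the final rename stays on
    # one filesystem and is atomic: the CRL is reread on each connection
    # and must never be seen half-written.
    tmp=$(mktemp "$destdir/.crl.XXXXXX") || return 1

    # 644 on the file is not enough on its own: the destination directory
    # must also be traversable by the low-privilege user (e.g. nobody).
    if cat "$src" > "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$dest"; then
        return 0
    fi

    rm -f "$tmp"
    echo "publish_crl: could not install $dest" >&2
    return 1
}

# Example call at the end of a revoke script (both paths are assumptions):
#   publish_crl /etc/openvpn/easy-rsa/keys/crl.pem /etc/openvpn/crl/crl.pem
```
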