Fix for VPN - CRL Expires after 6 Months, Phones Cannot Connect

This is an issue that I’ve been working with support on for many months, and they have had no success fixing it, so we found a solution ourselves, and are posting here for anyone else who encounters this issue:

We are using the VPN built in to FreePBX (OpenVPN). Every six months the CRL will expire and all phones will stop connecting, forcing us to go to the VPN Server and disable > save > enable > save in System Admin to get it to restart and regenerate a new CRL.

To fix this permanently, from SSH/Shell:

Navigate to /etc/openvpn/easyrsa3
Edit openssl-1.0.cnf

Change these parameters to something far in the future (I’ll put 3000 for example)
default_days = 3000
default_crl_days = 3000

Stop the VPN service then start it again


After updating the Framework and Certman modules, you can set this value in: Advanced Settings - Certificate Manager - Validity period of the certificate (in days)

That was the fix that was created and suggested by the support rep in our ticket, but it did not work (tested on 6 different servers, all with latest versions of all modules). The CRL expiration date is unaffected by this change in advanced settings.
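To confirm what either change actually did to the CRL, and to be warned before phones drop, read the CRL's nextUpdate field with openssl and compare it to the current time. This is an added example, not part of the thread or of FreePBX; it assumes GNU date and the openssl CLI, the function names are hypothetical, and the CRL path is supplied by you because the thread does not give it.

```shell
#!/bin/sh
# Added example: report how long an OpenVPN CRL has left before nextUpdate.
# Assumes GNU date (`date -d`) and the openssl CLI. Names are hypothetical.

# crl_days_left NEXTUPDATE [NOW_EPOCH]
# NEXTUPDATE is the line printed by `openssl crl -noout -nextupdate`.
# Prints whole days remaining, rounded down (negative once expired).
crl_days_left() {
    next=${1#nextUpdate=}
    now=${2:-$(date -u +%s)}
    exp=$(date -u -d "$next" +%s) || return 2
    diff=$((exp - now))
    if [ "$diff" -lt 0 ]; then
        echo $(( (diff - 86399) / 86400 ))
    else
        echo $(( diff / 86400 ))
    fi
}

# crl_status NEXTUPDATE WARN_DAYS [NOW_EPOCH]
# Prints EXPIRED, WARN (WARN_DAYS or fewer left) or OK.
crl_status() {
    days=$(crl_days_left "$1" "$3") || return 2
    if [ "$days" -lt 0 ]; then
        echo EXPIRED
    elif [ "$days" -le "$2" ]; then
        echo WARN
    else
        echo OK
    fi
}

# check_crl_file CRL_PEM [WARN_DAYS]
# Returns non-zero unless the status is OK, so cron or monitoring can alert.
check_crl_file() {
    line=$(openssl crl -in "$1" -noout -nextupdate) || return 2
    status=$(crl_status "$line" "${2:-30}") || return 2
    echo "$1: $status ($line)"
    [ "$status" = OK ]
}

# Run as: sh crl_check.sh /path/to/crl.pem 30   (path is a placeholder)
if [ "$#" -gt 0 ]; then
    check_crl_file "$@"
    exit $?
fi
```

Running it before and after a configuration change and VPN service restart shows whether the regenerated CRL picked up the new lifetime.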
