Expired CRL file prevents all users from connecting to OpenVPN Server

[twocs]

The easy-rsa/easyrsa3/vars.example file describes EASYRSA_CRL_DAYS as a soft problem. But in reality it appears to prevent anyone from connecting to the server. I don't expect it's a fun Easter egg to discover when our VPN servers fail just because we trusted the defaults and nobody has left the company in 180 days.

# How many days until the next CRL publish date?  Note that the CRL can still be
# parsed after this timeframe passes. It is only used for an expected next
# publication date.

#set_var EASYRSA_CRL_DAYS       180

In my opinion, the code comment that "the CRL can still be parsed", does not match the actuality that everyone's getting a CRL expired error, precluding accessing the server. I believe that the code comment was written prior to OpenVPN 2.4 when the CRL method became "processed much more rigidly than before" https://community.openvpn.net/openvpn/wiki/CertificateRevocationListExpired.

Other people describe the actual behaviour of this environment variable as:

make client fail to connect if the date past
pivpn/pivpn#567 (comment)

all VPN connections went down
https://www.reddit.com/r/OpenVPN/comments/11951c8/is_this_a_maintenance_item_easyrsa_gencrl/

my clients cannot connect... Debian [said] i should regenerate the CRL because it expired
https://forums.openvpn.net/viewtopic.php?t=23166#p67004

no further connections are allowed, even if other certs/keys themselves are still valid
https://forums.openvpn.net/viewtopic.php?t=27090#p81328

See easyrsa help gen-crl
https://github.com/OpenVPN/easy-rsa/wiki/EasyRSA-Renewal#-update-crl
(note that this comment simply indicates that gen-crl is an important part of ongoing maintenance, but this Wiki entry could also use a bit of context, since the output of easyrsa help gen-crl is simply: gen-crl Generate a CRL.).

The real fix seems to be to make SSL be able to parse the CRL after EASYRSA_CRL_DAYS, but an acceptable fix might simpy be to update the code comment to reflect the seriousness of this variable, such as:

# How many days until the next CRL publish date?  Note that the CRL will cease to 
# work after this timeframe passes. OpenVPN will respond to connection requests 
# with "VERIFY ERROR, CRL has expired" if the age of the CRL exceeds the days set.
#
#set_var EASYRSA_CRL_DAYS	180

Additionally, would you recommend that the value of 180 be increased to 825 or something high, to match the other defaults like EASYRSA_CERT_EXPIRE?

[TinCanTech]

I agree that the comment in the vars file could be improved.

FTR, this is not an easter-egg, this is how a CRL functions.

[dxdxdt]

I second this. Same issues with Dovecot. I reckon this is the default behaviour of OpenSSL.

[TinCanTech]

To clarify, OpenVPN behavior was changed in commit OpenVPN/openvpn@160504a.

This change invalidated this comment in Easy-RSA vars.example:

# How many days until the next CRL publish date?  Note that the CRL can still
# be parsed after this timeframe passes. It is only used for an expected next
# publication date.
#
#set_var EASYRSA_CRL_DAYS	180

This will be corrected before Easy-RSA release 3.2.2.

Also, improve the Easy-RSA command gen-crl output, to high-light this behavior change.

[dxdxdt]

@TinCanTech What are you doing on Sunday?!

Yes. The users should decide if they'd update CRL every 6 months or just set EASYRSA_CRL_DAYS with that of CA.