The client suddenly could not connect, even though checking the network and ports showed everything was normal.
The client log:
2024-06-06 20:36:35 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2024-06-06 20:36:35 VERIFY EKU OK
2024-06-06 20:36:35 VERIFY OK: depth=0, CN=lolicp
2024-06-06 20:37:35 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2024-06-06 20:37:35 TLS Error: TLS handshake failed
2024-06-06 20:37:35 SIGUSR1[soft,tls-error] received, process restarting
2024-06-06 20:37:35 MANAGEMENT: >STATE:1717677455,RECONNECTING,tls-error,,,,,
2024-06-06 20:37:35 Restart pause, 300 second(s)
2024-06-06 20:39:55 MANAGEMENT: Client disconnected
2024-06-07 08:16:16 Note: ovpn-dco-win driver is missing, disabling data channel offload.
The server log:
2024-06-07 08:19:14 111.31.3.154:32175 SIGUSR1[soft,tls-error] received, client-instance restarting
2024-06-07 08:19:17 120.245.20.41:23776 VERIFY ERROR: depth=0, error=CRL has expired: CN=zxe, serial=276500235251973918625170023597298881360
2024-06-07 08:19:17 120.245.20.41:23776 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
2024-06-07 08:19:17 120.245.20.41:23776 TLS_ERROR: BIO read tls_read_plaintext error
2024-06-07 08:19:17 120.245.20.41:23776 TLS Error: TLS object -> incoming plaintext read error
2024-06-07 08:19:17 120.245.20.41:23776 TLS Error: TLS handshake failed
Solution
Check the CRL
The logs above show the cause is "CRL has expired", so check the expiry time manually.
[root@lolicp ssl]# openssl crl -in crl.pem -issuer -hash -lastupdate -nextupdate
issuer=/CN=loli
8f24a61c
lastUpdate=Dec 9 09:41:00 2023 GMT
nextUpdate=Jun 6 09:41:00 2024 GMT
-----BEGIN X509 CRL-----
MIIBnTCBhgIBATANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQWDDARsb2xpFw0yMzEy
MDkwOTQxMDBaFw0yNDA2MDYwOTQxMDBaoEMwQDA/BgNVHSMEODA2gBQtjyAxT2mp
twHOhn0o7pmUMH5fBaETpBEzDzENMAsGA1UEAwwEbG9saYIJAOH6c74BNoW0MA0G
CSqGSIb3DQEBCwUAA4IBAQC9Ga/YZ2prFAJ4ajHEgHnpXVcB6W0qrdjVVgHOvgBH
8cV1c7XSYjLP5vOOqlFjuOSyIlxhOq68XqHV9v5EBZQm/adBqi3XyjWQVoGAPG6g
uCh+umaMD8+3fdrWKK+xVYwlsGVFSHyRUO5yR5f15jPy77cG9bC3/VIJ7O3yoHlC
Zkvpo1hey1PuD4pNDWFb/XISDBXOdCz3Q8M50rXGK2IlbjY/kUK2oiGUTFHIqthP
ab5OWLRTXzfqufuMGkTXS3BrjhDFiaA+/ffTH/QjZUhnpje/d5rPOPVY8MLxxIRo
p9iCjTb4sA0o4pY2GWCkARD3z40NKBg0/RB/8Tnx5VDf
-----END X509 CRL-----
The check shows the CRL was only valid for 6 months, which is a bit short.
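The manual openssl check above is exactly what should run on a schedule so nextUpdate is noticed before the server starts rejecting every client. The following script is an added example (not from the original post): it parses the text printed by `openssl crl -in crl.pem -noout -lastupdate -nextupdate`, computes the remaining validity, and classifies the CRL as ok, expiring or expired. The sample output embedded in it is constructed from the post's first openssl run; the `check_crl_file` helper, the 14-day warning threshold and the `crl_check.py` file name are assumptions. The same check applies to the verification step after regenerating the CRL later in the post.

```python
"""Check how long an OpenVPN CRL stays valid before the server rejects all clients.

Added example (not from the original post). Parses the output of
`openssl crl -noout -lastupdate -nextupdate` and warns when nextUpdate is near.
"""
import re
import subprocess
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed test input: the date lines from the post's first `openssl crl` run
# (the -hash line and the PEM body are omitted because they carry no dates).
SAMPLE_OUTPUT = """issuer=/CN=loli
lastUpdate=Dec 9 09:41:00 2023 GMT
nextUpdate=Jun 6 09:41:00 2024 GMT
"""

_DATE_RE = re.compile(r"^(lastUpdate|nextUpdate)=(.+?)\s*$", re.MULTILINE)


def parse_openssl_time(text: str) -> datetime:
    """Parse OpenSSL's 'Jun  6 09:41:00 2024 GMT' form (day may be 1 or 2 digits)."""
    parts = text.split()  # split() also collapses the double space before single-digit days
    if len(parts) != 5 or parts[4] != "GMT":
        raise ValueError(f"unexpected OpenSSL time format: {text!r}")
    naive = datetime.strptime(" ".join(parts[:4]), "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def parse_crl_dates(output: str) -> dict:
    """Return {'lastUpdate': datetime, 'nextUpdate': datetime} from openssl crl output."""
    found = {key: parse_openssl_time(val) for key, val in _DATE_RE.findall(output)}
    missing = {"lastUpdate", "nextUpdate"} - found.keys()
    if missing:
        raise ValueError(f"openssl output lacks {sorted(missing)}")
    return found


def crl_status(output: str, now: datetime, warn_days: int = 14) -> dict:
    """Classify the CRL as 'expired', 'expiring' or 'ok' relative to `now`."""
    dates = parse_crl_dates(output)
    remaining = dates["nextUpdate"] - now
    if remaining <= timedelta(0):
        state = "expired"
    elif remaining <= timedelta(days=warn_days):
        state = "expiring"
    else:
        state = "ok"
    return {
        "state": state,
        "days_left": remaining.total_seconds() / 86400,
        "validity_days": (dates["nextUpdate"] - dates["lastUpdate"]).days,
        "nextUpdate": dates["nextUpdate"],
    }


def check_crl_file(path: str, now: Optional[datetime] = None, warn_days: int = 14) -> dict:
    """Run openssl on a real CRL file; this is the form to call from cron or monitoring.

    Hypothetical helper: it needs the openssl binary on PATH.
    """
    out = subprocess.run(
        ["openssl", "crl", "-in", path, "-noout", "-lastupdate", "-nextupdate"],
        check=True, capture_output=True, text=True,
    ).stdout
    return crl_status(out, now or datetime.now(timezone.utc), warn_days)


if __name__ == "__main__":
    # Evaluate the post's CRL on the day the server log recorded the failure.
    failure_day = datetime(2024, 6, 7, tzinfo=timezone.utc)
    print(crl_status(SAMPLE_OUTPUT, failure_day))
    # Real use, e.g. from cron: check_crl_file("/etc/openvpn/ssl/crl.pem")
```

Run on the post's CRL with the failure date, the result is state "expired" with a validity of 180 days; the same function reports "ok" on the regenerated one-year CRL until two weeks before its nextUpdate, which gives a monitoring alert with enough lead time to run gen-crl again.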
Generate a new CRL
Edit the vars configuration file and add or modify the CRL validity period in days:
set_var EASYRSA_CRL_DAYS 365
Generate the CRL and copy it to the directory specified in the server configuration.
[root@VM-8-11-centos easy-rsa]# ./easyrsa gen-crl
Note: using Easy-RSA configuration from: /opt/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Using configuration from /opt/openvpn/easy-rsa/pki/easy-rsa-24772.ZZ3dWm/tmp.4dfdTz
Enter pass phrase for /opt/openvpn/easy-rsa/pki/private/ca.key:
An updated CRL has been created.
CRL file: /opt/openvpn/easy-rsa/pki/crl.pem
Verify the CRL
[root@lolicp ssl]# openssl crl -in crl.pem -issuer -hash -lastupdate -nextupdate
issuer=/CN=loli
8f24a61c
lastUpdate=Jun 7 00:23:18 2024 GMT
nextUpdate=Jun 7 00:23:18 2025 GMT
-----BEGIN X509 CRL-----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-----END X509 CRL-----