easyrsa3 redux - crl expiry


  • Wed 04 April 2018
  • misc

I run a personal instance of Splunk behind a client-cert-protected NGiNX proxy.

Suddenly it stopped working. Nothing seemed to have changed, and the logs were no help: NGiNX just returned its 400 page saying the client certificate had failed verification.

What changed? Nothing changed!

Except the clock. Turns out that CRLs expire too: easy-rsa 3's gen-crl runs openssl ca -gencrl with -crldays taken from EASYRSA_CRL_DAYS, whose default is 180, so the CRL's nextUpdate lands 180 days after it was generated. (OpenSSL's own stock openssl.cnf uses default_crl_days = 30; the 180 is easy-rsa's.) Once nextUpdate passes, a verifier that enforces the CRL, such as NGiNX with ssl_crl set, rejects every client certificate, revoked or not.

Starting up nginx in debug mode yielded this (note the line is logged at info level, so error_log set to info would have shown it without the full debug firehose; the default error level hides it):

2018/04/04 14:07:42 [info] 15800#15800: *3 client SSL certificate verify error: (12:CRL has expired) while reading client request headers, client: 108.44.249.87, server: splunk.seastrom.com, request: "GET / HTTP/2.0", host: "splunk.seastrom.com"

So I made a change to easy-rsa/easyrsa3/vars thus:

set_var EASYRSA_CRL_DAYS        3600

The vars change by itself does nothing to the CRL already on disk: it only takes effect on the next ./easyrsa gen-crl, and the resulting pki/crl.pem still has to be copied to wherever ssl_crl points and NGiNX reloaded. The same three steps are what revocation needs too. NGiNX reads the CRL from a local file and never fetches a fresh one, so a 3600-day nextUpdate just means a stale CRL is accepted for nearly ten years instead of six months, and nothing will prompt you to re-issue it after revoking a cert.
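To see the failure and the fix end to end without touching a real PKI, here is an added example (my code, not from the original post and not easy-rsa's own script). It builds a throwaway CA and one client certificate, issues a CRL whose nextUpdate is one second away, reproduces the rejection with the same check NGiNX performs for ssl_verify_client plus ssl_crl (openssl verify -crl_check), then re-issues the CRL the way easyrsa gen-crl does (openssl ca -gencrl -crldays N) and shows the same client verifying again. It assumes openssl on PATH and GNU date for -d; the directory layout, the toy CA config and the names in it are all made up for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or from easy-rsa.
# Assumptions: openssl CLI on PATH, GNU date (-d); every path below is a
# hypothetical layout under the directory passed as $1.
set -eu

# Build a toy CA and one client certificate under "$1".
setup_toy_ca() {
    dir=$1
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    echo 01 > "$dir/crlnumber"
    # Unquoted heredoc: $dir is expanded by the shell, \$dir is left for openssl.
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca         = toy_ca
[ toy_ca ]
dir                = $dir
database           = \$dir/index.txt
new_certs_dir      = \$dir/newcerts
serial             = \$dir/serial
crlnumber          = \$dir/crlnumber
certificate        = \$dir/ca.crt
private_key        = \$dir/ca.key
default_md         = sha256
default_days       = 365
default_crl_days   = 180
policy             = policy_any
[ policy_any ]
commonName         = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints   = critical,CA:TRUE
EOF
    openssl req -config "$dir/openssl.cnf" -x509 -newkey rsa:2048 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -days 3650 \
        -subj "/CN=Toy CA" >/dev/null 2>&1
    openssl req -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/client.key" -out "$dir/client.csr" \
        -subj "/CN=toy client" >/dev/null 2>&1
    openssl ca -config "$dir/openssl.cnf" -batch -in "$dir/client.csr" \
        -out "$dir/client.crt" >/dev/null 2>&1
}

# Issue a CRL whose nextUpdate is $2 seconds from now.
gen_crl_seconds() {
    openssl ca -config "$1/openssl.cnf" -gencrl -crlsec "$2" \
        -out "$1/crl.pem" >/dev/null 2>&1
}

# Issue a CRL whose nextUpdate is $2 days from now (what easyrsa gen-crl
# does with EASYRSA_CRL_DAYS).
gen_crl_days() {
    openssl ca -config "$1/openssl.cnf" -gencrl -crldays "$2" \
        -out "$1/crl.pem" >/dev/null 2>&1
}

# The check NGiNX performs for ssl_verify_client with ssl_crl set:
# exit 0 only if the chain verifies AND the CRL is current.
verify_client() {
    openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/crl.pem" \
        "$1/client.crt" 2>&1
}

# Seconds until the CRL's nextUpdate; zero or negative once it has expired.
crl_seconds_left() {
    next=$(openssl crl -in "$1" -noout -nextupdate | cut -d= -f2)
    echo $(( $(date -u -d "$next" +%s) - $(date -u +%s) ))
}

demo() {
    d=$(mktemp -d)
    setup_toy_ca "$d"
    gen_crl_seconds "$d" 1          # stale almost immediately
    sleep 2
    echo "--- CRL issued for 1 s, checked 2 s later:"
    verify_client "$d" || echo "(rejected, exactly as NGiNX did)"
    gen_crl_days "$d" 3600          # what EASYRSA_CRL_DAYS 3600 yields
    echo "--- CRL re-issued with -crldays 3600:"
    verify_client "$d"
    echo "nextUpdate in $(crl_seconds_left "$d/crl.pem") s"
    rm -rf "$d"
}

demo
```

Run it with sh and the first verify prints openssl's "CRL has expired" error (verify error 12, the same number NGiNX logged) while the second prints OK. crl_seconds_left is the piece worth keeping: point it at the file ssl_crl names, run it from cron, and alert when the value drops below a couple of weeks, so the next expiry is a ticket rather than an outage.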

We'll see if this sticks. I'll try to remember to let you know in another half year.