Am Tue, 26 Jul 2022 11:05:39 +0200 schrieb "Bernhard M. Wiedemann" <bernhardout@lsmod.de>:

On the server logs I see

2022-07-26 08:53:00 us=422000 195.135.221.27:45738 VERIFY ERROR: depth=0, error=CRL has expired: CN=monitor, serial=24 2022-07-26 08:53:00 us=423632 195.135.221.27:45738 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

even though my client cert says it is valid until 2028.

The problem seems to come from scar:/etc/openvpn/certs/crl.pem Last Update: Jan 26 13:02:32 2022 GMT Next Update: Jul 25 13:02:32 2022 GMT

That originates from /etc/easy-rsa/pki/crl.pem

I made a /etc/easy-rsa/renewcrl.sh to renew it and now everything is back working.

Thanks, Bernhard! That happens, if Lars has other duties ;-) Just in case someone wonders, we have it in our documentation since 'years': https://progress.opensuse.org/projects/opensuse-admin-wiki/wiki/VPN_Server_m... Regards, Lars PS: Our monitoring currently reports 1 host and 76 service problems. Most of them related to security updates not being installed. As I am currently busy with other stuff, I hope that someone else can take over the part of "keeping the monitoring green" from me.