When configuring an OpenVPN server where the "Certificate Revocation List" is in OPNsense's Trust store and where "Verify Client Certificate" is set to "required", the OpenVPN server logs the following warnings:
2025-07-07T20:10:22 Warning openvpn_server1 {IP_REDACTED}:57866 CRL: cannot read CRL from file /var/etc/openvpn/server-2eb6ff80-fa3f-4c59-a785-acca7c44f471.crl-verify
2025-07-07T20:10:22 Warning openvpn_server1 {IP_REDACTED}:57866 OpenSSL: error:0480006C:PEM routines::no start line:
2025-07-07T20:10:22 Warning openvpn_server1 {IP_REDACTED}:57866 OpenSSL: error:0308010C:digital envelope routines::unsupported:Global default library context, Algorithm (none : 0), Properties (<null>)
My first thought was that perhaps the CRL is malformed, but when verifying the contents of the CRL file with openssl, the CRL seems to be valid:
root@mono:~ # openssl crl -in /var/etc/openvpn/server-2eb6ff80-fa3f-4c59-a785-acca7c44f471.crl-verify -inform PEM -CAfile ca.crt -noout
verify OK
There also shouldn't be a problem with file permissions – the CRL file has 644 permissions and its parent directories are world accessible. Besides, the OpenVPN server process runs as root.
The structure of the CRL file is:
-----BEGIN X509 CRL-----
BASE64 CRL
-----END X509 CRL-----
When revoking certificates, it appears that the OpenVPN server can actually read the CRL, as the revoked certs can no longer be used to connect to the OpenVPN server. However, seeing those warnings still makes me feel uneasy. Any thoughts on what's causing these warnings? Am I in for further problems down the line?
All of this is happening on OPNsense 25.1.10-amd64.
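OpenSSL's "PEM routines::no start line" is what its PEM reader reports when it reaches the end of the input without finding a `-----BEGIN ...-----` marker it recognises, so the question to settle is whether the bytes OpenVPN actually read were a complete PEM object at that moment. The checker below is an added example, not code from the original post, from OPNsense or from OpenVPN; it checks only the PEM framing of a `.crl-verify` file (empty file, missing or unmatched BEGIN/END lines, non-base64 body, body that does not begin with a DER SEQUENCE, stray bytes, plus a BOM or CRLF line endings as notes) and leaves signature verification to `openssl crl -CAfile ... -noout` as shown above. The sample inputs are constructed placeholders, not real CRLs.

```python
import base64
import sys

BEGIN = b"-----BEGIN X509 CRL-----"
END = b"-----END X509 CRL-----"
BOM = b"\xef\xbb\xbf"

# Constructed sample inputs (not a real CRL): a hand-built DER SEQUENCE wrapped
# in PEM framing, plus deliberately broken variants of the same file.
_FAKE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])        # SEQUENCE { INTEGER 1 }
SAMPLE_GOOD = BEGIN + b"\n" + base64.encodebytes(_FAKE_DER) + END + b"\n"
SAMPLE_EMPTY = b""                                        # e.g. file read while being rewritten
SAMPLE_DER_ONLY = _FAKE_DER                               # DER handed to a PEM reader
SAMPLE_BOM_CRLF = BOM + SAMPLE_GOOD.replace(b"\n", b"\r\n")
SAMPLE_TRUNCATED = SAMPLE_GOOD[: SAMPLE_GOOD.index(END)]  # END line cut off


def inspect_pem_crl(data: bytes) -> dict:
    """Check the PEM framing of a CRL file without validating its signature.

    "problems" are things that stop a PEM reader from finding a complete CRL
    object at all (empty file, no BEGIN line, missing END line, bad base64,
    a body that is not a DER SEQUENCE).  "notes" are oddities that most
    readers tolerate but that are worth normalising (BOM, CRLF).  The
    signature is NOT checked here; use `openssl crl -in <file> -CAfile <ca>
    -noout` for that.
    """
    problems, notes = [], []
    if not data:
        problems.append("file is empty: a PEM reader hits EOF before any BEGIN line")
        return {"crl_blocks": 0, "problems": problems, "notes": notes}
    if data.startswith(BOM):
        notes.append("UTF-8 BOM before the first BEGIN line")
        data = data[len(BOM):]
    if b"\r\n" in data:
        notes.append("CRLF line endings")
    if BEGIN not in data:
        problems.append("no '-----BEGIN X509 CRL-----' line found")

    blocks, in_block, body = 0, False, []
    for lineno, raw in enumerate(data.replace(b"\r\n", b"\n").split(b"\n"), 1):
        line = raw.strip()
        if line == BEGIN:
            if in_block:
                problems.append(f"line {lineno}: BEGIN while previous block is unterminated")
            in_block, body = True, []
        elif line == END:
            if not in_block:
                problems.append(f"line {lineno}: END without a matching BEGIN")
                continue
            in_block = False
            blocks += 1
            try:
                der = base64.b64decode(b"".join(body), validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                problems.append(f"block {blocks}: body is not valid base64")
                continue
            if not der or der[0] != 0x30:
                problems.append(f"block {blocks}: decoded body does not start with a DER SEQUENCE tag")
        elif in_block:
            body.append(line)
        elif line:
            problems.append(f"line {lineno}: stray bytes outside any PEM block")
    if in_block:
        problems.append("BEGIN line without a matching END line")
    return {"crl_blocks": blocks, "problems": problems, "notes": notes}


if __name__ == "__main__":
    # Usage: python3 inspect_crl.py /var/etc/openvpn/server-<id>.crl-verify
    with open(sys.argv[1], "rb") as fh:
        report = inspect_pem_crl(fh.read())
    print(f"CRL objects found: {report['crl_blocks']}")
    for p in report["problems"]:
        print("PROBLEM:", p)
    for n in report["notes"]:
        print("note:", n)
    sys.exit(1 if report["problems"] or report["crl_blocks"] == 0 else 0)
```

Running it against the file at the moment the warning appears (or from a loop that re-checks the file whenever its modification time changes) tells you whether OpenVPN saw a well-formed CRL or something else, such as a zero-length file, which is the one framing state that produces exactly the "cannot read CRL" plus "no start line" pair. A clean report combined with the `verify OK` from `openssl crl` narrows the question to timing rather than content.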