If you are trying to revoke an OpenVPN certificate by using the revoke-full command from within your easy-rsa directory, you might stumble upon the following error message:

error 3 at 0 depth lookup:unable to get certificate CRL

The full standard output from the revoke-full command would look like this:

Using configuration from
error loading the config file ''
3069990096:error:02001002:system library:fopen:No such file or directory:bss_fil e.c:169:fopen('','rb')
3069990096:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:172:
3069990096:error:0E078072:configuration file routines:DEF_LOAD:no such file:conf _def.c:197:
Using configuration from
error loading the config file ''
3070067920:error:02001002:system library:fopen:No such file or directory:bss_fil e.c:169:fopen('','rb')
3070067920:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:172:
3070067920:error:0E078072:configuration file routines:DEF_LOAD:no such file:conf _def.c:197:
cat: crl.pem: No such file or directory
client.crt: C = CO, ST = State, L = City, O = changeme, OU = changeme, CN = client, name = changeme, emailAddress = mail@host.domain
error 3 at 0 depth lookup:unable to get certificate CRL

Notice that there is definitely something wrong here. The command is trying to use the OpenVPN configuration file but is failing to find it (error loading the config file ''). In addition to this, you might also see the following ouput when running source ./vars:

bash: /etc/openvpn/easy-rsa/whichopensslcnf: Permission denied
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/ keys

Both of these errors make it pretty clear that this is a permission issue. If this is your exact scenario, then usually making the whichopensslcnf script executable is enough to make things working again:

chmod 700 whichopensslcnf

Now try sourcing ./vars again and you should not see permission issues anymore. Consequently, running revoke-full should complete successfully with the following message:

error 23 at 0 depth lookup:certificate revoked