How To Solve Error “CRL: cannot read: crl.pem: Permission denied (errno=13)” In OpenVPN

After enabling CRL checking on my OpenVPN server, I ran into an annoying permission issue. When I tried connecting from the Android app, the connection would simply time out. This had never happened before I enabled CRLs, so I realized something must be wrong with them.

So I looked into the OpenVPN logs (/var/log/openvpn.log) and noticed the following entry:

CRL: cannot read: /etc/openvpn/easy-rsa/keys/crl.pem: Permission denied (errno=13)

The weird thing was that both the crl.pem file and the whole /etc/openvpn folder were owned by root and were perfectly readable with nano crl.pem from the CLI. So from a filesystem point of view, everything looked OK.

Then I remembered these two lines from server.conf:

user nobody
group nogroup

These are the user and group the OpenVPN daemon runs as, whereas I had been checking the permissions as root. That is why everything looked fine from a root shell, but once OpenVPN was running as nobody, that user had no permissions on the CRL file and the error appeared.

The solution?

sudo chown -R nobody:nogroup /etc/openvpn
sudo chmod -R 700 /etc/openvpn
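The following POSIX shell script is an added example, not code from the original post. It reproduces the discretionary access check the kernel makes when OpenVPN, already switched to the user and group from server.conf, opens the file named by crl-verify: every directory on the way needs search (x) permission for that identity and the file itself needs read (r) permission, evaluated through the owner, group and other classes the way access(2) does. It assumes GNU coreutils stat (Linux), no POSIX ACLs, and ignores supplementary groups; user, group and crl-verify are real OpenVPN directives, while the config file and directory tree used in the usage are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): emulate the permission check the
# kernel performs when the OpenVPN daemon, already running as the "user"/"group"
# from server.conf, opens the CRL named by "crl-verify". Assumes GNU coreutils
# stat (Linux), no ACLs; supplementary groups are ignored.

# Does USER (with group GROUP) hold permission WANT ('r' or 'x') on PATH?
# Mirrors the kernel's rule: the owner class applies if the user owns the file,
# otherwise the group class, otherwise "other"; root bypasses the check.
perm_check() {
  user=$1; group=$2; path=$3; want=$4
  [ "$user" = root ] && return 0
  info=$(stat -c '%U %G %a' "$path" 2>/dev/null) || { echo "cannot stat $path"; return 1; }
  set -- $info
  owner=$1; ogroup=$2
  digits=$(printf '000%s' "$3" | tail -c 3)   # keep only the rwx digits, drop setuid/sticky
  case $want in r) bit=4 ;; x) bit=1 ;; esac
  if   [ "$owner" = "$user" ];   then digit=$(printf '%s' "$digits" | cut -c1)
  elif [ "$ogroup" = "$group" ]; then digit=$(printf '%s' "$digits" | cut -c2)
  else                                digit=$(printf '%s' "$digits" | cut -c3)
  fi
  [ $((digit & bit)) -ne 0 ]
}

# Walk from START (default "/") down to FILE: every directory on the way needs
# search (x) permission, the file itself needs read (r). Prints the first
# failing component, since OpenVPN's errno=13 alone does not say which one it was.
check_path_readable() {
  user=$1; group=$2; file=$3; start=${4:-/}
  rel=${file#"$start"}; rel=${rel#/}
  cur=${start%/}
  oldifs=$IFS; IFS=/; set -- $rel; IFS=$oldifs
  while [ $# -gt 1 ]; do
    cur="$cur/$1"
    perm_check "$user" "$group" "$cur" x ||
      { echo "denied: $user:$group cannot search directory $cur"; return 1; }
    shift
  done
  cur="$cur/$1"
  perm_check "$user" "$group" "$cur" r ||
    { echo "denied: $user:$group cannot read $cur"; return 1; }
  echo "ok: $user:$group can read $cur"
}

# First value of a directive in an OpenVPN config ("user nobody" -> "nobody").
conf_value() { awk -v key="$1" '$1 == key { print $2; exit }' "$2"; }

# Read user, group and crl-verify from CONF and run the walk. Without a
# "user"/"group" directive OpenVPN keeps running as root; a relative crl-verify
# path is resolved against the current directory here (the "cd" directive is ignored).
check_openvpn_crl() {
  conf=$1; start=${2:-/}
  u=$(conf_value user "$conf");  u=${u:-root}
  g=$(conf_value group "$conf"); g=${g:-root}
  crl=$(conf_value crl-verify "$conf")
  [ -n "$crl" ] || { echo "no crl-verify directive in $conf"; return 1; }
  check_path_readable "$u" "$g" "$crl" "$start"
}

# Usage: sh crlcheck.sh /etc/openvpn/server.conf
if [ $# -ge 1 ]; then check_openvpn_crl "$@"; fi
```

OpenVPN loads the server certificate and private key while still root, before switching to the configured user and group, but it opens the CRL again for later TLS handshakes as that unprivileged identity. So only the CRL and the directories above it have to be reachable by nobody:nogroup; the private key can stay root-owned with mode 600 (add persist-key so restarts triggered by SIGUSR1 do not need to re-read it), which is why a narrow fix like the one in the first comment below is preferable to chown -R over the whole /etc/openvpn tree.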

6 Comments

  1. If you would like to be more restrictive, you could go for:
    chgrp nogroup /etc/openvpn/easy-rsa /etc/openvpn/easy-rsa/keys
    chmod g+x /etc/openvpn/easy-rsa /etc/openvpn/easy-rsa/keys

  2. Hi, and thanks for sharing this information.
    I also have problems with the crl.pem file, but not quite the same.

    The error: CRL: cannot read CRL from file /etc/openvpn/crl.pem occurs one or two times per month. File rights are ok: CRL check OK over 2000 times/hour.

    Best guess is that from time to time the crl.pem is somehow locked and openvpn itself can't handle this kind of situation.

    I can see that you are deeply involved in openvpn and I'm asking if you would have any suggestions or advice on how to log/track/get started solving this problem.

    – Jani

    • Hi Jani,

      If the issue appears to be random in your case then it's definitely weird. In my case I was getting this issue every time, not just occasionally. You say that the file permissions are right, but what about ownership? Who is the owner of the crl.pem file (and of the whole folder it is in)?

      Thanks,
      Daniel

      • We too have the same "cannot read CRL from file /etc/openvpn/crl.pem" appearing occasionally.
        The permissions are correct (everyone has read permission); the openvpn process restarts and can read the file again.


© 2017 Daniel's TechBlog
