From 9c0579052f149dd46cc59b1b8bee53f3d54dc785 Mon Sep 17 00:00:00 2001
From: Nyr
Date: Tue, 29 Aug 2017 17:55:14 +0200
Subject: [PATCH] Fix #352

Set EASYRSA_CRL_DAYS to 3650 instead of the default 180. OpenVPN 2.4+ enforces the nextUpdate value in the CRL as a hard limit, and will not work if more than 6 months passed since it was generated.
---
 openvpn-install.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index f7ec2dc..0a62b8f 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -113,7 +113,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then
 CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p)
 cd /etc/openvpn/easy-rsa/
 ./easyrsa --batch revoke $CLIENT
-./easyrsa gen-crl
+EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
 rm -rf pki/reqs/$CLIENT.req
 rm -rf pki/private/$CLIENT.key
 rm -rf pki/issued/$CLIENT.crt
@@ -246,7 +246,7 @@ else
 ./easyrsa gen-dh
 ./easyrsa build-server-full server nopass
 ./easyrsa build-client-full $CLIENT nopass
-./easyrsa gen-crl
+EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
 # Move the stuff we need
 cp pki/ca.crt pki/private/ca.key pki/dh.pem pki/issued/server.crt pki/private/server.key pki/crl.pem /etc/openvpn
 # CRL is read with each client connection, when OpenVPN is dropped to nobody
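Review bot: The new `EASYRSA_CRL_DAYS=3650` on the `gen-crl` line of both hunks (the revoke path at line 116 and the install path at line 249) carries no comment, so a later maintainer cannot tell why the CRL lifetime is ten years rather than EasyRSA's default, nor that this is only acceptable because the script re-issues `pki/crl.pem` on every revocation — a long nextUpdate otherwise removes the freshness check that makes a stale CRL get rejected. I would add above each call `# OpenVPN 2.4+ rejects a CRL whose nextUpdate has passed; 3650 days is fine only because gen-crl is re-run on every revoke` and set the value once (e.g. `export EASYRSA_CRL_DAYS=3650` near the top) instead of repeating the literal in two places. In the first hunk the exit status of `gen-crl` is also not checked: if it fails, the following `rm -rf` lines still delete the client's key and certificate while the old CRL continues to accept the revoked client, so unless the script runs under `set -e` (not visible here) `EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl || exit 1` would be safer. The enclosing `if`/`else` blocks of both hunks start and end outside the hunks.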