Bug #8387
closed
Cannot use large CRLs
Description
Attempting to import CRL data for certificate authorities via the "System > Cert. Manager > Certificate Revocation" web interface.
Using the following command to create the X.509 CRL formatted data:
curl https://pki.<redacted>CA.crl | openssl crl -inform DER -out <redacted>_ca_crl.pem
The resulting file appears to be of the correct format as it begins with the BEGIN X509 CRL header and ends with the END X509 CRL footer. The data size is 28M. I am able to paste it into the CRL data field, but I get a "504 Gateway Time-out" a few minutes after clicking "Save".
A message similar to this appears in /var/log/system.log:
Mar 20 14:22:25 firewall firewall nginx: 2018/03/20 14:22:25 [error] 65974#100411: *
Updated by Anonymous over 7 years ago
- Subject changed from Cannot use large number of CRL's to Cannot use large number of CRLs
Updated by Jim Pingle over 7 years ago
- Subject changed from Cannot use large number of CRLs to Cannot use large CRLs
This doesn't seem viable to support, but maybe in the future. The current page and its text-based operation will not properly handle that large amount of data, and it would be too large to keep in the config.xml as well.
To use a large CRL, manually copy the file to the firewall in /conf/, /root/ or a similar stable location and then add a custom crl-verify line to the OpenVPN advanced options.
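One way to carry out the workaround above, added here as an example (not code from the ticket or from pfSense): convert the downloaded DER CRL, check it, move it into place with a rename, and print the crl-verify line. The function names, the file names in the usage line and the separate CA certificate file are assumptions; the signature check against the CA is an extra step the ticket does not mention.

```shell
#!/bin/sh
# Added example: stage a large CRL on disk for OpenVPN's crl-verify.
# Paths and file names are placeholders, not values from the ticket.

# Convert a DER CRL (as fetched with curl in the report) to PEM.
crl_to_pem() {  # $1 = DER input, $2 = PEM output
    openssl crl -inform DER -in "$1" -out "$2"
}

# Succeed only if the file parses as a CRL and is signed by the given CA.
# Some OpenSSL versions exit 0 on a bad signature, so match "verify OK".
crl_check() {  # $1 = PEM CRL, $2 = CA certificate (PEM)
    openssl crl -in "$1" -noout 2>/dev/null || return 1
    openssl crl -in "$1" -CAfile "$2" -noout 2>&1 | grep -q 'verify OK'
}

# Copy into place via a temp file in the target directory and rename, so
# OpenVPN never reads a half-written CRL.
install_crl() {  # $1 = checked PEM CRL, $2 = destination path
    tmp=$(mktemp "$(dirname "$2")/.crl.XXXXXX") || return 1
    cp "$1" "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$2" && return 0
    rm -f "$tmp"; return 1
}

# The line to add to the OpenVPN advanced options.
crl_verify_directive() {  # $1 = installed CRL path
    printf 'crl-verify %s\n' "$1"
}

# Usage: sh stage_crl.sh ca_crl.der ca.crt /conf/example_ca_crl.pem
if [ "$#" -eq 3 ]; then
    work=$(mktemp) || exit 1
    if crl_to_pem "$1" "$work" && crl_check "$work" "$2" &&
       install_crl "$work" "$3"; then
        crl_verify_directive "$3"; status=0
    else
        echo "CRL rejected; existing file left untouched" >&2; status=1
    fi
    rm -f "$work"
    exit "$status"
fi
```

Because the CRL now lives outside the GUI, it has to be refreshed by re-running the script whenever the CA publishes a new one.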