./easyrsa gen-crl needs to be run on regular intervals


The CRL of OpenVPN needs to be renewed from time to time, otherwise it will expire and clients will fail. It shows like so in /var/log/daemon.log:

VERIFY ERROR: depth=0, error=CRL has expired: CN=hypervisor

For instance:

$ cd /etc/openvpn/easy-rsa/
$ sudo ./easyrsa gen-crl
$ sudo cp -f pki/crl.pem /etc/openvpn/crl.pem ; sudo chmod +r /etc/openvpn/crl.pem