Certificates remain in terraform-aws-openvpn s3 backup after running openvpn-admin revoke

Answer

A customer asked:

> Hi, how do we remove users from openvpn after they have left the company? I issued openvpn-admin revoke and it appears to have worked but we still see the certificates in the s3 backup.

Revoking a certificate on the OpenVPN server does not remove it from the S3 backup, and that is expected. After a revoke, the backup should contain both the previously issued certificate and the CRL (certificate revocation list) marking that certificate as revoked. When the server is replaced, the certificates are restored together with the CRL, so the revoked certificate still cannot be used to connect. The CRL lives in the OpenVPN directory, which is backed up by https://github.com/gruntwork-io/terraform-aws-openvpn/blob/master/modules/backup-openvpn-pki/bin/backup-openvpn-pki#L43 and loaded by init-openvpn here: https://github.com/gruntwork-io/terraform-aws-openvpn/blob/master/modules/init-openvpn/bin/init-openvpn#L96 (note that the CRL is stored as crl.pem).
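To make this concrete, here is an added example (not code from terraform-aws-openvpn or openvpn-admin) that builds a throwaway CA with openssl, issues and revokes one client certificate the way a server-side revoke does, regenerates crl.pem, and then checks what a restored backup should show: the revoked cert file is still present, its serial is listed in crl.pem, and openssl verify with CRL checking rejects it. The file names (ca.cnf, alice.crt) and the toy CA config are assumptions for the demo; only crl.pem matches the page.

```shell
#!/usr/bin/env bash
# Added example: toy PKI to show that a revoked cert stays in the backup
# while crl.pem carries the revocation. Not part of terraform-aws-openvpn.
set -eu

# Build a throwaway CA plus one client cert in $1 (constructed test data).
make_toy_pki() {
  dir="$1"
  mkdir -p "$dir"
  ( cd "$dir"
    touch index.txt; echo 1000 > serial; echo 1000 > crlnumber
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = toy
[ toy ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = pol
[ pol ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
      -subj "/CN=toy-ca" -days 30 -config ca.cnf >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout alice.key -out alice.csr \
      -subj "/CN=alice" -config ca.cnf >/dev/null 2>&1
    openssl ca -batch -config ca.cnf -in alice.csr -out alice.crt -notext >/dev/null 2>&1
    # An initial (empty) CRL, as a healthy PKI directory would carry.
    openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
  )
}

# Revoke one cert and regenerate crl.pem; the cert file itself is left in place,
# which is exactly what the S3 backup then reflects.
revoke_cert() {
  dir="$1"; cert="$2"
  ( cd "$dir"
    openssl ca -config ca.cnf -revoke "$cert" >/dev/null 2>&1
    openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1 )
}

# 0 if the backup directory carries a non-empty crl.pem.
backup_has_crl() {
  [ -s "$1/crl.pem" ]
}

# 0 if the cert's serial number is listed in the CRL.
cert_is_revoked_in_crl() {
  cert="$1"; crl="$2"
  serial=$(openssl x509 -in "$cert" -noout -serial | cut -d= -f2)
  openssl crl -in "$crl" -noout -text | grep -q "Serial Number: $serial"
}

# 0 if openssl verify rejects the cert once CRL checking is enabled.
cert_rejected_with_crl() {
  dir="$1"; cert="$2"
  ! openssl verify -crl_check -CAfile "$dir/ca.crt" -CRLfile "$dir/crl.pem" "$cert" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d)
  make_toy_pki "$d"
  revoke_cert "$d" "$d/alice.crt"
  backup_has_crl "$d" && echo "crl.pem present in $d"
  cert_is_revoked_in_crl "$d/alice.crt" "$d/crl.pem" && echo "alice.crt serial is listed in crl.pem"
  cert_rejected_with_crl "$d" "$d/alice.crt" && echo "openssl verify rejects alice.crt with CRL checking"
  [ -f "$d/alice.crt" ] && echo "alice.crt is still on disk, as it would be in the backup; that is expected"
}
demo
```

The same two checks (crl.pem present, revoked serial listed in it) are what to run against a restored backup directory if you want to confirm a departed user's certificate is dead even though the file is still there.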