"Certificate verification failed to find relevant CRL file" error


Tim

Feb 9, 2024, 7:09:39 PM
to grpc.io
I'm trying to use a CRL to revoke a certificate. I've generated the CRL and verified that the cert is revoked with 'openssl verify -crl_check ...', which correctly reports that the cert is revoked.

When I call options.set_crl_directory with the absolute path to the directory the CRL is in and then connect, I just get the log message "Certificate verification failed to find relevant CRL file." and the connection is allowed to succeed.

I have the CRL in both PEM and DER formats in the directory. Does the file have to be a certain name in order for gRPC to find it? Or is there some other reason it can't find it?

Andrey Ermolov

Feb 11, 2024, 6:17:10 PM
to grpc.io
Hello Tim,

Could you provide more information about your setup, like the gRPC stack (C++/Go), gRPC version, how the CRLs are generated, etc.?
In general, I'd encourage you to take a look at how the updated CRL functionality is organized and how the test certs/CRLs are generated for it (C++): https://github.com/grpc/grpc/blob/master/test/core/tsi/test_creds/crl_data/README

Tim

Feb 12, 2024, 11:06:59 AM
to grpc.io
Thanks for that link, it was very helpful. It looks like my answer was buried deep within it. That link has one subtle difference from what I did, which is to run openssl rehash on the directory containing the CRL as the final step. This creates a hashed filename linking to the CRL, and THAT is what OpenSSL is looking for. The documentation for set_crl_directory does say it will "read all hashed x.509 CRL files", but what it fails to mention is that the filename also has to be hashed with openssl rehash. That README link should probably mention the same, as it doesn't explain why it's running openssl rehash at the end, nor is it obvious.