krwi
just joined
Topic Author
Posts: 9
Joined: Mon Aug 21, 2017 3:49 pm

IPSec: CRL has expired

Thu Oct 26, 2017 6:18 pm

I have an IPSec VPN IKEv2 setup for road-warrior clients with cert auth, and for a few months this worked quite well.
But now Mikrotik has started refusing connections; in the logs there are "CRL has expired(12) at depth:0" and "can't verify peer's certificate from store".
The CRL URL from my CA cert is accessible and according to the logs it is updated correctly. CA and client certs are valid. I have the latest RouterOS v6.40.4.
Any advice?
ipsec_grab1.jpg
ipsec_grab2.jpg
 
pe1chl
Forum Guru
Posts: 10568
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPSec: CRL has expired

Thu Oct 26, 2017 8:12 pm

When your CRL has expired, you need to renew it even when you have not revoked any certificates.
Newer versions of the SSL library check this condition; I have also seen it affect completely different programs.
It could also be that the clock of the device that does the check is not synchronized.
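A check for the two causes named above (an expired CRL and a checker whose clock is off), as an added example that is not from this thread or from MikroTik: it parses the text that `openssl crl -noout -lastupdate -nextupdate -in ca.crl` prints (the sample lines are constructed here) and reports what a verifier with a given clock would conclude about the CRL.

```python
from datetime import datetime, timezone

# Date layout printed by `openssl crl -noout -lastupdate -nextupdate`, e.g. "Nov 25 10:00:00 2017 GMT"
OPENSSL_TIME_FMT = "%b %d %H:%M:%S %Y GMT"

# Constructed sample (not taken from the thread's screenshots): CRL issued Oct 26, valid until Nov 25, 2017
SAMPLE_CRL_OUTPUT = """lastUpdate=Oct 26 10:00:00 2017 GMT
nextUpdate=Nov 25 10:00:00 2017 GMT
"""


def utc(year, month, day, hour=0, minute=0):
    """Build a timezone-aware UTC timestamp so the comparisons below never mix naive datetimes."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def parse_crl_validity(openssl_output):
    """Return (lastUpdate, nextUpdate) from the openssl text output as aware UTC datetimes."""
    fields = {}
    for line in openssl_output.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    last_update = datetime.strptime(fields["lastUpdate"], OPENSSL_TIME_FMT).replace(tzinfo=timezone.utc)
    next_update = datetime.strptime(fields["nextUpdate"], OPENSSL_TIME_FMT).replace(tzinfo=timezone.utc)
    return last_update, next_update


def crl_status(openssl_output, checker_clock, reference_clock=None, max_skew_seconds=300):
    """Classify the CRL the way a verifier whose clock reads `checker_clock` will see it.

    Returns (verdict, clock_skew_suspected). If `reference_clock` (e.g. an NTP-synced host) is
    given and differs from the checker's clock by more than `max_skew_seconds`, the flag says
    the verdict may be an artefact of a wrong clock rather than of the CRL itself.
    """
    last_update, next_update = parse_crl_validity(openssl_output)
    if checker_clock > next_update:
        verdict = "CRL has expired"      # what the router logged; the CA must publish a fresh CRL
    elif checker_clock < last_update:
        verdict = "CRL not yet valid"    # usually a checker clock that lags behind the CA's clock
    else:
        verdict = "ok"
    skew_suspected = (
        reference_clock is not None
        and abs((checker_clock - reference_clock).total_seconds()) > max_skew_seconds
    )
    return verdict, skew_suspected


if __name__ == "__main__":
    print(crl_status(SAMPLE_CRL_OUTPUT, utc(2017, 10, 28, 19)))  # ('ok', False)
    print(crl_status(SAMPLE_CRL_OUTPUT, utc(2017, 11, 26)))      # ('CRL has expired', False)
```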
 
krwi
just joined
Topic Author
Posts: 9
Joined: Mon Aug 21, 2017 3:49 pm

Re: IPSec: CRL has expired

Thu Oct 26, 2017 10:08 pm

Thanks for the reply. The CRL has already been renewed, as you can see in the screenshot from my previous post: the CRL is valid until 25 Nov.
The clock is synchronized by NTP. But Mikrotik is still rejecting connections. I have no idea what could be wrong; maybe a bug in RoS?
 
krwi
just joined
Topic Author
Posts: 9
Joined: Mon Aug 21, 2017 3:49 pm

Re: IPSec: CRL has expired

Sat Oct 28, 2017 7:07 pm

Strange, I imported one of the clients' certificates on Mikrotik and the VPN started working again! Even after I deleted this certificate and restarted the router, it can still connect.
Even stranger, all of the clients can now connect, not only the one whose certificate I uploaded!
But in the ipsec logs there is now "unable to get certificate CRL", which does not prevent the connection.

I have no idea what's going on, it must be some bug in RoS.