Clients can't connect after 2.6.0
-
@stewart
Check this out, please: https://redmine.pfsense.org/issues/13424 -
I've not manually applied patches before. It says:
The patch has been committed into the System Patches package and will be available to users there soon once some work on the build system is complete. In the meantime, users can install the System Patches package and then create an entry for a3c1589086ea67d25a28ec14ab95d7fd9ab25fa2 to apply the fix immediately.
I don't know how to do that. I've installed the System Patches Package. Do I just put in a description and a URL/Commit ID of a3c1589086ea67d25a28ec14ab95d7fd9ab25fa2? What about the rest of the fields?
About auto apply... It seems like if left unchecked then it applies but does not persist after reboot and if checked it is permanently applied and will persist after reboot. Is that correct?
-
@stewart
Add a new patch. Enter a description and the patch ID and save it.
Then you can apply the patch. -
I gave it a description and used a3c1589086ea67d25a28ec14ab95d7fd9ab25fa2 as the ID and saved. I then clicked fetch and viewed it and it seemed right. Then I applied and it said it was successful but the problem still persists.
-
Actually, the diff on that appears to be affecting /src/etc/inc/auth.inc which is something else. Looking in the thread the files that should be adjusted are /src/etc/inc/certs.inc and /usr/local/www/system_crlmanager.php.
-
@stewart
Did you also reboot. CRL expiration is updated at boot.On my home installation this resolves exactly the "OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed" error.
-
@viragomann I have not but I did go into the certs.inc file and the system_crlmanager.php file and it appears that the updated lines are in there. I'll verify I can reboot and will respond when that's done.
-
@viragomann Unfortunately the issue is the same after a reboot.
-
I now see other posts where this seems to have happened when they upgraded to 2.5. We did an inplace upgrade from 2.4.4 to 2.5.0 to 2.6.0. I've now created a second CA, issued a second certificate to a second server, created a second user certificate but it still fails. How common is this issue?
-
OK, so I found this page with a post by anakha that suggests editing /usr/local/sbin/ovpn_auth_verify and changing:
RESULT=$(/usr/local/sbin/fcgicli -f /etc/inc/openvpn.tls-verify.php -d "servercn=$2&depth=$3&certdepth=$4&certsubject=$5&serial=$serial&config=$config")
to
RESULT=$(/usr/local/sbin/fcgicli -f /etc/inc/openvpn.tls-verify.php -d "servercn=$2&depth=$3&certdepth=$4&certsubject=\\"$5\\"&serial=$serial&config=$config")
lo and behold, that worked!
Why? What does that do and why is it effective? This post is from 2 years ago. I can't believe this is still a wide spread problem. How can I mitigate this in the future with our other boxes?
Edit: Nope. It worked once and now it fails every time again. Grrr...
-
I may have found the issue but only once I completely removed all of everything and started from scratch. The previous certificate was set for 10 years but the new version shows when setting up a certificate that it should be under 398 days. I've recreated it all from scratch (removed server, certificates, CA) and it's working now. The only problem is that I'll need to reinstall on all of the users since it's all new certificates.
-
-
-