OpenVPN on pfSense treats valid certificates as REVOKED
- 
Hi all, I have a problem with a CRL.
All the SSL stuff was imported from a Linux server which has to be replaced by pfSense (but I need to preserve all certificates as they are).
The certificates are up to date and working without the CRL check.
But when I try to implement this useful feature, I get the following error:
TLS: Initial packet from 60.234.20.25:49021, sid=5342fd0e 65634748
 CRL CHECK FAILED: /C=NZ/ST=Area/L=City/O=My_Conpany/CN=OpenVPN_CA/emailAddress=support@mycompany.com is REVOKED
 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
 TLS Error: TLS object -> incoming plaintext read error
 TLS Error: TLS handshake failed
 Fatal TLS error (check_tls_errors_co), restarting
 SIGUSR1[soft,tls-error] received, client-instance restarting
TCP/UDP: Closing socket
Could anybody point me to what I'm doing wrong here?
Many thanks in advance.
# openvpn --version
OpenVPN 2.0.6 i386-portbld-freebsd7.0 [SSL] [LZO] built on Nov 9 2008
Developed by James Yonan
Copyright (C) 2002-2005 OpenVPN Solutions LLC info@openvpn.net
# openssl crl -in crl.pem -text -noout
 Certificate Revocation List (CRL):
 Version 1 (0x0)
 Signature Algorithm: md5WithRSAEncryption
 Issuer: /C=NZ/ST=Area/L=City/O=My Conpany/CN=OpenVPN CA/emailAddress=support@mycompany.com
 Last Update: Sep 21 02:59:33 2009 GMT
 Next Update: Oct 21 02:59:33 2009 GMT
 Revoked Certificates:
 Serial Number: 00
 Revocation Date: Jul 9 03:42:27 2009 GMT
 Serial Number: 01
 Revocation Date: Jul 9 03:45:03 2009 GMT
 Serial Number: 02
 Revocation Date: Jul 9 03:44:20 2009 GMT
 Serial Number: 03
 Revocation Date: Jul 9 03:46:00 2009 GMT
 Serial Number: 05
 Revocation Date: Jul 16 05:13:08 2009 GMT
 Serial Number: 06
 Revocation Date: Jul 16 04:36:29 2009 GMT
 Signature Algorithm: md5WithRSAEncryption
 be:a7:5e:9d:7e:61:eb:f1:14:34:9e:29:89 ed:ac:50:5e: ed:ac:50:5e:
….
(test certificate - taphy.crt - has Serial Number 07 - not in the CRL at all)
The CRL test from the command line is OK:
cat openvpn_server0.ca openvpn_server0.crl > test-crl.pem
openssl verify -CAfile test-crl.pem -crl_check taphy.crt
taphy.crt: OK
- 
 Hi again, 
It is actually my ca.crt imported from Linux that is reported as revoked. Is it possible to add this one as trusted, or to renew it somehow?
- 
Solved :) I had to be more attentive to my index.txt and ca.crt content. My old ca.crt has serial 00 (not sure why, historical) and, of course, it was treated as revoked by the CRL, since there was a client certificate with the same serial number, which was revoked ages ago, and there were no CRL checks at all (historical again).
Unfortunately I have just two ways: rebuild all certificates, or make the client certificate with serial 00 valid (the first is better).
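The failure mode found in this thread, reproduced as an added example (it is not code from the thread, from OpenVPN or from pfSense). The OpenVPN 2.0.x verify callback applies the CRL at every depth of the presented chain whose issuer name matches the CRL issuer, comparing serial numbers only; a self-signed CA is its own issuer, so the CA certificate itself is checked against the CRL it signed, and a CA with serial 00 collides with the long-revoked client whose serial was also 00. The CRL text is the `openssl crl -text -noout` output quoted above, trimmed and embedded as constructed input; the client subject for taphy.crt is assumed, since only its serial (07) appears in the thread. The same parser doubles as the index.txt-style duplicate-serial audit the poster ended up doing by hand.

```python
import re

# Constructed sample input: the `openssl crl -text -noout` output quoted in
# the thread, trimmed to the fields this check reads.
CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 1 (0x0)
    Signature Algorithm: md5WithRSAEncryption
        Issuer: /C=NZ/ST=Area/L=City/O=My Conpany/CN=OpenVPN CA/emailAddress=support@mycompany.com
        Last Update: Sep 21 02:59:33 2009 GMT
        Next Update: Oct 21 02:59:33 2009 GMT
Revoked Certificates:
    Serial Number: 00
        Revocation Date: Jul  9 03:42:27 2009 GMT
    Serial Number: 01
        Revocation Date: Jul  9 03:45:03 2009 GMT
    Serial Number: 05
        Revocation Date: Jul 16 05:13:08 2009 GMT
    Signature Algorithm: md5WithRSAEncryption
        be:a7:5e:9d:7e:61:eb:f1
"""

CA_SUBJECT = "/C=NZ/ST=Area/L=City/O=My_Conpany/CN=OpenVPN_CA/emailAddress=support@mycompany.com"
# Assumed subject for taphy.crt; the thread only states its serial (07).
CLIENT_SUBJECT = "/C=NZ/ST=Area/L=City/O=My_Conpany/CN=taphy/emailAddress=support@mycompany.com"

# The chain as OpenVPN's verify callback walks it: depth 0 is the client
# certificate, depth 1 its (self-signed) issuer. Serials are the hex strings
# `openssl x509 -noout -serial` prints; 00 for the CA is the thread's finding.
CHAIN = [
    (CLIENT_SUBJECT, "07"),
    (CA_SUBJECT, "00"),
]

# Constructed inventory of everything the CA ever issued, plus ca.crt itself.
INVENTORY = [
    ("ca.crt", "00"),
    ("old-client (revoked Jul 2009)", "00"),
    ("taphy.crt", "07"),
]

_SERIAL_RE = re.compile(r"^Serial Number:\s*([0-9A-Fa-f:]+)\s*$")


def revoked_serials(crl_text):
    """Collect the revoked serial numbers from `openssl crl -text` output.

    Serials are returned as integers so that "00", "0" and "00:00" compare
    equal, the way an ASN1_INTEGER comparison treats them.
    """
    serials = set()
    in_revoked = False
    for raw in crl_text.splitlines():
        line = raw.strip()
        if line.startswith("Revoked Certificates:"):
            in_revoked = True
            continue
        if not in_revoked:
            continue
        if line.startswith("Signature Algorithm"):
            break  # end of the revoked-entries section
        m = _SERIAL_RE.match(line)
        if m:
            serials.add(int(m.group(1).replace(":", ""), 16))
    return serials


def serial_only_crl_check(chain, revoked):
    """Mimic the 2.0.x-era check the thread's log shows: each certificate in
    the chain is compared by serial alone against the CRL of its issuer, and
    a self-signed CA is its own issuer, so the CA certificate is not exempt.

    Returns [(depth, subject)] for every certificate that would be reported
    as REVOKED; an empty list means the handshake would proceed.
    """
    failures = []
    for depth, (subject, serial_hex) in enumerate(chain):
        if int(serial_hex, 16) in revoked:
            failures.append((depth, subject))
    return failures


def serial_collisions(certs):
    """Given (name, serial_hex) pairs for ca.crt and every index.txt entry,
    return {serial: [names]} for serials shared by more than one certificate.
    A correctly run CA never has any; the thread's CA had one."""
    seen = {}
    for name, serial_hex in certs:
        seen.setdefault(int(serial_hex, 16), []).append(name)
    return {s: names for s, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    revoked = revoked_serials(CRL_TEXT)
    for depth, subject in serial_only_crl_check(CHAIN, revoked):
        print(f"depth={depth} CRL CHECK FAILED: {subject} is REVOKED")
    for serial, names in serial_collisions(INVENTORY).items():
        print(f"serial {serial:02X} shared by: {', '.join(names)}")
```

This also explains why the command-line test in the first post passed: `openssl verify -crl_check` looks up the CRL for the end-entity certificate only, so the CA's serial is never compared; `-crl_check_all` walks the whole chain and would have surfaced the collision. When rebuilding, give the CA a serial no client certificate will ever reuse and sign the new CA and CRL with SHA-256 rather than the md5WithRSAEncryption shown above.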