Openvpn on pfsense treats valid certificates as REVOKED
-
Hi all, I have a problem with a CRL.
All SSL stuff was imported from a Linux server which has to be replaced by pfSense (but I need to preserve all certificates as is).
Certificates are up to date and work without the CRL check.
But when I try to implement this useful feature I get the next error:

TLS: Initial packet from 60.234.20.25:49021, sid=5342fd0e 65634748
CRL CHECK FAILED: /C=NZ/ST=Area/L=City/O=My_Conpany/CN=OpenVPN_CA/emailAddress=support@mycompany.com is REVOKED
TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
Fatal TLS error (check_tls_errors_co), restarting
SIGUSR1[soft,tls-error] received, client-instance restarting
TCP/UDP: Closing socket

Could anybody point me to what I'm doing wrong here?
Many thanks in advance

openvpn --version
OpenVPN 2.0.6 i386-portbld-freebsd7.0 [SSL] [LZO] built on Nov 9 2008
Developed by James Yonan
Copyright (C) 2002-2005 OpenVPN Solutions LLC info@openvpn.net

# openssl crl -in crl.pem -text -noout
Certificate Revocation List (CRL):
Version 1 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: /C=NZ/ST=Area/L=City/O=My Conpany/CN=OpenVPN CA/emailAddress=support@mycompany.com
Last Update: Sep 21 02:59:33 2009 GMT
Next Update: Oct 21 02:59:33 2009 GMT
Revoked Certificates:
Serial Number: 00
Revocation Date: Jul 9 03:42:27 2009 GMT
Serial Number: 01
Revocation Date: Jul 9 03:45:03 2009 GMT
Serial Number: 02
Revocation Date: Jul 9 03:44:20 2009 GMT
Serial Number: 03
Revocation Date: Jul 9 03:46:00 2009 GMT
Serial Number: 05
Revocation Date: Jul 16 05:13:08 2009 GMT
Serial Number: 06
Revocation Date: Jul 16 04:36:29 2009 GMT
Signature Algorithm: md5WithRSAEncryption
be:a7:5e:9d:7e:61:eb:f1:14:34:9e:29:89ed:ac:50:5e:
...
(test certificate - taphy.crt - has serial number 07 - not in the CRL at all)
The CRL test from the command line is OK:
cat openvpn_server0.ca openvpn_server0.crl > test-crl.pem
openssl verify -CAfile test-crl.pem -crl_check taphy.crt
taphy.crt: OK
-
Hi again,
It is actually my ca.crt imported from Linux that is reported as revoked. Is it possible to add this one as trusted or renew it somehow?
-
Solved. :) I had to be more attentive to my index.txt and ca.crt content.
My old ca.crt has serial 00 (not sure why, historical) and of course it was treated as revoked by the CRL, since there was a client certificate with the same serial number which was revoked ages ago, and there were no CRL checks at all (historical again).
Unfortunately I have just two ways: rebuild all certificates, or make the client certificate with serial 00 valid (the first is better).
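An added example (not code from this thread, from OpenVPN or from pfSense): a small Python simulation of a chain-wide CRL check driven by the `openssl crl -text` and `openssl x509 -serial -subject` output formats. The CRL text and the two chain entries below are constructed from the serials in the thread; it shows why a CA certificate with serial 00 trips the check while the client certificate with serial 07 passes.

```python
import re

# Constructed sample: `openssl crl -text -noout` output, trimmed to the
# lines the parser needs (serials 00/01/05 as in the thread).
CRL_TEXT = """\
Certificate Revocation List (CRL):
Version 1 (0x0)
Issuer: /C=NZ/ST=Area/L=City/O=My Conpany/CN=OpenVPN CA
Revoked Certificates:
    Serial Number: 00
        Revocation Date: Jul  9 03:42:27 2009 GMT
    Serial Number: 01
        Revocation Date: Jul  9 03:45:03 2009 GMT
    Serial Number: 05
        Revocation Date: Jul 16 05:13:08 2009 GMT
"""

# Constructed sample: the chain as `openssl x509 -noout -serial -subject`
# prints each element, CA first, then the client certificate taphy.crt.
CHAIN_TEXT = [
    "serial=00\nsubject= /C=NZ/ST=Area/L=City/O=My Conpany/CN=OpenVPN CA",
    "serial=07\nsubject= /C=NZ/ST=Area/L=City/O=My Conpany/CN=taphy",
]

def norm_serial(s):
    """Canonical hex serial: colons dropped, uppercase, no leading zeros."""
    s = s.strip().replace(":", "").upper()
    return s.lstrip("0") or "0"

def parse_crl_serials(text):
    """Set of revoked serials from `openssl crl -text` output."""
    found = re.findall(r"Serial Number:\s*([0-9A-Fa-f:]+)", text)
    return {norm_serial(m) for m in found}

def parse_cert(text):
    """(serial, subject) from `openssl x509 -serial -subject` output."""
    serial = re.search(r"^serial=([0-9A-Fa-f:]+)", text, re.M).group(1)
    subject = re.search(r"^subject=\s*(.+)$", text, re.M).group(1)
    return norm_serial(serial), subject

def check_chain(chain_texts, crl_text):
    """Compare every chain element, CA included, against the CRL.
    Returns a list of (subject, serial, is_revoked) in chain order."""
    revoked = parse_crl_serials(crl_text)
    report = []
    for text in chain_texts:
        serial, subject = parse_cert(text)
        report.append((subject, serial, serial in revoked))
    return report

def chain_ok(chain_texts, crl_text):
    """True only if no element of the chain matches a revoked serial."""
    return not any(hit for _, _, hit in check_chain(chain_texts, crl_text))
```

Running `check_chain(CHAIN_TEXT, CRL_TEXT)` flags the CA entry and clears taphy, which is the symptom in the log above; `chain_ok` fails as long as the CA shares serial 00 with a revoked client certificate.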