Netgate Discussion Forum
    OpenVPN + wrong CRL shown - revoking Certs doesn't work in all cases

    Category: 2.0-RC Snapshot Feedback and Problems - RETIRED
    38 posts, 5 posters, 15.2k views

      Nachtfalke

      @jimp:

      Are those old CRLs from CAs you have deleted?

      Could be possible. I did some testing with the Cert Manager in the past, creating, deleting and so on. Several new installations, sometimes with default settings, sometimes with a backed-up config.xml.
      I'm not sure at all, but I don't think I have deleted a CA in this config.xml file…

      @jimp:

      I suppose having a CRL there that had no certificates is what made it think it was imported. I'll have to re-check the code and see if there is another way that can happen. It doesn't let you edit in that case because you can't edit an imported CRL.

      The problem is that you are working around an almost empty CRL… if you were adding or deleting a second certificate (or a third, fourth, etc) you probably wouldn't be seeing that same behavior.

      Ok, this makes sense. Perhaps I will create a "fake" certificate and add it as revoked to the CRL so that I could edit it for future purposes.
      Perhaps you could write a script which creates a fake cert when building a CRL but which is not visible in the GUI!?

      But why couldn't I reconnect to the OpenVPN server after I canceled the certificate revocation?

      Thanks a lot!

        jimp (Rebel Alliance Developer, Netgate)

        Not sure why you couldn't connect offhand. I had disabled selecting CRLs with no certificates revoked before, OpenVPN may not like a blank CRL.

        I just made a bunch of various cert/CRL fixes this afternoon; try a snapshot from tomorrow morning and see if you have any better luck.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          Nachtfalke

          Thank you very much.
          I hope I can do some tests, too, with an additional certificate left in the CRL.

            jimp

            You'll have to clean out the old/invalid CRLs from your config by hand, though; the new code wouldn't allow them to still exist, but I don't want to delete them automatically.

              Nachtfalke

              Ok, will try this tomorrow.

              Did a quick test now before I go to bed:

              Created a new certificate, a new CRL and revoked a cert, restarted my openvpn server two times but could still connect.

              I attached 4 screenshots for you.

              (attachments: 1.jpg, 2.jpg, 3.jpg, 4.jpg)

                dynaguy

                I am having the same problem.

                running:
                2.0-RC1 (i386)
                built on Fri May 6 10:38:23 EDT 2011

                  jimp

                  So now you're saying that when you make a CRL and you revoke a cert, nobody can connect? Is the service even running? (Check Status > Services.) Does the crl-verify file in /var/etc/openvpn/ for that instance have anything in it?

                    Nachtfalke

                    Hi,

                    1.) I didn't find time to test all scenarios, but with snapshot May 7th there is an "edit" button for the CRL with no certs in it. Great!

                    2.) After editing the config.xml and deleting the "empty" CRL, the blank entry in the OpenVPN Server CRL pull-down menu disappeared. Great!

                    Now I'm having another problem:
                    My CA is "HPA-CA". I created a new CRL called "MYCRL" and added this CRL to the OpenVPN Server config.
                    After doing this, the OpenVPN server restarts and there are no abnormal entries in syslog or the OpenVPN syslog.

                    But after doing this, I cannot connect to this OpenVPN server. No error log on pfSense, and this is the only thing on the Windows OpenVPN client:

                    Sun May 08 23:00:41 2011 OpenVPN 2.2.0 Win32-MSVC++ [SSL] [LZO2] built on Apr 26 2011
                    Sun May 08 23:00:41 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
                    Sun May 08 23:00:41 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
                    Sun May 08 23:00:41 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
                    Sun May 08 23:00:41 2011 Control Channel Authentication: using 'pfsense1-UDP-1194-tls-RBS.key' as a OpenVPN static key file
                    Sun May 08 23:00:41 2011 LZO compression initialized
                    Sun May 08 23:00:41 2011 UDPv4 link local (bound): [undef]:1194
                    Sun May 08 23:00:41 2011 UDPv4 link remote: 11.12.13.14:1194
                    

                    This is repeating every time the keepalive time is over.
                    If I delete the CRL "MYCRL" in the OpenVPN server config I can reconnect.

                    Further:
                    Why does the OpenVPN Server config display two CRLs: "HPA-CA", which isn't a list, just the name of my CA, and then the correct CRL called "MYCRL"?

                    Thanks in advance!

                    (attachments: 1.jpg, 2.jpg)

                      jimp

                      Not sure why it wouldn't connect - it would help to know if you have any certificates revoked in that CRL, and either way it would help to know if /var/etc/openvpn/server<x>.crl-verify contained anything (where <x> is whatever this instance is).

                      As for that extra CRL entry, it may still be a side effect from hand editing your config, or something else that needs cleaning up.

                        Nachtfalke

                        Hi,

                        like I said in my previous post:
                        I created a new CRL and a new certificate. Then I revoked this certificate and then canceled the revoke - just to see if the CRL is empty but with an edit button.
                        Now the CRL is empty - no revoked certificates in it.

                        The server2.crl-verify file is empty.

                        --edit--

                        These are the only two blocks with <crl> in my config.xml:

                        ```xml
                        <crl>
                            <refid>4d401a4cb674f</refid>
                            <caref>4d4018ea7d5dd</caref>
                            <serial>10000</serial>
                            <lifetime>9999</lifetime>
                            <text>xxXXxxXXxx</text>
                        </crl>
                        <crl>
                            <refid>4dc7030fca8f5</refid>
                            <caref>4d445bf7f2a0c</caref>
                            <serial>9999</serial>
                            <lifetime>9999</lifetime>
                        </crl>
                        ```
                          jimp

                          That top one is probably from a CA you deleted before (note the caref doesn't match).

                          OpenVPN may not like a zero-byte crl. I'll have to poke at it some more.

                            Nachtfalke

                            I will try to do a complete fresh install of my pfsense to be sure to have no old code fragments in my config.

                              jimp

                              I made more improvements to CRL handling today; hopefully OpenVPN will be happy now, as there will never be a 0-byte CRL file anymore.

                                Nachtfalke

                                Thanks jimp,

                                I hope I will find some time on weekend to test this.

                                  Elodie

                                  @jimp:

                                  I made more improvements to CRL handling today, hopefully OpenVPN will be happy now, there will never be a 0-byte CRL file anymore.

                                  Good news, jimp!
                                  Does that mean we can update our pfsense ?

                                    jimp

                                    It should be in snapshots by now.

                                      Elodie

                                      Great, I'll try it tomorrow or next week and I'll tell you!

                                        Nachtfalke

                                        Hi,

                                        I did a test today with the CRL but with no success. With the snapshot from today there isn't an empty server2.crl-verify anymore, but there is still the problem that I could not connect to an OpenVPN server when I added a CRL to it.

                                        I didn't find any time to do a complete reinstallation of my pfSense, so this could perhaps be the problem.

                                          Nachtfalke

                                          Hi jimp,

                                          bad news :(

                                          I did a complete fresh installation of pfSense and I am on 2.0-RC3 (amd64) built on Sun Jul 3 04:02:48 EDT 2011.

                                          I created a new CA, created 2 certs (server + client) and configured a new OpenVPN server. I can only connect if I do not select any CRL in the OpenVPN Server configuration.

                                          I opened another thread on Friday because I didn't remember this thread. Perhaps this will help you a little bit to resolve this error.
                                          http://forum.pfsense.org/index.php/topic,38466.0.html

                                          Thanks for your help!

                                            jimp

                                            So if you revoke a certificate on the CRL, does it work? Does it still just not like an empty CRL? (Well, it's a valid CRL, just doesn't have any certificates revoked in it)

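The distinction jimp is asking about (a zero-byte crl-verify file, versus a valid CRL that simply revokes nothing, versus a CRL that does revoke the client cert) can be reproduced with openssl against a throwaway CA. This is an added example, not code from the thread or from pfSense; the CA and certificate names, the temp directory and the file names are constructed, and openssl verify stands in for OpenVPN's own CRL check.

```shell
# Added example (not from the thread or from pfSense): reproduce the three CRL
# states discussed above with a throwaway CA in a temp dir: a zero-byte file,
# a valid CRL with nothing revoked, and a CRL that revokes the client cert.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Throwaway CA (name constructed) plus the files "openssl ca" needs for CRLs.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=HPA-CA-example" -days 2 >/dev/null 2>&1
: > index.txt
echo 1000 > crlnumber
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
crlnumber = crlnumber
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_crl_days = 1
EOF

# One client certificate issued by that CA (name constructed).
openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
  -subj "/CN=client-example" >/dev/null 2>&1
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out client.crt -days 1 >/dev/null 2>&1

# State 1: zero-byte file, like the empty server2.crl-verify in the thread.
: > zero-byte.crl
# State 2: valid CRL with no revoked certificates (CRL added, nothing revoked).
openssl ca -config ca.cnf -gencrl -out nothing-revoked.crl 2>/dev/null
# State 3: the client certificate is revoked and a fresh CRL is issued.
openssl ca -config ca.cnf -revoke client.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -out client-revoked.crl 2>/dev/null

# crl_revoked_count FILE -> how many serials the CRL lists (0 if unparsable).
crl_revoked_count() {
  openssl crl -in "$1" -noout -text 2>/dev/null | grep -c 'Serial Number:' || true
}
# crl_ok FILE -> "pass" when client.crt verifies against the CA using CRL FILE.
crl_ok() {
  if openssl verify -crl_check -CAfile ca.crt -CRLfile "$1" client.crt \
       >/dev/null 2>&1; then echo pass; else echo fail; fi
}
for f in zero-byte.crl nothing-revoked.crl client-revoked.crl; do
  echo "$f: $(wc -c < "$f") bytes, $(crl_revoked_count "$f") revoked, verify=$(crl_ok "$f")"
done
```

Only the zero-byte file fails to load as a CRL at all; the CRL with nothing revoked is well-formed and lets the client through, while the CRL that lists the client's serial rejects it.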
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.