Netgate Discussion Forum
    Certificate manager : CRL is not working

    2.0-RC Snapshot Feedback and Problems - RETIRED
    13 Posts 3 Posters 8.7k Views
    • jimp (Rebel Alliance Developer, Netgate)

      Did you import the private key of your CA? You can't revoke certificates without the private key of the CA. I thought I had added code to check for that recently, you might want to update to a more recent snapshot.

      I'll have to look at the code but it would be helpful to know exactly what you imported.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      • Elodie

        Hi Jimp,

        I imported the private key as well.
        I tried to use auto-update twice, which did not work. I checked "Allow auto-update firmware images with a missing or invalid digital signature to be used" and then I invoked auto-upgrade. latest.gz was downloaded but the upgrade did not work; here are the logs.

        firmware_update_misc_log.txt

        /etc/rc.firmware: /etc/rc.firmware_notify: not found
        fdisk: invalid fdisk partition table found
        bsdlabel: /dev/ad0s3: no valid label found

        upgrade_log.txt

        NanoBSD Firmware upgrade in progress...
        
        Installing /root/latest.tgz.
        SLICE         1
        OLDSLICE      2
        TOFLASH       ad0s1
        COMPLETE_PATH ad0s1a
        GLABEL_SLICE  pfsense0
        Tue May  3 14:52:21 CEST 2011
        
        total 8
        dr-xr-xr-x   8 root  wheel         512B May  3 11:18 .
        drwxr-xr-x  24 root  wheel         512B May  3 11:18 ..
        crw-r-----   1 root  operator    0,  54 May  3 11:18 ad0
        crw-r-----   1 root  operator    0,  55 May  3 11:18 ad0s1
        crw-r-----   1 root  operator    0,  58 May  3 11:18 ad0s1a
        crw-r-----   1 root  operator    0,  56 May  3 11:18 ad0s2
        crw-r-----   1 root  operator    0,  59 May  3 11:18 ad0s2a
        crw-r-----   1 root  operator    0,  57 May  3 11:18 ad0s3
        crw-------   1 root  operator    0,  28 May  3 11:18 ata
        crw-------   1 root  wheel       0,  11 May  3 11:18 bpf
        lrwxr-xr-x   1 root  wheel           3B May  3 11:18 bpf0 -> bpf
        
        

        fdisk_upgrade_log.txt

        Before upgrade fdisk/bsdlabel
        ******* Working on device /dev/ad0 *******
        parameters extracted from in-core disklabel are:
        cylinders=15490 heads=16 sectors/track=63 (1008 blks/cyl)
        
        Figures below won't work with BIOS for partitions not in cyl 1
        parameters to be used for BIOS calculations are:
        cylinders=15490 heads=16 sectors/track=63 (1008 blks/cyl)
        
        Media sector size is 512
        Warning: BIOS sector numbering starts with sector 1
        Information from DOS bootblock is:
        The data for partition 1 is:
        sysid 165 (0xa5),(FreeBSD/NetBSD/386BSD)
            start 63, size 3861585 (1885 Meg), flag 0
                beg: cyl 0/ head 1/ sector 1;
                end: cyl 758/ head 15/ sector 63
        The data for partition 2 is:
        sysid 165 (0xa5),(FreeBSD/NetBSD/386BSD)
            start 3861711, size 3861585 (1885 Meg), flag 80 (active)
                beg: cyl 759/ head 1/ sector 1;
        
        

        I can try a manual update but I don't think this will change anything :-/. I installed a fresh pfSense maybe on April 10 and I upgraded to the version I use (April 8). If I make a new fresh installation and upgrade to May 3, could I use the same config.xml file?

        Elodie

        • Nachtfalke

          Yes you could use the same config.xml file.
          You could change between x86 and x64 and use the same config.xml file. That's really nice.

          I didn't have a look at your post and opened a new one today. I have many problems with the CRL and OpenVPN, too. Perhaps you could help me or try with your configuration to see if the same problems occur!?
          http://forum.pfsense.org/index.php/topic,36414.0.html

          • Elodie

            Hi jimp,

            I reinstalled pfsense in a soekris box, I uploaded my config.xml and updated pfsense (2.0-RC1 (i386) built on Mon May 9 04:20:45 EDT 2011).

            1. I still have error 500 when I revoke a certificate if I don't choose "Unspecified" as the revocation reason.
            2. I still have a 0-byte server1.crl-verify file, and I added certificates to revoke.
            3. I still have an error when I try to connect to the OpenVPN server because of the empty file.

            Any idea?

            Elodie

            • jimp (Rebel Alliance Developer, Netgate)

              2 and 3 I am working on. I still can't reproduce 1 and have no idea where that could be coming from.

              • Elodie

                Thanks for working on it.

                About 1, do you need extra logs or information?

                edit: I have this in the system log when the error occurs: "May 10 17:40:53 kernel: pid 50832 (php), uid 0: exited on signal 11 (core dumped)"
                I don't think this will help….

                Elodie

                • jimp (Rebel Alliance Developer, Netgate)

                  That basically just means that PHP crashed when it tried to do that, which explains the 500 error.

                  There may be some character or input in the CA/cert that isn't valid... not sure what it could be though. Is this a CA/cert you generated yourself, or an imported one?

                  • Elodie

                    Hi jimp,

                    That was a certificate we generated for our old pfSense 1.2.0, which was working very well ;-)
                    I imported the CA/CA private key and every user certificate/user private key in the cert manager...

                    Elodie

                    • jimp (Rebel Alliance Developer, Netgate)

                      It may be something specific to that CA then, somehow. No matter what I do, I haven't been able to replicate that crash, even when I import a CA.

                      • Elodie

                        I could do some tests with another CA to see if this comes from this CA.

                        • Elodie

                          Hi Jimp,

                          I updated to RC2 and I did some tests today. I imported another CA (not the one I used before). I do not have the 500 error with this certificate and I do not have an empty CRL.

                          About the other certificate (the one I had problems with), I deleted the old CRL and created a new one. I still have the empty CRL and the 500 error.
                          Then I realized that the difference between those two is that the one I have problems with has an encrypted private key. I think that is the source of my problem. I hope this can help you to reproduce...

                          • jimp (Rebel Alliance Developer, Netgate)

                            Yeah, encrypted private keys are not supported and there are no plans to support them. It tries to use them as-is.

                            We have some code to try to detect them, but if you could still import it, that code is apparently still a little flawed.

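The import-time check jimp describes (refuse a passphrase-protected CA key, since the CA signs the CRL with it as-is) and the symptom Elodie hit (a 0-byte server1.crl-verify file), written up as an added example in Python; this is not pfSense's own code. The PEM blobs are constructed placeholders with real headers but no key material.

```python
import re

# Header patterns that mark a passphrase-protected PEM private key.
# Legacy OpenSSL ("traditional") keys carry Proc-Type/DEK-Info lines;
# PKCS#8 keys use a distinct BEGIN line instead.
_ANY_KEY = re.compile(r"-----BEGIN (?:(?:RSA|EC|DSA) )?(?:ENCRYPTED )?PRIVATE KEY-----")
_PKCS8_ENCRYPTED = re.compile(r"-----BEGIN ENCRYPTED PRIVATE KEY-----")
_PROC_TYPE = re.compile(r"^Proc-Type:\s*4,ENCRYPTED\b", re.MULTILINE)
_DEK_INFO = re.compile(r"^DEK-Info:", re.MULTILINE)


def pem_key_kind(pem: str) -> str:
    """Classify a PEM blob as 'encrypted', 'plain' or 'none' (no private key present)."""
    if not _ANY_KEY.search(pem):
        return "none"
    if _PKCS8_ENCRYPTED.search(pem) or _PROC_TYPE.search(pem) or _DEK_INFO.search(pem):
        return "encrypted"
    return "plain"


def check_ca_import(cert_pem: str, key_pem: str) -> list:
    """Return the problems that would stop this CA from revoking certs and signing a CRL."""
    problems = []
    if "-----BEGIN CERTIFICATE-----" not in cert_pem:
        problems.append("no CA certificate in import")
    kind = pem_key_kind(key_pem)
    if kind == "none":
        problems.append("no CA private key: nothing can be revoked or signed")
    elif kind == "encrypted":
        problems.append("CA private key is passphrase-protected: decrypt it before import")
    return problems


def crl_usable(crl_pem: str) -> bool:
    """Catch the empty crl-verify file: the export must hold a complete PEM CRL block."""
    return "-----BEGIN X509 CRL-----" in crl_pem and "-----END X509 CRL-----" in crl_pem


# Constructed samples (headers only, placeholder bodies; not real key material).
CA_CERT = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
PLAIN_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n-----END RSA PRIVATE KEY-----\n"
LEGACY_ENCRYPTED_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n"
    "\n"
    "placeholder...\n"
    "-----END RSA PRIVATE KEY-----\n"
)
PKCS8_ENCRYPTED_KEY = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIF...placeholder...\n-----END ENCRYPTED PRIVATE KEY-----\n"
```

Running `check_ca_import(CA_CERT, LEGACY_ENCRYPTED_KEY)` flags the key that caused the empty CRL above, while the same CA with `PLAIN_KEY` passes cleanly.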
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.