Certificate manager: CRL is not working
-
Yes you could use the same config.xml file.
You could change between x86 and x64 and use the same config.xml file. That's really nice. I didn't have a look at your post and opened a new one today. I have many problems with the CRL and OpenVPN, too. Perhaps you could help me, or try with your configuration to see if the same problems occur!?
http://forum.pfsense.org/index.php/topic,36414.0.html
-
Hi jimp,
I reinstalled pfSense on a Soekris box, uploaded my config.xml and updated pfSense (2.0-RC1 (i386) built on Mon May 9 04:20:45 EDT 2011).
- I still have an error 500 when I revoke a certificate if I don't choose "Unspecified" as the revocation reason.
- I still have a 0-byte server1.crl-verify file, and I added certificates to revoke.
- I still have an error when I try to connect to the OpenVPN server because of the empty file.
Any idea ?
Elodie
-
2 and 3 I am working on. I still can't reproduce 1 and have no idea where that could be coming from.
-
Thanks for working on it.
About 1, do you need extra logs or information ?
Edit: I have this in the system log when the error occurs: "May 10 17:40:53 kernel: pid 50832 (php), uid 0: exited on signal 11 (core dumped)"
I don't think this will help… Elodie
-
That basically just means that php crashed when it tried to do that, which explains the 500 error.
There may be some character or input in the CA/cert that isn't valid... not sure what it could be though. Is this a CA/cert you generated yourself, or an imported one?
-
Hi jimp,
That was a certificate we generated for our old pfSense 1.2.0, which was working very well ;-)
I imported the CA/CA private key and every user certificate/user private key in the cert manager… Elodie
-
It may be something specific to that ca then somehow. No matter what I do, I haven't been able to replicate that crash, even when I import a ca.
-
I could do some tests with another CA to see if this comes from this CA.
-
Hi Jimp,
I updated to RC2 and I did some tests today. I imported another CA (not the one I used before). I do not have the 500 error with this certificate and I do not have an empty CRL.
About the other certificate (the one I had problems with), I deleted the old CRL and created a new one. I still have the empty CRL and the 500 error.
Then I realized that the difference between those two is that the one I have problems with has an encrypted private key. I think that is the source of my problem. I hope this can help you to reproduce…
-
Yeah, encrypted private keys are not supported and there are no plans to support them. It tries to use them as-is.
We have some code to try to detect them but if you could still import it, it is apparently still a little flawed.
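The thread ends on two checks a practitioner would want before trusting a pfSense CRL setup: is the private key being imported encrypted (the case jimp says is unsupported and that the import check missed), and is the crl-verify file OpenVPN will read actually non-empty and well-formed? The following is an added example, not pfSense's own detection code or any code from this thread. It works from the PEM text alone, with no OpenSSL dependency, and relies on two facts about PEM encodings: legacy OpenSSL (PKCS#1/SEC1) encrypted keys carry `Proc-Type: 4,ENCRYPTED` and `DEK-Info:` headers inside the block, while PKCS#8 encrypted keys use the `BEGIN ENCRYPTED PRIVATE KEY` label. The sample PEM bodies are constructed placeholders, not real key or CRL material.

```python
"""Added example: pre-import check for encrypted PEM private keys and a
sanity check on an OpenVPN crl-verify file. Not pfSense code."""
import re

# One PEM block: "-----BEGIN <label>-----", optional RFC 1421 headers,
# base64 body, "-----END <label>-----".
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)


def pem_blocks(text):
    """Return a list of (label, header_lines, base64_body) for each PEM block."""
    out = []
    for m in PEM_BLOCK.finditer(text):
        lines = m.group("body").splitlines()
        headers = []
        # "Name: value" headers precede the base64 data and are terminated by
        # a blank line; base64 itself never contains a colon.
        while lines and ":" in lines[0]:
            headers.append(lines.pop(0).strip())
        while lines and not lines[0].strip():
            lines.pop(0)
        out.append((m.group("label"), headers, "".join(l.strip() for l in lines)))
    return out


def private_key_status(pem_text):
    """Classify the first private key in pem_text as 'plain', 'encrypted' or 'none'.

    'encrypted' covers both the PKCS#8 label and the legacy OpenSSL
    Proc-Type/DEK-Info headers; importing such a key into a tool that uses
    keys as-is (the situation described in the thread) will fail."""
    for label, headers, _body in pem_blocks(pem_text):
        if label == "ENCRYPTED PRIVATE KEY":
            return "encrypted"
        if label.endswith("PRIVATE KEY"):
            legacy = any(h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers) \
                or any(h.startswith("DEK-Info:") for h in headers)
            return "encrypted" if legacy else "plain"
    return "none"


def crl_file_ok(data):
    """True if crl-verify content is non-empty and holds at least one
    'X509 CRL' PEM block with a non-empty base64 body."""
    if not data.strip():
        return False
    return any(label == "X509 CRL" and body for label, _h, body in pem_blocks(data))


# Constructed samples: the base64 bodies are placeholders, not real material.
PLAIN_RSA = """-----BEGIN RSA PRIVATE KEY-----
QUJD
-----END RSA PRIVATE KEY-----
"""
LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

QUJD
-----END RSA PRIVATE KEY-----
"""
PKCS8_ENCRYPTED = """-----BEGIN ENCRYPTED PRIVATE KEY-----
QUJD
-----END ENCRYPTED PRIVATE KEY-----
"""
EMPTY_CRL = ""                      # the 0-byte server1.crl-verify case
MARKERS_ONLY_CRL = "-----BEGIN X509 CRL-----\n-----END X509 CRL-----\n"
GOOD_CRL = """-----BEGIN X509 CRL-----
QUJD
-----END X509 CRL-----
"""

if __name__ == "__main__":
    for name, pem in [("plain", PLAIN_RSA), ("legacy", LEGACY_ENCRYPTED),
                      ("pkcs8", PKCS8_ENCRYPTED)]:
        print(f"{name}: {private_key_status(pem)}")
    for name, crl in [("empty", EMPTY_CRL), ("markers only", MARKERS_ONLY_CRL),
                      ("good", GOOD_CRL)]:
        print(f"crl {name}: {'ok' if crl_file_ok(crl) else 'REJECT'}")
```

Run it against a real key with `private_key_status(open("key.pem").read())`; if it returns `encrypted`, decrypt the key first (e.g. with `openssl rsa -in key.pem -out plain.pem`, which prompts for the passphrase) before importing. The CRL check is deliberately strict about an empty base64 body, since a file containing only the BEGIN/END markers is just as useless to OpenVPN as a 0-byte one.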