Netgate Discussion Forum

How to renew the expiration date of Certificate Authorities, OpenVPN Server Certificates and User Certificates in pfSense?

General pfSense Questions
    Gertjan @ramses.sevilla
    last edited by Mar 10, 2021, 7:23 AM

    @ramses-sevilla
    Aren't these valid for 'ten years' or so?
    See my image above.

    No "help me" PM's please. Use the forum, the community will thank you.
    Edit: and where are the logs??

      ramses.sevilla @Gertjan
      last edited by Mar 10, 2021, 9:52 AM

      @gertjan

      Yes, this server certificate is valid for ten years but I am testing the renew certificates option that has been introduced in pfSense 2.5.0 and I can renew the CA Certificate and the User Certificate but when I try to renew the OpenVPN Server Certificate the following error is displayed:

      [screenshot not available]

      And I don't know why.

      Best regards

        provels @ramses.sevilla
        last edited by Mar 10, 2021, 11:34 AM

        @ramses-sevilla
        Just a guess, but have you tried disabling the server before renewing the certificate?

        Peder

        MAIN - pfSense+ 24.11-RELEASE - Adlink MXE-5401, i7, 16 GB RAM, 64 GB SSD. 500 GB HDD for SyslogNG
        BACKUP - pfSense+ 23.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 3 GB RAM, 8GB VHDX (Dynamic)

          jimp Rebel Alliance Developer Netgate @provels
          last edited by Mar 10, 2021, 1:37 PM

          @ramses-sevilla said in How to renew the expiration date of Certificate Authorities, OpenVPN Server Certificates and User Certificates in pfSense?:

          Yes, this server certificate is valid for ten years but I am testing the renew certificates option that has been introduced in pfSense 2.5.0 and I can renew the CA Certificate and the User Certificate but when I try to renew the OpenVPN Server Certificate the following error is displayed:

          Can you share the details of the certificate as shown in the GUI list and info box (click the "i" icon)? Nothing I have tried has resulted in that error.

          @provels said in How to renew the expiration date of Certificate Authorities, OpenVPN Server Certificates and User Certificates in pfSense?:

          @ramses-sevilla
          Just a guess, but have you tried disabling the server before renewing the certificate?

          That's not necessary, the renewal process will restart servers using the certificate afterward.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

            ramses.sevilla @jimp
            last edited by Mar 10, 2021, 2:00 PM

            @jimp

            [screenshot not available]

            [screenshot not available]

            @provels

            Yes, I have tried:

            • Stopping the server.
            • Disabling the server.

            And I have created a new Server Certificate in pfSense 2.5.0 and I have tried to renew this new Server Certificate and it shows me the same error.

            Has anyone tried to renew a Server Certificate in pfSense 2.5.0?

            Regards

              jimp Rebel Alliance Developer Netgate
              last edited by Mar 10, 2021, 2:42 PM

              I have renewed all kinds of certificates, server and otherwise, in 2.5 and they all work for me. Which leads me to believe it's something in your certificate data triggering the problem.

              Can you try adjusting the CN so it doesn't have a space in it?

              Not that it should be a problem but typically that's a short name or hostname and not a string like that. I can't recall if I tested that sort of value.


                jimp Rebel Alliance Developer Netgate
                last edited by Mar 10, 2021, 3:41 PM

                It's definitely the space in the CN doing it. I can reproduce that here:

                https://redmine.pfsense.org/issues/11652


                  ramses.sevilla @jimp
                  last edited by Mar 10, 2021, 4:22 PM

                  @jimp

                  To adjust the CN I need to create a new certificate, don't I?

                  I can't modify the CN of the Server Certificate, can I?

                  The CA has a space in the CN and renews without problem.

                  I have created a new certificate without spaces in the CN and it renews fine.

                  Will the problem be solved?

                  Best regards

                    jimp Rebel Alliance Developer Netgate
                    last edited by Mar 10, 2021, 5:16 PM

                    @ramses-sevilla said in How to renew the expiration date of Certificate Authorities, OpenVPN Server Certificates and User Certificates in pfSense?:

                    @jimp

                    To adjust the CN I need to create a new certificate, don't I?

                    Yes, but since it's a server certificate which doesn't need to be sent to clients, that's typically easy, make a new cert, pick it to be used as the server cert, and that's it.

                    I can't modify the CN of the Server Certificate, can I?

                    Correct.

                    The CA has a space in the CN and renews without problem.

                    That's expected as a CA is a different type of entry from a certificate, certificates have a lot more data in them and a lot more to go wrong.

                    Will the problem be solved?

                    Yes, I tracked it down further and the real problem is a lack of SAN entries in the certificate. Normally it will take the common name and add that as a SAN entry, but in these cases that kind of common name cannot be a valid SAN entry. The SAN list ends up empty since there are no manual entries nor the entry for the CN. The certificate renewal code was assuming all certificates have a SAN, which in these cases is not true.

                    You can install the System Patches package and then create an entry for 09d3fe621a56292817a85a54916e8b99e2b26c00 to apply the fix. With that fix applied, you can renew certificates with spaces or x509-escaped characters in their CN which lack SANs.


                      ramses.sevilla @jimp
                      last edited by Mar 11, 2021, 9:27 AM

                      @jimp

                      I have applied the patch and now I can renew the Server Certificate fine in my testing environment.

                      I have the production environment with a cluster in pfSense 2.4.5-p1. I had thought of updating to pfSense 2.5.0 because I need to renew CA, Server and User Certificates, but I have seen in the forum that the update to pfSense 2.5.0 breaks some services (Hardware, IPsec, DHCP Relay, ...) that I have configured in my environment.

                      I have some doubts:

                      • Do you recommend that I wait for the next pfSense version?

                      • Will all patches be included in the next version?

                      • How long will it take for the next version to come out?

                      • Can I renew a Certificate without problems if it has expired?

                      Best regards

                        jimp Rebel Alliance Developer Netgate @ramses.sevilla
                        last edited by Mar 11, 2021, 2:08 PM

                        @ramses-sevilla said in How to renew the expiration date of Certificate Authorities, OpenVPN Server Certificates and User Certificates in pfSense?:

                        Do you recommend that I wait for the next pfSense version?

                        That's up to you.

                        Will all patches be included in the next version?

                        This fix will be, but not every single commit that's happened recently. Primary focus is on fixing regressions and other important behavior that isn't functioning properly.

                        How long will it take for the next version to come out?

                        Not too long, but we don't have a firm ETA. Sometime in the next few weeks, most likely.

                        Can I renew a Certificate without problems if it has expired?

                        Yes, though if you wait until it expires, it may be rejected by clients after it expires.

                        You could renew the certificate on a 2.5 lab system and then copy the certificate back over into the older configuration and use it there in the meantime.


                          ramses.sevilla @jimp
                          last edited by Mar 15, 2021, 4:45 PM

                          @jimp

                          Well, recapping...

                          I have a pfSense 2.4.5_1 cluster with OpenVPN Server in production.

                          This pfSense has:

                          Certificate Authorities --> ca-prod-1 --> Valid from: 23 Apr 2020 --> Valid Until: 21 Apr 2030 (Internal) --> OpenVPN Server

                          Server Certificate (OpenVPN) --> srv-prod-1 --> Valid from: 23 Apr 2020 --> Valid Until: 21 Apr 2030

                          User Certificate --> usr-prod-1 --> Valid from: 23 Apr 2020 --> Valid Until: 21 Apr 2030

                          To renew the Expiration Date of the Certificates, I need:

                          • First: I need to renew the Expiration Date of the Certificate Authority. I don't need to send anything to the OpenVPN Client nor modify anything in the OpenVPN Server, and everything will continue working fine. Right?

                          • Second: I need to renew the Expiration Date of the Server Certificate. I don't need to send anything to the OpenVPN Client nor modify anything in the OpenVPN Server, and everything will continue working fine. Right?

                          • Third: I need to renew the Expiration Date of the User Certificates. I need to resend each renewed certificate to the user. Right?

                          • Doubts:

                          If the User Certificate expires, can I renew it and send the renewed certificate later?

                          What would happen if the Certificate Authority expires? Would everything still work? Can I renew the Certificate Authority later?

                          What would happen if the Server Certificate expires? Would everything still work? Can I renew the Server Certificate later?

                          Best regards

                            ramses.sevilla
                            last edited by Mar 18, 2021, 10:02 AM

                            @jimp thanks so much for your answers.

                            I have other issues renewing Certificates.

                            When I create a new User and check the option to create a Certificate, I select these options:

                            [screenshot not available]

                            If I go to "VPN > OpenVPN > Client Export", the new User appears for export:

                            [screenshot not available]

                            Well, if I try to renew the Certificate of the new User (usuario2) it shows this:

                            [screenshot not available]

                            But I selected Digest SHA256 when I created the new User (usuario2).

                            If I renew the Certificate of the new User and later go to "VPN > OpenVPN > Client Export", the new User (usuario2) does not appear for export:

                            [screenshot not available]

                            This occurs even if I mark the option "Enforce strict security parameters" when renewing the User Certificate.

                            The other User that appears (soporte) is a User that I had created in pfSense before updating to pfSense 2.5.0, and I can renew it without problems; it does not show the SHA2 problem when renewing the Certificate and it appears in "VPN > OpenVPN > Client Export" for export. In case it helps you.

                            What can be the problem now?

                            Best regards

                              jimp Rebel Alliance Developer Netgate
                              last edited by Mar 18, 2021, 1:20 PM

                              I can't reproduce that here at all, but I'm also on RC snapshots (2.5.1 RC / 21.02.2 RC). Might be something we already fixed since the release.

                              If I make a user cert from the user manager with SHA256, it gets SHA256. It shows for export. Renewal doesn't flag anything as needing changed. After renewal, it still shows for export.


                                ramses.sevilla @jimp
                                last edited by Mar 19, 2021, 1:04 PM

                                @jimp hi,

                                I have updated pfSense 2.4.5-p1 to pfSense 2.5.1RC and I have the same problem.

                                If I create the User Certificate (with SHA256):

                                [screenshot not available]

                                When I create the new user from User Manager, if I renew the User Certificate, it shows:

                                [screenshot not available]

                                And it does not appear in "VPN > OpenVPN > Client Export" for export.

                                If I renew a User that was already created in pfSense 2.4.5-p1, I have no problem.

                                If I create a new User Certificate (SHA256) from Certificate Manager, when I renew the User Certificate, it shows that the certificate is SHA256 and I have no problem. And if I edit the User that disappeared and associate this renewed certificate to the user, the User appears again in "VPN > OpenVPN > Client Export" for export.

                                I don't understand what happens...

                                Best regards

                                  jimp Rebel Alliance Developer Netgate
                                  last edited by Mar 19, 2021, 2:47 PM

                                  OK, that time I was able to reproduce it. It seems to be from creating the certificate while also creating the user, it doesn't happen when creating from the cert manager or when adding a new cert to an existing user.

                                  Now that I can reproduce it I'll see if I can come up with a fix.

                                  Thanks!


                                    jimp Rebel Alliance Developer Netgate
                                    last edited by Mar 19, 2021, 2:58 PM

                                    So there are two problems:

                                    1. Creating the cert while creating the user doesn't respect the digest but it also doesn't set the type to 'user' properly: https://redmine.pfsense.org/issues/11705
                                    2. When renewing, if the type is empty, it assumes server certificate, which is why it no longer is available in the export package: https://redmine.pfsense.org/issues/11706

                                    We'll get fixes in for those soon.


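Added example, not pfSense code (which is PHP) and not the fixes jimp committed: a Python model of the two renewal assumptions described in this post and in jimp's Mar 10, 5:16 PM post above, plus a pre-renewal audit a practitioner could run over exported cert records. It assumes a SAN is derived from the CN only when the CN is a valid DNS name or IP literal (the hostname rule is my own), models the pre-fix failure as indexing an empty SAN list, and uses constructed sample records; the CN "OpenVPN Server" stands in for the real one, which the thread does not show.

```python
import ipaddress
import re

# RFC 1123 hostname label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def san_from_cn(cn):
    """SAN entry derived from a CN, or None when the CN cannot be a SAN value.

    An IP literal becomes an IP SAN and a valid DNS name a DNS SAN; anything
    else (a CN with a space, x509-escaped characters) yields no entry.
    """
    try:
        return ("IP", str(ipaddress.ip_address(cn)))
    except ValueError:
        pass
    labels = cn.rstrip(".").split(".")
    if cn and len(cn) <= 253 and all(_LABEL.match(label) for label in labels):
        return ("DNS", cn)
    return None

def build_san_list(cn, manual_sans=()):
    """Manual SAN entries plus the CN-derived entry, if there is one."""
    sans = list(manual_sans)
    derived = san_from_cn(cn)
    if derived is not None and derived not in sans:
        sans.append(derived)
    return sans

def renew_assuming_san(cert):
    """Pre-fix renewal as modelled here (not pfSense's code): a SAN is taken for granted."""
    sans = build_san_list(cert["cn"], cert.get("sans", ()))
    primary = sans[0]  # IndexError for a cert whose SAN list is empty
    return {"cn": cert["cn"], "sans": sans, "primary_san": primary}

def renew_without_assuming_san(cert):
    """Renewal that emits the SAN extension only when there are entries."""
    sans = build_san_list(cert["cn"], cert.get("sans", ()))
    renewed = {"cn": cert["cn"]}
    if sans:
        renewed["sans"] = sans
    return renewed

def renewal_risks(certs):
    """Pre-renewal audit over cert records (dicts with descr, cn, type, sans).

    Flags the two conditions from the thread: an empty SAN list, and an empty
    type, which renewal treated as 'server' (dropping the cert from Client Export).
    """
    findings = []
    for cert in certs:
        if not build_san_list(cert["cn"], cert.get("sans", ())):
            findings.append((cert["descr"], "no SAN entries: CN cannot be used as a SAN"))
        if not cert.get("type"):
            findings.append((cert["descr"], "empty type: renewal would assume server"))
    return findings

# Constructed sample records; the CN with a space stands in for the one in the thread.
SAMPLE_CERTS = [
    {"descr": "srv-prod-1", "cn": "OpenVPN Server", "type": "server"},
    {"descr": "usuario2", "cn": "usuario2", "type": ""},
    {"descr": "usr-prod-1", "cn": "usr-prod-1", "type": "user"},
]
```

Running renewal_risks over SAMPLE_CERTS flags srv-prod-1 for the empty SAN list and usuario2 for the empty type, the two records that would have misbehaved before the patches.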
                                      jimp Rebel Alliance Developer Netgate
                                      last edited by Mar 19, 2021, 3:38 PM

                                      Fixes are in for both now, will be in snapshots before too long (probably tomorrow or early next week, we have them disabled right now while some other work happens).

                                      You can apply the relevant commits as patches in the meantime.

                                      1. #11705 : 937dbcc1f51e7cd73fc07890f5941cf718c0c176
                                      2. #11706: 4af6e7f6d13dc82a9d62fbf57b00eddd7a6bf2f9


                                        ramses.sevilla @jimp
                                        last edited by ramses.sevilla Mar 22, 2021, 12:02 PM

                                        @jimp Hi,

                                        I have my test environment updated to pfSense 2.5.1.r.20210318.0300 version.

                                        You told me to install these new patches to solve these new problems with the User Certificates.

                                        1. #11705 : 937dbcc1f51e7cd73fc07890f5941cf718c0c176
                                        2. #11706: 4af6e7f6d13dc82a9d62fbf57b00eddd7a6bf2f9

                                        I have seen that there is pfSense 2.5.1.r.20210322.0300 new version.

                                        Do you know if this new version includes the patches you told me about before?

                                        Best regards

                                          ramses.sevilla @jimp
                                          last edited by Mar 22, 2021, 4:15 PM

                                          @jimp Hi,

                                          Well, I have updated my test environment to pfSense 2.5.1.r.20210322.0300 and it seems that both patches have been added, because I have tried creating the User Certificate when I create new users from User Manager and renewing the User Certificate afterwards from Certificate Manager, and it shows me that the User Certificate is SHA256 and it doesn't disappear from "VPN > OpenVPN > Client Export".

                                          I'm going to keep doing tests.

                                          Best regards

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.