OpenVPN on pfSense treats valid certificates as REVOKED

  • Hi all, I have a problem with the CRL.
    All SSL stuff was imported from a Linux server which has to be replaced by pfSense (but I need to preserve all certificates as is).
    Certificates are up to date and working without the CRL check.
    But when I try to enable this useful feature, I get the following error:

    TLS: Initial packet from, sid=5342fd0e 65634748
    CRL CHECK FAILED: /C=NZ/ST=Area/L=City/O=My_Conpany/CN=OpenVPN_CA/ is REVOKED
    TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
    TLS Error: TLS object -> incoming plaintext read error
    TLS Error: TLS handshake failed
    Fatal TLS error (check_tls_errors_co), restarting
    SIGUSR1[soft,tls-error] received, client-instance restarting
    TCP/UDP: Closing socket

    Could anybody point me to what I'm doing wrong here?
    Many thanks in advance

    openvpn --version

    OpenVPN 2.0.6 i386-portbld-freebsd7.0 [SSL] [LZO] built on Nov  9 2008
    Developed by James Yonan
    Copyright (C) 2002-2005 OpenVPN Solutions LLC

    openssl crl -in crl.pem  -text -noout

    Certificate Revocation List (CRL):
            Version 1 (0x0)
            Signature Algorithm: md5WithRSAEncryption
            Issuer: /C=NZ/ST=Area/L=City/O=My Conpany/CN=OpenVPN CA/
            Last Update: Sep 21 02:59:33 2009 GMT
            Next Update: Oct 21 02:59:33 2009 GMT
    Revoked Certificates:
        Serial Number: 00
            Revocation Date: Jul  9 03:42:27 2009 GMT
        Serial Number: 01
            Revocation Date: Jul  9 03:45:03 2009 GMT
        Serial Number: 02
            Revocation Date: Jul  9 03:44:20 2009 GMT
        Serial Number: 03
            Revocation Date: Jul  9 03:46:00 2009 GMT
        Serial Number: 05
            Revocation Date: Jul 16 05:13:08 2009 GMT
        Serial Number: 06
            Revocation Date: Jul 16 04:36:29 2009 GMT
        Signature Algorithm: md5WithRSAEncryption

    (the test certificate, taphy.crt, has Serial Number 07 and is not in the CRL at all)

    The CRL test from the command line is OK:

    cat  openvpn_server0.crl > test-crl.pem

    openssl verify -CAfile test-crl.pem  -crl_check taphy.crt

    taphy.crt: OK/

  • Hi again,
    it is actually my ca.crt imported from Linux that is reported as revoked. Is it possible to add this one as trusted or renew it somehow?

  • Solved :) I had to be more attentive to my index.txt and ca.crt content.

    My old ca.crt has serial 00 (not sure why, historical) and of course it was treated as revoked by the CRL, since there was a client certificate with the same serial number which was revoked ages ago, and there were no CRL checks at all (historical again).
    Unfortunately I have just two options: rebuild all certificates or make the client certificate with serial 00 valid (the first is better).
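An added example, not code from the thread or from OpenVPN/pfSense, that models the collision the last post describes: it parses the `openssl crl -text -noout` output shown above, applies the serial-only check that matched the CA certificate against its own CRL, and lists the serial reuse that caused it. The certificate records and the trimmed CRL text are constructed to mirror the thread (CA serial 00, an old revoked client with serial 00, taphy.crt with serial 07).

```python
import re

# Constructed sample: the `openssl crl -text -noout` output from the thread,
# trimmed to three revoked entries (the real CRL lists 00, 01, 02, 03, 05, 06).
CRL_TEXT = """\
Certificate Revocation List (CRL):
        Issuer: /C=NZ/ST=Area/L=City/O=My Conpany/CN=OpenVPN CA/
Revoked Certificates:
    Serial Number: 00
        Revocation Date: Jul  9 03:42:27 2009 GMT
    Serial Number: 01
        Revocation Date: Jul  9 03:45:03 2009 GMT
    Serial Number: 06
        Revocation Date: Jul 16 04:36:29 2009 GMT
"""
CA = "/C=NZ/ST=Area/L=City/O=My Conpany/CN=OpenVPN CA/"
# Constructed certificate records mirroring the thread: the CA itself carries
# serial 00, an old (revoked) client also got serial 00, taphy.crt is serial 07.
CERTS = [
    {"subject": CA, "issuer": CA, "serial": 0x00},
    {"subject": "/CN=old_client/", "issuer": CA, "serial": 0x00},
    {"subject": "/CN=taphy/", "issuer": CA, "serial": 0x07},
]

def parse_crl_text(text):
    """Return (issuer, {revoked serials as int}) from `openssl crl -text` output."""
    issuer = re.search(r"^\s*Issuer:\s*(.+?)\s*$", text, re.M).group(1)
    raw = re.findall(r"^\s*Serial Number:\s*([0-9A-Fa-f:]+)", text, re.M)
    return issuer, {int(s.replace(":", ""), 16) for s in raw}

def crl_check(chain, crl_issuer, revoked):
    """Serial-only check over the whole presented chain, CA certificate included
    (the behaviour the thread ran into). Returns the first matching subject or None."""
    for cert in chain:
        if cert["issuer"] == crl_issuer and cert["serial"] in revoked:
            return cert["subject"]
    return None

def serial_collisions(certs):
    """Root cause: (first subject, second subject, serial) for every serial
    number that was issued twice under the same issuer."""
    seen, dupes = {}, []
    for c in certs:
        key = (c["issuer"], c["serial"])
        if key in seen:
            dupes.append((seen[key], c["subject"], c["serial"]))
        else:
            seen[key] = c["subject"]
    return dupes
```

Replaying the handshake as `crl_check([CERTS[2], CERTS[0]], *parse_crl_text(CRL_TEXT))` returns the CA subject, exactly the "is REVOKED" line in the first post, while `serial_collisions(CERTS)` points at the reused serial 00. Note that the leaf-only `openssl verify -crl_check` run in the first post does not exercise this path; `openssl verify -crl_check_all` also checks the CA certificate in the chain against the CRL.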
