Certificate manager: CRL is not working
I am using pfsense 2.0-RC1 (i386) built on Fri Apr 8 19:08:10 EDT 2011 embedded on a soekris box.
I would like to use openVPN capabilities with certificate manager.
1st problem: When I try to revoke a certificate with another reason than "unspecified" I am having a 500 error and my certificate does not appear as revoked. If I use "unspecified" as a reason I am not having the 500 error.
But (2nd problem), the previously revoked certificate is marked as revoked:
Currently Revoked Certificates for CRL: openvpnCRL
| Certificate Name | Revocation Reason | Revoked At |
|---|---|---|
| XXX | Unspecified | Tue May 3 12:41:16 CEST 2011 |
When I try to export the CRL, I get an empty (0 bytes) file and I cannot connect to the VPN. I get this error: CRL: cannot read CRL from file /var/etc/openvpn/server1.crl-verify
When I connect with ssh to pfsense:
[2.0-RC1][root@pfsense]/var/etc/openvpn(12): cd /var/etc/openvpn
[2.0-RC1][root@pfsense]/var/etc/openvpn(13): ls -l
-rw------- 1 root wheel 497 May 3 15:05 client2.conf
-rw------- 1 root wheel 618 May 3 15:05 client2.secret
-rw------- 1 root wheel 1266 May 4 11:20 server1.ca
-rw------- 1 root wheel 1316 May 4 11:20 server1.cert
-rw------- 1 root wheel 746 May 4 11:20 server1.conf
-rw------- 1 root wheel 0 May 4 11:20 server1.crl-verify
-rw------- 1 root wheel 902 May 4 11:20 server1.key
srwxrwxrwx 1 root wheel 0 May 4 11:20 server1.sock
The file is empty....
If I disable certificate revocation in the openVPN configuration (Peer Certificate Revocation List set to none) I do not have any problem connecting to the VPN.
I found this topic: http://forum.pfsense.org/index.php/topic,29858.msg154651.html My problem seems resolved there, but it does not work for me.
I did not create the certificates with the certificate manager but imported them from an old system.
Am I missing something?
Did you import the private key of your CA? You can't revoke certificates without the private key of the CA. I thought I had added code to check for that recently, you might want to update to a more recent snapshot.
I'll have to look at the code but it would be helpful to know exactly what you imported.
I imported the private key as well.
I tried to use auto update twice, which did not work. I checked "Allow auto-update firmware images with a missing or invalid digital signature to be used" and then I invoked auto-upgrade. latest.gz was downloaded but the upgrade did not work. Here are the logs:
/etc/rc.firmware: /etc/rc.firmware_notify: not found
fdisk: invalid fdisk partition table found
bsdlabel: /dev/ad0s3: no valid label found
firmware_update_misc_log.txt (END)
NanoBSD Firmware upgrade in progress...
Installing /root/latest.tgz.
SLICE 1
OLDSLICE 2
TOFLASH ad0s1
COMPLETE_PATH ad0s1a
GLABEL_SLICE pfsense0
Tue May 3 14:52:21 CEST 2011
total 8
dr-xr-xr-x 8 root wheel 512B May 3 11:18 .
drwxr-xr-x 24 root wheel 512B May 3 11:18 ..
crw-r----- 1 root operator 0, 54 May 3 11:18 ad0
crw-r----- 1 root operator 0, 55 May 3 11:18 ad0s1
crw-r----- 1 root operator 0, 58 May 3 11:18 ad0s1a
crw-r----- 1 root operator 0, 56 May 3 11:18 ad0s2
crw-r----- 1 root operator 0, 59 May 3 11:18 ad0s2a
crw-r----- 1 root operator 0, 57 May 3 11:18 ad0s3
crw------- 1 root operator 0, 28 May 3 11:18 ata
crw------- 1 root wheel 0, 11 May 3 11:18 bpf
lrwxr-xr-x 1 root wheel 3B May 3 11:18 bpf0 -> bpf
Before upgrade fdisk/bsdlabel
******* Working on device /dev/ad0 *******
parameters extracted from in-core disklabel are:
cylinders=15490 heads=16 sectors/track=63 (1008 blks/cyl)
Figures below won't work with BIOS for partitions not in cyl 1
parameters to be used for BIOS calculations are:
cylinders=15490 heads=16 sectors/track=63 (1008 blks/cyl)
Media sector size is 512
Warning: BIOS sector numbering starts with sector 1
Information from DOS bootblock is:
The data for partition 1 is:
sysid 165 (0xa5),(FreeBSD/NetBSD/386BSD)
start 63, size 3861585 (1885 Meg), flag 0
beg: cyl 0/ head 1/ sector 1;
end: cyl 758/ head 15/ sector 63
The data for partition 2 is:
sysid 165 (0xa5),(FreeBSD/NetBSD/386BSD)
start 3861711, size 3861585 (1885 Meg), flag 80 (active)
beg: cyl 759/ head 1/ sector 1;
I can try a manual update but I don't think this will change anything :-/. I installed a fresh pfsense maybe on April 10 and I upgraded to the version I use (April 8). If I make a new fresh installation and upgrade to May 3, could I use the same config.xml file?
Yes you could use the same config.xml file.
You could change between x86 and x64 and use the same config.xml file. That's really nice.
I didn't have a look at your post and opened a new one today. I have many problems with the CRL and OpenVPN, too. Perhaps you could help me or try with your configuration if the same problems occur!?
I reinstalled pfsense in a soekris box, I uploaded my config.xml and updated pfsense (2.0-RC1 (i386) built on Mon May 9 04:20:45 EDT 2011).
- I still have the error 500 when I revoke a certificate and don't choose "Unspecified" as the revocation reason.
- I still have a 0-byte server1.crl-verify file after I added certificates to revoke.
- I still have an error when I try to connect to the openVPN server because of the empty file.
Any idea?
2 and 3 I am working on. I still can't reproduce 1 and have no idea where that could be coming from.
Thanks for working on it.
About 1, do you need extra logs or information?
edit: I have this in the system log when the error occurs: "May 10 17:40:53 kernel: pid 50832 (php), uid 0: exited on signal 11 (core dumped)"
I don't think this will help...
That basically just means that php crashed when it tried to do that, which explains the 500 error.
There may be some character or input in the ca/cert that isn't valid... not sure what it could be though. Is this a ca/cert you generated yourself, or an imported one?
That was a certificate we generated for our old pfsense 1.2.0, which was working very well ;-)
I imported the CA/CA private key and every user certificate/user private key in the cert manager...
It may be something specific to that ca then somehow. No matter what I do, I haven't been able to replicate that crash, even when I import a ca.
I could make some tests with another CA to see if this comes from this CA.
I updated to RC2 and did some tests today. I imported another CA (not the one I used before). I do not have the 500 error with this certificate and I do not have an empty CRL.
About the other certificate (the one I had problems with), I deleted the old CRL and created a new one. I still have the empty CRL and the 500 error.
Then I realized that the difference between those two is that the one I have problems with has an encrypted private key. I think that's the source of my problem. I hope this can help you to reproduce...
Yeah, encrypted private keys are not supported and there are no plans to support them. It tries to use them as-is.
We have some code to try to detect them but if you could still import it, it is apparently still a little flawed.
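A small check script covering the two failure modes this thread ends up with: the 0-byte crl-verify file that OpenVPN refuses in the first post, and the encrypted CA private key the certificate manager cannot use as found at the end. This is an added example, not pfSense code and not from any poster; the path /var/etc/openvpn/server1.crl-verify is taken from the thread, the script name and function names are assumptions, and the sample files in the usage comment are constructed.

```shell
#!/bin/sh
# Added example, not part of pfSense. Assumed usage (script name is hypothetical):
#   sh crlcheck.sh /var/etc/openvpn/server1.crl-verify [ca.key]

# Return 0 if the PEM private key in $1 is encrypted, 1 otherwise.
# Matches the two usual markers: the legacy OpenSSL "Proc-Type: 4,ENCRYPTED"
# header and the PKCS#8 "ENCRYPTED PRIVATE KEY" block label.
key_is_encrypted() {
    grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Inspect the file OpenVPN loads through crl-verify.
# Return codes: 0 usable, 1 missing or empty, 2 no PEM CRL block,
# 3 present but openssl cannot parse it.
check_crl_file() {
    f="$1"
    if [ ! -s "$f" ]; then
        echo "FAIL: $f is missing or empty; OpenVPN will report 'cannot read CRL from file'"
        return 1
    fi
    if ! grep -q -- '-----BEGIN X509 CRL-----' "$f"; then
        echo "FAIL: $f does not contain a PEM X509 CRL block"
        return 2
    fi
    # Deeper check only where openssl is installed (it is on pfSense).
    if command -v openssl >/dev/null 2>&1; then
        if ! openssl crl -in "$f" -noout >/dev/null 2>&1; then
            echo "FAIL: openssl cannot parse $f"
            return 3
        fi
        # Print issuer and nextUpdate so a stale CRL is visible as well.
        openssl crl -in "$f" -noout -issuer -nextupdate
    fi
    echo "OK: $f looks like a usable CRL"
    return 0
}

# Command-line entry point: first argument is the CRL file, optional second
# argument is the CA private key to inspect.
if [ $# -ge 1 ]; then
    check_crl_file "$1"
    if [ $# -ge 2 ]; then
        if key_is_encrypted "$2"; then
            echo "WARN: $2 is an encrypted private key; the cert manager cannot sign a CRL with it"
        else
            echo "OK: $2 is an unencrypted private key"
        fi
    fi
fi
```

Run it on the firewall after revoking a certificate; an empty crl-verify file together with a key that reports WARN is exactly the combination described above, and decrypting the key before importing it into the CA is the way to get a non-empty CRL.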