Certificate manager : CRL is not working

  • Hi,

    I am using pfsense 2.0-RC1 (i386) built on Fri Apr 8 19:08:10 EDT 2011 embedded on a soekris box.
    I would like to use openVPN capabilities with certificate manager.

    1st problem: When I try to revoke a certificate with another reason than "unspecified" I get a 500 error and my certificate does not appear as revoked. If I use "unspecified" as the reason I do not get the 500 error.

    But (2nd problem), the previously revoked certificate is marked as revoked:

    | Currently Revoked Certificates for CRL: openvpnCRL |
    | Certificate Name | Revocation Reason | Revoked At |
    | XXX | Unspecified | Tue May 3 12:41:16 CEST 2011 |

    When I tried to export the CRL, I got an empty (0 bytes) file and I cannot connect to the VPN. I have this error: CRL: cannot read CRL from file /var/etc/openvpn/server1.crl-verify

    When I connect to pfsense with ssh:

    [2.0-RC1][root@pfsense]/var/etc/openvpn(12): cd /var/etc/openvpn
    [2.0-RC1][root@pfsense]/var/etc/openvpn(13): ls -l
    total 12
    -rw-------  1 root  wheel  497 May  3 15:05 client2.conf
    -rw-------  1 root  wheel  618 May  3 15:05 client2.secret
    -rw-------  1 root  wheel  1266 May  4 11:20 server1.ca
    -rw-------  1 root  wheel  1316 May  4 11:20 server1.cert
    -rw-------  1 root  wheel  746 May  4 11:20 server1.conf
    -rw-------  1 root  wheel    0 May  4 11:20 server1.crl-verify
    -rw-------  1 root  wheel  902 May  4 11:20 server1.key
    srwxrwxrwx  1 root  wheel    0 May  4 11:20 server1.sock

    The file is empty....

    If I disable certificate revocation in the openVPN configuration (Peer Certificate Revocation List set to none) I do not have any problem connecting to the VPN.

    I found this topic: http://forum.pfsense.org/index.php/topic,29858.msg154651.html My problem seems resolved there, but it does not work for me.

    I did not create certificates with certificate manager but I imported them from old system.

    Am I missing something?


  • Rebel Alliance Developer Netgate

    Did you import the private key of your CA? You can't revoke certificates without the private key of the CA. I thought I had added code to check for that recently, you might want to update to a more recent snapshot.

    I'll have to look at the code but it would be helpful to know exactly what you imported.

  • Hi Jimp,

    I imported the private key as well.
    I tried to use auto update twice, which did not work. I checked "Allow auto-update firmware images with a missing or invalid digital signature to be used" and then I invoked auto-upgrade. latest.gz was downloaded but the upgrade did not work; here are the logs.


    /etc/rc.firmware: /etc/rc.firmware_notify: not found
    fdisk: invalid fdisk partition table found
    bsdlabel: /dev/ad0s3: no valid label found
    firmware_update_misc_log.txt (END) 


    NanoBSD Firmware upgrade in progress...
    Installing /root/latest.tgz.
    SLICE         1
    OLDSLICE      2
    TOFLASH       ad0s1
    COMPLETE_PATH ad0s1a
    GLABEL_SLICE  pfsense0
    Tue May  3 14:52:21 CEST 2011
    total 8
    dr-xr-xr-x   8 root  wheel         512B May  3 11:18 .
    drwxr-xr-x  24 root  wheel         512B May  3 11:18 ..
    crw-r-----   1 root  operator    0,  54 May  3 11:18 ad0
    crw-r-----   1 root  operator    0,  55 May  3 11:18 ad0s1
    crw-r-----   1 root  operator    0,  58 May  3 11:18 ad0s1a
    crw-r-----   1 root  operator    0,  56 May  3 11:18 ad0s2
    crw-r-----   1 root  operator    0,  59 May  3 11:18 ad0s2a
    crw-r-----   1 root  operator    0,  57 May  3 11:18 ad0s3
    crw-------   1 root  operator    0,  28 May  3 11:18 ata
    crw-------   1 root  wheel       0,  11 May  3 11:18 bpf
    lrwxr-xr-x   1 root  wheel           3B May  3 11:18 bpf0 -> bpf


    Before upgrade fdisk/bsdlabel
    ******* Working on device /dev/ad0 *******
    parameters extracted from in-core disklabel are:
    cylinders=15490 heads=16 sectors/track=63 (1008 blks/cyl)
    Figures below won't work with BIOS for partitions not in cyl 1
    parameters to be used for BIOS calculations are:
    cylinders=15490 heads=16 sectors/track=63 (1008 blks/cyl)
    Media sector size is 512
    Warning: BIOS sector numbering starts with sector 1
    Information from DOS bootblock is:
    The data for partition 1 is:
    sysid 165 (0xa5),(FreeBSD/NetBSD/386BSD)
        start 63, size 3861585 (1885 Meg), flag 0
            beg: cyl 0/ head 1/ sector 1;
            end: cyl 758/ head 15/ sector 63
    The data for partition 2 is:
    sysid 165 (0xa5),(FreeBSD/NetBSD/386BSD)
        start 3861711, size 3861585 (1885 Meg), flag 80 (active)
            beg: cyl 759/ head 1/ sector 1;

    I can try a manual update but I don't think this will change anything :-/. I installed a fresh pfsense maybe on April 10 and I upgraded to the version I use (April 8). If I make a new fresh installation and upgrade to May 3, could I use the same config.xml file?


  • Yes, you could use the same config.xml file.
    You could even change between x86 and x64 and use the same config.xml file. That's really nice.

    I didn't have a look at your post and opened a new one today. I have many problems with the CRL and OpenVPN, too. Perhaps you could help me, or try with your configuration to see if the same problems occur!?

  • Hi jimp,

    I reinstalled pfsense in a soekris box, I uploaded my config.xml and updated pfsense (2.0-RC1 (i386) built on Mon May 9 04:20:45 EDT 2011).

    1. I still have error 500 when I revoke a certificate if I don't choose "Unspecified" as the revocation reason.
    2. I still have a 0 bytes server1.crl-verify file, and I added certificates to revoke.
    3. I still have an error when I try to connect to the openVPN server because of the empty file.

    Any idea?


  • Rebel Alliance Developer Netgate

    2 and 3 I am working on. I still can't reproduce 1 and have no idea where that could be coming from.

  • Thanks for working on it.

    About 1, do you need extra logs or information?

    edit: I have this in the system log when the error occurs: "May 10 17:40:53 kernel: pid 50832 (php), uid 0: exited on signal 11 (core dumped)"
    I don't think this will help…


  • Rebel Alliance Developer Netgate

    That basically just means that php crashed when it tried to do that, which explains the 500 error.

    There may be some character or input in the ca/cert that isn't valid.. not sure what it could be though. Is this a ca/cert you generated yourself, or an imported one?

  • Hi jimp,

    That was a certificate we generated for our old pfsense 1.2.0, which was working very well ;-)
    I imported the CA/CA private key and every user certificate/user private key in the cert manager…


  • Rebel Alliance Developer Netgate

    It may be something specific to that ca then somehow. No matter what I do, I haven't been able to replicate that crash, even when I import a ca.

  • I could make some tests with another CA to see if this comes from this CA.

  • Hi Jimp,

    I updated to RC2 and I did some tests today. I imported another CA (not the one I used before). I do not have the 500 error with this certificate and I do not have an empty CRL.

    About the other certificate (the one I had problems with), I deleted the old CRL and created a new one. I still have the empty CRL and the 500 error.
    Then I realized that the difference between those two is that the one I have problems with has an encrypted private key. I think that is the source of my problem. I hope this can help you to reproduce…

  • Rebel Alliance Developer Netgate

    Yeah, encrypted private keys are not supported and there are no plans to support them. It tries to use them as-is.

    We have some code to try to detect them but if you could still import it, it is apparently still a little flawed.
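    A pre-import check of the kind jimp mentions, as an added example that is not pfSense's own import code: it classifies a PEM private key as plaintext or encrypted (both the PKCS#8 "ENCRYPTED PRIVATE KEY" form and the legacy form with Proc-Type/DEK-Info headers) so an encrypted CA key can be rejected, or decrypted first, instead of being stored as-is and crashing later. The PEM texts are constructed placeholders, not real keys.

```python
import re

# Constructed sample PEM texts (placeholder base64 bodies, not real keys).
ENCRYPTED_TRADITIONAL = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0A1B2C3D4E5F6071

MIIEowIBAAKCAQEAplaceholderplaceholderplaceholder
-----END RSA PRIVATE KEY-----
"""
ENCRYPTED_PKCS8 = """-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqplaceholderplaceholderplaceholder
-----END ENCRYPTED PRIVATE KEY-----
"""
PLAIN_RSA = """-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAplaceholderplaceholderplaceholder
-----END RSA PRIVATE KEY-----
"""

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
PROC_TYPE = re.compile(r"^Proc-Type:\s*4,ENCRYPTED\s*$", re.M)
DEK_INFO = re.compile(r"^DEK-Info:\s*([A-Z0-9-]+),", re.M)


def classify_private_key(pem: str) -> dict:
    """Say whether the PEM text is a private key and whether it is encrypted."""
    m = PEM_BLOCK.search(pem)
    if m is None:
        return {"valid": False, "encrypted": None, "label": None, "cipher": None}
    label, body = m.group(1), m.group(2)
    if not label.endswith("PRIVATE KEY"):
        return {"valid": False, "encrypted": None, "label": label, "cipher": None}
    if label == "ENCRYPTED PRIVATE KEY":
        # PKCS#8: the cipher is inside the DER, only the label is visible here.
        return {"valid": True, "encrypted": True, "label": label, "cipher": "pkcs8"}
    # Legacy OpenSSL keys: encryption is announced by RFC 1421 headers before the base64.
    dek = DEK_INFO.search(body)
    if PROC_TYPE.search(body) or dek:
        return {"valid": True, "encrypted": True, "label": label,
                "cipher": dek.group(1) if dek else "unknown"}
    return {"valid": True, "encrypted": False, "label": label, "cipher": None}


def import_check(pem: str) -> str:
    """Decision an import form could make before storing a CA/user key."""
    info = classify_private_key(pem)
    if not info["valid"]:
        return "reject: not a PEM private key"
    if info["encrypted"]:
        # Decrypt first (e.g. `openssl pkey -in enc.key -out plain.key`), then import.
        return f"reject: encrypted private key ({info['cipher']}); decrypt before import"
    return "ok"
```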
