Certificate manager : CRL is not working
-
Hi,
I am using pfsense 2.0-RC1 (i386) built on Fri Apr 8 19:08:10 EDT 2011 embedded on a soekris box.
I would like to use the OpenVPN capabilities with the certificate manager.
1st problem: When I try to revoke a certificate with a reason other than "unspecified", I get a 500 error and my certificate does not appear as revoked. If I use "unspecified" as the reason, I do not get the 500 error.
But (2nd problem), the previously revoked certificate is marked as revoked:
| Currently Revoked Certificates for CRL: openvpnCRL |
| Certificate Name | Revocation Reason | Revoked At |
| XXX | Unspecified | Tue May 3 12:41:16 CEST 2011 |
When I tried to export the CRL, I got an empty (0 bytes) file and I cannot connect to the VPN. I get this error: CRL: cannot read CRL from file /var/etc/openvpn/server1.crl-verify
When I connect with ssh to pfsense :
[2.0-RC1][root@pfsense]/var/etc/openvpn(12): cd /var/etc/openvpn
[2.0-RC1][root@pfsense]/var/etc/openvpn(13): ls -l
total 12
-rw------- 1 root wheel 497 May 3 15:05 client2.conf
-rw------- 1 root wheel 618 May 3 15:05 client2.secret
-rw------- 1 root wheel 1266 May 4 11:20 server1.ca
-rw------- 1 root wheel 1316 May 4 11:20 server1.cert
-rw------- 1 root wheel 746 May 4 11:20 server1.conf
-rw------- 1 root wheel 0 May 4 11:20 server1.crl-verify
-rw------- 1 root wheel 902 May 4 11:20 server1.key
srwxrwxrwx 1 root wheel 0 May 4 11:20 server1.sock
The file is empty....
If I disable certificate revocation in the OpenVPN configuration (Peer Certificate Revocation List set to none), I have no problem connecting to the VPN.
I found this topic: http://forum.pfsense.org/index.php/topic,29858.msg154651.html My problem seems to be resolved there, but it does not work for me.
I did not create the certificates with the certificate manager; I imported them from the old system.
Am I missing something ?
Elodie
-
Did you import the private key of your CA? You can't revoke certificates without the private key of the CA. I thought I had added code to check for that recently, you might want to update to a more recent snapshot.
I'll have to look at the code but it would be helpful to know exactly what you imported.
-
Hi Jimp,
I imported the private key as well.
I tried to use auto-update twice, which did not work. I checked "Allow auto-update firmware images with a missing or invalid digital signature to be used" and then I invoked auto-upgrade. latest.gz was downloaded but the upgrade did not work. Here are the logs.
firmware_update_misc_log.txt
/etc/rc.firmware: /etc/rc.firmware_notify: not found
fdisk: invalid fdisk partition table found
bsdlabel: /dev/ad0s3: no valid label found
upgrade_log.txt
NanoBSD Firmware upgrade in progress...
Installing /root/latest.tgz.
SLICE 1
OLDSLICE 2
TOFLASH ad0s1
COMPLETE_PATH ad0s1a
GLABEL_SLICE pfsense0
Tue May 3 14:52:21 CEST 2011
total 8
dr-xr-xr-x 8 root wheel 512B May 3 11:18 .
drwxr-xr-x 24 root wheel 512B May 3 11:18 ..
crw-r----- 1 root operator 0, 54 May 3 11:18 ad0
crw-r----- 1 root operator 0, 55 May 3 11:18 ad0s1
crw-r----- 1 root operator 0, 58 May 3 11:18 ad0s1a
crw-r----- 1 root operator 0, 56 May 3 11:18 ad0s2
crw-r----- 1 root operator 0, 59 May 3 11:18 ad0s2a
crw-r----- 1 root operator 0, 57 May 3 11:18 ad0s3
crw------- 1 root operator 0, 28 May 3 11:18 ata
crw------- 1 root wheel 0, 11 May 3 11:18 bpf
lrwxr-xr-x 1 root wheel 3B May 3 11:18 bpf0 -> bpf
fdisk_upgrade_log.txt
Before upgrade fdisk/bsdlabel
******* Working on device /dev/ad0 *******
parameters extracted from in-core disklabel are:
cylinders=15490 heads=16 sectors/track=63 (1008 blks/cyl)
Figures below won't work with BIOS for partitions not in cyl 1
parameters to be used for BIOS calculations are:
cylinders=15490 heads=16 sectors/track=63 (1008 blks/cyl)
Media sector size is 512
Warning: BIOS sector numbering starts with sector 1
Information from DOS bootblock is:
The data for partition 1 is:
sysid 165 (0xa5),(FreeBSD/NetBSD/386BSD)
start 63, size 3861585 (1885 Meg), flag 0
beg: cyl 0/ head 1/ sector 1;
end: cyl 758/ head 15/ sector 63
The data for partition 2 is:
sysid 165 (0xa5),(FreeBSD/NetBSD/386BSD)
start 3861711, size 3861585 (1885 Meg), flag 80 (active)
beg: cyl 759/ head 1/ sector 1;
I can try a manual update but I don't think this will change anything :-/. I installed a fresh pfSense maybe on April 10 and I upgraded to the version I use (April 8). If I make a new fresh installation and upgrade to May 3, could I use the same config.xml file?
Elodie
-
Yes you could use the same config.xml file.
You could change between x86 and x64 and use the same config.xml file. That's really nice.
I didn't have a look at your post and opened a new one today. I have many problems with the CRL and OpenVPN, too. Perhaps you could help me, or try with your configuration to see if the same problems occur!?
http://forum.pfsense.org/index.php/topic,36414.0.html
-
Hi jimp,
I reinstalled pfSense on a Soekris box, uploaded my config.xml and updated pfSense (2.0-RC1 (i386) built on Mon May 9 04:20:45 EDT 2011).
- I still get error 500 when I revoke a certificate and don't choose "Unspecified" as the revocation reason.
- I still have a 0 bytes server1.crl-verify file, and I added certificates to revoke.
- I still get an error when I try to connect to the OpenVPN server because of the empty file.
Any idea ?
Elodie
-
2 and 3 I am working on. I still can't reproduce 1 and have no idea where that could be coming from.
-
Thanks for working on it.
About 1, do you need extra logs or information?
edit: I have this in the system log when the error occurs: "May 10 17:40:53 kernel: pid 50832 (php), uid 0: exited on signal 11 (core dumped)"
I don't think this will help....
Elodie
-
That basically just means that php crashed when it tried to do that, which explains the 500 error.
There may be some character or input in the ca/cert that isn't valid.. not sure what it could be though. Is this a ca/cert you generated yourself, or an imported one?
-
Hi jimp,
That was a certificate we generated for our old pfSense 1.2.0, which was working very well ;-)
I imported the CA/CA private key and every user certificate/user private key into the cert manager....
Elodie
-
It may be something specific to that ca then somehow. No matter what I do, I haven't been able to replicate that crash, even when I import a ca.
-
I could do some tests with another CA to see if this comes from this CA.
-
Hi Jimp,
I updated to RC2 and I did some tests today. I imported another CA (not the one I used before). I do not get the 500 error with this certificate and I do not get an empty CRL.
About the other certificate (the one I had problems with), I deleted the old CRL and created a new one. I still get the empty CRL and the 500 error.
Then I realized that the difference between those two is that the one I have problems with has an encrypted private key. I think that is the source of my problem. I hope this can help you to reproduce...
-
Yeah, encrypted private keys are not supported and there are no plans to support them. It tries to use them as-is.
We have some code to try to detect them but if you could still import it, it is apparently still a little flawed.
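The root cause settled on above is an encrypted CA private key imported into the cert manager: the key is used as-is, so signing the CRL fails and the exported server1.crl-verify ends up as a 0-byte file that OpenVPN then refuses to read. The check below is an added example, not pfSense code and not anything a poster in this thread wrote; it detects both ways an OpenSSL PEM private key can be encrypted (the PKCS#8 "ENCRYPTED PRIVATE KEY" block and the legacy "Proc-Type: 4,ENCRYPTED" / "DEK-Info" headers) so the key can be checked before import, and it flags an exported CRL that is empty or lacks an X509 CRL block. The function names are my own and the PEM bodies are constructed filler, not real key or CRL material.

```python
"""Pre-import check for a CA private key, and post-export check for a CRL.

Added example (not pfSense code). pfSense's cert manager uses the CA key
as-is, so an encrypted key makes revocation fail and the CRL come out empty.
"""
import re

# One PEM block: label on the BEGIN line must match the END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)


def pem_blocks(text):
    """Yield (label, body) for every PEM block found in text."""
    for m in PEM_BLOCK.finditer(text):
        yield m.group("label"), m.group("body")


def key_encryption(pem_text):
    """Return None if the first private key block is unencrypted, otherwise a
    short description of how it is encrypted. Raises if no key block exists."""
    for label, body in pem_blocks(pem_text):
        if label == "ENCRYPTED PRIVATE KEY":
            return "PKCS#8 encrypted (ENCRYPTED PRIVATE KEY)"
        if label.endswith("PRIVATE KEY"):
            # Legacy OpenSSL format: encryption is signalled by "Name: value"
            # header lines placed before the base64 payload.
            headers = {}
            for line in body.splitlines():
                if ":" not in line:  # blank line or base64 ends the headers
                    break
                name, _, value = line.partition(":")
                headers[name.strip()] = value.strip()
            if headers.get("Proc-Type") == "4,ENCRYPTED":
                return "legacy PEM encrypted with " + headers.get("DEK-Info", "unknown cipher")
            return None
    raise ValueError("no private key block found")


def crl_problems(data):
    """Return reasons an exported CRL file would be unusable as OpenVPN's
    crl-verify input; an empty list means it looks usable."""
    problems = []
    if not data:
        problems.append("file is empty (0 bytes)")
        return problems
    text = data.decode("ascii", errors="replace")
    if "X509 CRL" not in [label for label, _ in pem_blocks(text)]:
        problems.append("no 'BEGIN X509 CRL' block present")
    return problems


# Constructed samples: the base64 bodies are filler, not real key material.
UNENCRYPTED_KEY = """-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBALRiNOTREALKEYMATERIALAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
"""
LEGACY_ENCRYPTED_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

u3K9NOTREALKEYMATERIALAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
"""
PKCS8_ENCRYPTED_KEY = """-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIBvTBXBgkqNOTREALKEYMATERIALAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END ENCRYPTED PRIVATE KEY-----
"""
EMPTY_CRL = b""  # what the thread's server1.crl-verify looked like
GOOD_CRL = b"""-----BEGIN X509 CRL-----
MIIBNOTAREALCRLAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END X509 CRL-----
"""

if __name__ == "__main__":
    for name, pem in [("unencrypted", UNENCRYPTED_KEY),
                      ("legacy", LEGACY_ENCRYPTED_KEY),
                      ("pkcs8", PKCS8_ENCRYPTED_KEY)]:
        print(name, "->", key_encryption(pem) or "unencrypted, safe to import")
    for name, crl in [("empty", EMPTY_CRL), ("good", GOOD_CRL)]:
        print(name, "->", crl_problems(crl) or "ok")
```

If the check reports an encrypted key, strip the passphrase before importing with the standard OpenSSL command `openssl rsa -in ca-encrypted.key -out ca.key` (it prompts for the passphrase), and keep the resulting plaintext key as tightly permissioned as the files under /var/etc/openvpn shown earlier in the thread. After a revocation, `openssl crl -in server1.crl-verify -noout -text` should print the revoked serials; an empty file or a parse error there is the same failure the thread describes.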