OpenVPN + wrong CRL shown - revoking Certs doesn't work in all cases
-
So now you're saying that when you make a CRL and you revoke a cert, nobody can connect? Is the service even running? (Check Status > Services), Does the crl-verify file in /var/etc/openvpn/ for that instance have anything in it?
-
Hi,
1.) I didn't found time to test all scenarios but with snapshot May 7th there is an "edit" button for the CRL with no Certs in it. Great!
2.) After editing the config.xml and deleting the "empty" CRL, the blank entry in OpenVPN Server CRL pulldownmenu disapperead. Great!
Now I'm having another problem:
My CA is "HPA-CA". I created a new CRL called "MYCRL" and added this CRL to the OpenVPN Server config.
After doing this, the OpenVPN server is restarting and no unnormal entries in syslog or syslog openvpn.But after doing this, I cannot connect to this OpenVPN server. Not error log on pfsense and this is the only thing on Windows OpenVPN Client:
Sun May 08 23:00:41 2011 OpenVPN 2.2.0 Win32-MSVC++ [SSL] [LZO2] built on Apr 26 2011 Sun May 08 23:00:41 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port. Sun May 08 23:00:41 2011 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. Sun May 08 23:00:41 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables Sun May 08 23:00:41 2011 Control Channel Authentication: using 'pfsense1-UDP-1194-tls-RBS.key' as a OpenVPN static key file Sun May 08 23:00:41 2011 LZO compression initialized Sun May 08 23:00:41 2011 UDPv4 link local (bound): [undef]:1194 Sun May 08 23:00:41 2011 UDPv4 link remote: 11.12.13.14:1194
This is repeating every time the keepalive time is over.
If I delete the CRL "MYCRL" in the OpenVPN server config I can reconnect.Further:
Why does the OpenVPN Server config display two CRL: "HPA-CA" which isnt a list, just the name of my CA and then the correct CRL called "MYCRL" ?Thanks in advance!
-
Not sure why it wouldn't connect - it would help to know if you have any certificates revoked in that CRL, and either way it would help to know if /var/etc/openvpn/server<x>.crl-verify contained anything (where <x>is whatever this instance is).
As for that extra CRL entry, it may still be a side effect from hand editing your config, or something else that needs cleaned up.</x></x>
-
Hi,
like I said in my previous post:
I created a new CRL and a new Certificate. Then I revoked this certificate and then canceld the evoke - just to see, if the CRL is empty but with an edit button.
Now the CRL is empty - no revoked certificates in it.The server2.crl-verify file is empty.
–edit--
This are the only both blocks with <crl>in my config.xml:
<crl><refid>4d401a4cb674f</refid> <caref>4d4018ea7d5dd</caref> <serial>10000</serial> <lifetime>9999</lifetime> <text>xxXXxxXXxx</text></crl> <crl><refid>4dc7030fca8f5</refid> <caref>4d445bf7f2a0c</caref> <serial>9999</serial> <lifetime>9999</lifetime></crl> ```</crl>
-
That top one is probably from a CA you deleted before (note the caref doesn't match)
OpenVPN may not like a zero-byte crl. I'll have to poke at it some more.
-
I will try to do a complete fresh install of my pfsense to be sure to have no old code fragments in my config.
-
I made more improvements to CRL handling today, hopefully OpenVPN will be happy now, there will never be a 0-byte CRL file anymore.
-
Thanks jimp,
I hope I will find some time on weekend to test this.
-
I made more improvements to CRL handling today, hopefully OpenVPN will be happy now, there will never be a 0-byte CRL file anymore.
Good news jimp !
Does that mean we can update our pfsense ? -
It should be in snapshots by now.
-
Great I'll try it tomorow or next week and I'll tell you !
-
Hi,
I did a test today with the CRL but with no success. With the snapshot from today there isn't an empty server2.crl-verify anymore, but there is still the problem that I could not connect to an OpenVPN server when I added there a CRL.
I didn't findeany time to do a complete reinstallation of my pfsense so this could be perhaps the problem.
-
Hi jimp,
bad news :(
I did a complete fresh installation of pfsense and I am on 2.0-RC3 (amd64) built on Sun Jul 3 04:02:48 EDT 2011
I created a new CA, created 2 certs (server + client) and configured a new OpenVPN server. I just can connect if I do not select any CRL in the OpenVPN Server configuration.
I opened an other thread on friday because I didn't remember this thread. Perhaps this will help you a little bit to resolve this error.
http://forum.pfsense.org/index.php/topic,38466.0.htmlThanks for your help!
-
So if you revoke a certificate on the CRL, does it work? Does it still just not like an empty CRL? (Well, it's a valid CRL, just doesn't have any certificates revoked in it)
-
I know what you mean - and - you are right.
I created a new certificate and revoked it - so the CRL isn't empty anymore.
An now I can connect with an other certificate which isn't revoked. -
What if you then remove that certificate from the CRL so it's "empty" again?
-
What if you then remove that certificate from the CRL so it's "empty" again?
Sorry for my late reply.
I created a new OpenVPN server, server cert, two user certs. One for use and one for putting into the crl.
First try with the default empty CRL: FAILED
second try with a revoked cert in the CRL: WORKED
third try with cancelling the revocation and an empty CRL again: WORKED -
I have also tested with an empty CRL today, and the OpenVPN entity stopped. I have not tested with entries in CRL.
Jul 13 16:27:15 openvpn[7903]: 192.168.123.68:1194 /usr/local/sbin/ovpn-linkdown ovpns1 1500 1558 192.168.102.1 192.168.102.2 init
Jul 13 16:27:15 openvpn[7903]: 192.168.123.68:1194 Exiting
Jul 13 16:27:15 openvpn[7903]: 192.168.123.68:1194 CRL: cannot read CRL from file /var/etc/openvpn/server1.crl-verify
Jul 13 16:27:15 openvpn[7903]: 192.168.123.68:1194 LZO compression initialized
Jul 13 16:27:15 openvpn[7903]: 192.168.123.68:1194 Re-using SSL/TLS context2.0-RC3 (i386)
built on Tue Jul 12 21:45:04 EDT 2011 -
Is the CRL file it mentions empty (zero bytes) when it fails, or does it have something in it?
-
Yes, it seems to be 0 byte:
-rw–----- 1 root wheel 0 Jul 13 16:27 server1.crl-verify
-rw------- 1 root wheel 0 Jul 13 09:04 server2.crl-verifyBR,
//Eskild