No way to revoke certs?



  • Hi,

    I have searched and found a little bit of talk about revoking certs but the tool referenced "revoke-full" doesn't seem to be anywhere on the pfsense install.

    Am I looking in the wrong place?  Or is there another way to revoke certs?

    Cheers

    P1



  • You would revoke the certs on the same host you created them.  Did you create them on your pfSense host?



  • Yes, created using easyrsa4pfsense on the firewall itself.

    EDIT:

    This is a fresh install of 1.2 with the easyrsa4pfsense scripts from the sticky - no other packages or add-ons installed.



  • I'm in the same boat as you. Our keys were created with the easyrsa4pfsense package which is lacking in revocation capabilities.

    I grabbed http://openvpn.net/release/openvpn-2.0.9.tar.gz and tried installing both copies of revoke-full (one is in the 2.0 directory). Regardless, they both fail at:

    
    Using configuration from /root/easyrsa4pfsense/openssl.cnf
    error on line 145 of config file '/root/easyrsa4pfsense/openssl.cnf'
    37670:error:0E065068:configuration file routines:STR_COPY:variable has no 
    value:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/conf/conf_def.c:629:line 145
    
    

    I'll continue banging away at this, but it's starting to look like I'm going to have to just blow away a few dozen keys and re-create them all from scratch :(



  • Well, I think I've hit a stopper. Here's what I worked through:

    1. Line 145 problem is that the environmental variable KEY_OU is missing. I resolved this by adding the following to the end of the "vars" file and re-sourcing it:
    setenv KEY_OU "$KEY_ORG"
    
    1. Line 148 problem is that the environment variable KEY_CN is missing. I statically defined this at the end of the 'vars' file for testing, since there isn't a similar variable already present that I can find. This gets me past this point.

    2. Line 282 problem is that the environmental variable PKCS11_MODULE_PATH is missing. I resolved this by adding the following to the end of the "vars" file and re-sourcing it:

    setenv PKCS11_MODULE_PATH "$PKCS11TOOL"
    
    1. Final stopper problem is ONE FREAKING LINE from the end of openssl.cnf :(
    Using configuration from /root/easyrsa4pfsense/openssl.cnf
    error on line 283 of config file '/root/easyrsa4pfsense/openssl.cnf'
    38897:error:0E065068:configuration file routines:STR_COPY:variable has no 
    value:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/conf/conf_def.c:629:line 283
    
    

    That offending line is:

    PIN = $ENV::PKCS11_PIN
    

    I can't tell what this variable is used for, nor what I should populate it with. I have a feeling if I can get beyond this, I'll have the problem solved.



  • Actually, it would appear that variable may be wholly unimportant. From http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn/easy-rsa/2.0/pkitool I see:

    must be set or errors of openssl.cnf

    PKCS11_MODULE_PATH="dummy"
    PKCS11_PIN="dummy"

    So I defined that value, and ran the script (also changing the /bin/bash to /bin/sh at the top). This produces the CRL I'm looking for :)

    HOWEVER

    There seems to be a bug in the implementation of OpenVPN. I have seen this one other time, while making some adjustments to the configuration. The OpenVPN process has been shut down, but the port it was bound was not:

    ps auxwww | grep openvpn

    root  40138  0.0  0.1  348  232  p0  L+  12:56PM  0:00.00 grep openvpn

    netstat -an | grep 1194

    udp4    7106      0  *.1194                .

    AFAIK, the only resolution for this is to reboot the whole pfsense device. I've got a lot of users behind it now, so I won't be able to test out the effects of revocation until later.

    Note that the /root/easyrsa4pfsense/keys/crl.pem contents have to be pasted into the web gui configuration for OpenVPN.

    Here's the final copy of revoke-full, for those who don't want to bother getting it from the tgz archive.

    http://www.rockynet.com/patches/revoke-full.txt



  • So, the final changes I see being necessary to /root/easyrsa4pfsense/vars file are:

    setenv KEY_OU "$KEY_ORG"
    setenv KEY_CN "you.fqdn.com"
    setenv PKCS11_MODULE_PATH "$PKCS11TOOL"
    setenv PKCS11_PIN "dummy"

    Set KEY_CN to whatever your ca key FQDN is. E.g. openvpn.mydomain.com



  • After a reboot, I tested out the CRL and confirmed that it fails to connect a client with a revoked certificate. The log entries look like:

    openvpn[417]: 192.168.1.2:3050 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

    But other clients still connect successfully.

    There is one small nagging detail that has me a little concerned, and that's the definition of KEY_CN in the vars file. I should probably generate a new client key and make sure that (or other vars) don't muck anything up.



  • What I've learned to do when I have to tinker with the OpenVPN settings is I first disable the tunnel from the config page by checking the disabled option, save settings, change the setting I'm about to change, save settings and finally enable the tunnel again by unchecking the disabled option and save.

    Hope this helps.



  • I'll test this now with creating and revoking certs and see how I go.

    Good to see I wasn't insane and others couldn't revoke as well!

    • Update

    Creating certs works ok, you can't do a ./pkitool on its own now to get the usage message because the CN is now defined in the vars (so it generates a passwordless cert called whatever you set that variable to) but if you define your own CN on the command line it overrides vars.

    After playing around it seems to revoke the certs but not actually use the CRL?  I tried a few different things stop start service manually add the crl to the config page etc… but cant do a system restart at the moment.

    What needs to be done to get them to actually be revoked on login?  At the moment they just time out after seemingly verifying ok.  Logs also dont mention revoke.

    Jul 11 12:15:15 openvpn[90005]: xxxxxxxxxxxx:1194 TLS Error: TLS handshake failed
    Jul 11 12:15:15 openvpn[90005]: xxxxxxxxxxxx:1194 TLS Error: TLS object -> incoming plaintext read error
    Jul 11 12:15:15 openvpn[90005]: xxxxxxxxxxxx:1194 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
    Jul 11 12:15:15 openvpn[90005]: xxxxxxxxxxxx:1194 Re-using SSL/TLS context
    Jul 11 12:14:16 openvpn[90005]: xxxxxxxxxxxx:1194 TLS Error: TLS handshake failed
    Jul 11 12:14:16 openvpn[90005]: xxxxxxxxxxxx:1194 TLS Error: TLS object -> incoming plaintext read error
    Jul 11 12:14:16 openvpn[90005]: xxxxxxxxxxxx:1194 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
    Jul 11 12:14:13 openvpn[90005]: xxxxxxxxxxxx:1194 Re-using SSL/TLS context


Log in to reply