No way to revoke certs?
I have searched and found a little bit of talk about revoking certs but the tool referenced "revoke-full" doesn't seem to be anywhere on the pfsense install.
Am I looking in the wrong place? Or is there another way to revoke certs?
Cry Havok last edited by
You would revoke the certs on the same host you created them. Did you create them on your pfSense host?
Yes, created using easyrsa4pfsense on the firewall itself.
This is a fresh install of 1.2 with the easyrsa4pfsense scripts from the sticky - no other packages or add-ons installed.
I'm in the same boat as you. Our keys were created with the easyrsa4pfsense package which is lacking in revocation capabilities.
I grabbed http://openvpn.net/release/openvpn-2.0.9.tar.gz and tried installing both copies of revoke-full (one is in the 2.0 directory). Regardless, they both fail at:
Using configuration from /root/easyrsa4pfsense/openssl.cnf error on line 145 of config file '/root/easyrsa4pfsense/openssl.cnf' 37670:error:0E065068:configuration file routines:STR_COPY:variable has no value:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/conf/conf_def.c:629:line 145
I'll continue banging away at this, but it's starting to look like I'm going to have to just blow away a few dozen keys and re-create them all from scratch :(
Well, I think I've hit a stopper. Here's what I worked through:
- Line 145 problem is that the environmental variable KEY_OU is missing. I resolved this by adding the following to the end of the "vars" file and re-sourcing it:
setenv KEY_OU "$KEY_ORG"
Line 148 problem is that the environment variable KEY_CN is missing. I statically defined this at the end of the 'vars' file for testing, since there isn't a similar variable already present that I can find. This gets me past this point.
Line 282 problem is that the environmental variable PKCS11_MODULE_PATH is missing. I resolved this by adding the following to the end of the "vars" file and re-sourcing it:
setenv PKCS11_MODULE_PATH "$PKCS11TOOL"
- Final stopper problem is ONE FREAKING LINE from the end of openssl.cnf :(
Using configuration from /root/easyrsa4pfsense/openssl.cnf error on line 283 of config file '/root/easyrsa4pfsense/openssl.cnf' 38897:error:0E065068:configuration file routines:STR_COPY:variable has no value:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/conf/conf_def.c:629:line 283
That offending line is:
PIN = $ENV::PKCS11_PIN
I can't tell what this variable is used for, nor what I should populate it with. I have a feeling if I can get beyond this, I'll have the problem solved.
Actually, it would appear that variable may be wholly unimportant. From http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn/easy-rsa/2.0/pkitool I see:
So I defined that value, and ran the script (also changing the /bin/bash to /bin/sh at the top). This produces the CRL I'm looking for :)
There seems to be a bug in the implementation of OpenVPN. I have seen this one other time, while making some adjustments to the configuration. The OpenVPN process has been shut down, but the port it was bound was not:
root 40138 0.0 0.1 348 232 p0 L+ 12:56PM 0:00.00 grep openvpn
udp4 7106 0 *.1194 .
AFAIK, the only resolution for this is to reboot the whole pfsense device. I've got a lot of users behind it now, so I won't be able to test out the effects of revocation until later.
Note that the /root/easyrsa4pfsense/keys/crl.pem contents have to be pasted into the web gui configuration for OpenVPN.
Here's the final copy of revoke-full, for those who don't want to bother getting it from the tgz archive.
So, the final changes I see being necessary to /root/easyrsa4pfsense/vars file are:
setenv KEY_OU "$KEY_ORG"
setenv KEY_CN "you.fqdn.com"
setenv PKCS11_MODULE_PATH "$PKCS11TOOL"
setenv PKCS11_PIN "dummy"
Set KEY_CN to whatever your ca key FQDN is. E.g. openvpn.mydomain.com
After a reboot, I tested out the CRL and confirmed that it fails to connect a client with a revoked certificate. The log entries look like:
openvpn: 192.168.1.2:3050 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
But other clients still connect successfully.
There is one small nagging detail that has me a little concerned, and that's the definition of KEY_CN in the vars file. I should probably generate a new client key and make sure that (or other vars) don't muck anything up.
What I've learned to do when I have to tinker with the OpenVPN settings is I first disable the tunnel from the config page by checking the disabled option, save settings, change the setting I'm about to change, save settings and finally enable the tunnel again by unchecking the disabled option and save.
Hope this helps.
I'll test this now with creating and revoking certs and see how I go.
Good to see I wasn't insane and others couldn't revoke as well!
Creating certs works ok, you can't do a ./pkitool on its own now to get the usage message because the CN is now defined in the vars (so it generates a passwordless cert called whatever you set that variable to) but if you define your own CN on the command line it overrides vars.
After playing around it seems to revoke the certs but not actually use the CRL? I tried a few different things stop start service manually add the crl to the config page etc… but cant do a system restart at the moment.
What needs to be done to get them to actually be revoked on login? At the moment they just time out after seemingly verifying ok. Logs also dont mention revoke.
Jul 11 12:15:15 openvpn: xxxxxxxxxxxx:1194 TLS Error: TLS handshake failed
Jul 11 12:15:15 openvpn: xxxxxxxxxxxx:1194 TLS Error: TLS object -> incoming plaintext read error
Jul 11 12:15:15 openvpn: xxxxxxxxxxxx:1194 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Jul 11 12:15:15 openvpn: xxxxxxxxxxxx:1194 Re-using SSL/TLS context
Jul 11 12:14:16 openvpn: xxxxxxxxxxxx:1194 TLS Error: TLS handshake failed
Jul 11 12:14:16 openvpn: xxxxxxxxxxxx:1194 TLS Error: TLS object -> incoming plaintext read error
Jul 11 12:14:16 openvpn: xxxxxxxxxxxx:1194 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Jul 11 12:14:13 openvpn: xxxxxxxxxxxx:1194 Re-using SSL/TLS context