Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    No way to revoke certs?

    Scheduled Pinned Locked Moved
    OpenVPN
    4
    10
    9.1k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      playerone
      last edited by

      Hi,

      I have searched and found a little bit of talk about revoking certs but the tool referenced "revoke-full" doesn't seem to be anywhere on the pfsense install.

      Am I looking in the wrong place?  Or is there another way to revoke certs?

      Cheers

      P1

      1 Reply Last reply Reply Quote 0
      • Cry HavokC
        Cry Havok
        last edited by

        You would revoke the certs on the same host you created them.  Did you create them on your pfSense host?

        1 Reply Last reply Reply Quote 0
        • P
          playerone
          last edited by

          Yes, created using easyrsa4pfsense on the firewall itself.

          EDIT:

          This is a fresh install of 1.2 with the easyrsa4pfsense scripts from the sticky - no other packages or add-ons installed.

          1 Reply Last reply Reply Quote 0
          • O
            Oroboros
            last edited by

            I'm in the same boat as you. Our keys were created with the easyrsa4pfsense package which is lacking in revocation capabilities.

            I grabbed http://openvpn.net/release/openvpn-2.0.9.tar.gz and tried installing both copies of revoke-full (one is in the 2.0 directory). Regardless, they both fail at:

            
Using configuration from /root/easyrsa4pfsense/openssl.cnf
error on line 145 of config file '/root/easyrsa4pfsense/openssl.cnf'
37670:error:0E065068:configuration file routines:STR_COPY:variable has no 
value:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/conf/conf_def.c:629:line 145

            I'll continue banging away at this, but it's starting to look like I'm going to have to just blow away a few dozen keys and re-create them all from scratch :(

            1 Reply Last reply Reply Quote 0
            • O
              Oroboros
              last edited by

              Well, I think I've hit a stopper. Here's what I worked through:

              1. Line 145 problem is that the environmental variable KEY_OU is missing. I resolved this by adding the following to the end of the "vars" file and re-sourcing it:
              setenv KEY_OU "$KEY_ORG"

              1. Line 148 problem is that the environment variable KEY_CN is missing. I statically defined this at the end of the 'vars' file for testing, since there isn't a similar variable already present that I can find. This gets me past this point.

              2. Line 282 problem is that the environmental variable PKCS11_MODULE_PATH is missing. I resolved this by adding the following to the end of the "vars" file and re-sourcing it:

              setenv PKCS11_MODULE_PATH "$PKCS11TOOL"
              1. Final stopper problem is ONE FREAKING LINE from the end of openssl.cnf :(
              Using configuration from /root/easyrsa4pfsense/openssl.cnf
error on line 283 of config file '/root/easyrsa4pfsense/openssl.cnf'
38897:error:0E065068:configuration file routines:STR_COPY:variable has no 
value:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/conf/conf_def.c:629:line 283

              That offending line is:

              PIN = $ENV::PKCS11_PIN

              I can't tell what this variable is used for, nor what I should populate it with. I have a feeling if I can get beyond this, I'll have the problem solved.

              1 Reply Last reply Reply Quote 0
              • O
                Oroboros
                last edited by

                Actually, it would appear that variable may be wholly unimportant. From http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn/easy-rsa/2.0/pkitool I see:

                must be set or errors of openssl.cnf

                PKCS11_MODULE_PATH="dummy"
                PKCS11_PIN="dummy"

                So I defined that value, and ran the script (also changing the /bin/bash to /bin/sh at the top). This produces the CRL I'm looking for :)

                HOWEVER

                There seems to be a bug in the implementation of OpenVPN. I have seen this one other time, while making some adjustments to the configuration. The OpenVPN process has been shut down, but the port it was bound was not:

                ps auxwww | grep openvpn

                root  40138  0.0  0.1  348  232  p0  L+  12:56PM  0:00.00 grep openvpn

                netstat -an | grep 1194

                udp4    7106      0  *.1194                .

                AFAIK, the only resolution for this is to reboot the whole pfsense device. I've got a lot of users behind it now, so I won't be able to test out the effects of revocation until later.

                Note that the /root/easyrsa4pfsense/keys/crl.pem contents have to be pasted into the web gui configuration for OpenVPN.

                Here's the final copy of revoke-full, for those who don't want to bother getting it from the tgz archive.

                http://www.rockynet.com/patches/revoke-full.txt

                1 Reply Last reply Reply Quote 0
                • O
                  Oroboros
                  last edited by

                  So, the final changes I see being necessary to /root/easyrsa4pfsense/vars file are:

                  setenv KEY_OU "$KEY_ORG"
                  setenv KEY_CN "you.fqdn.com"
                  setenv PKCS11_MODULE_PATH "$PKCS11TOOL"
                  setenv PKCS11_PIN "dummy"

                  Set KEY_CN to whatever your ca key FQDN is. E.g. openvpn.mydomain.com

                  1 Reply Last reply Reply Quote 0
                  • O
                    Oroboros
                    last edited by

                    After a reboot, I tested out the CRL and confirmed that it fails to connect a client with a revoked certificate. The log entries look like:

                    openvpn[417]: 192.168.1.2:3050 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

                    But other clients still connect successfully.

                    There is one small nagging detail that has me a little concerned, and that's the definition of KEY_CN in the vars file. I should probably generate a new client key and make sure that (or other vars) don't muck anything up.

                    1 Reply Last reply Reply Quote 0
                    • K
                      kpa
                      last edited by

                      What I've learned to do when I have to tinker with the OpenVPN settings is I first disable the tunnel from the config page by checking the disabled option, save settings, change the setting I'm about to change, save settings and finally enable the tunnel again by unchecking the disabled option and save.

                      Hope this helps.

                      1 Reply Last reply Reply Quote 0
                      • P
                        playerone
                        last edited by

                        I'll test this now with creating and revoking certs and see how I go.

                        Good to see I wasn't insane and others couldn't revoke as well!

                        • Update

                        Creating certs works ok, you can't do a ./pkitool on its own now to get the usage message because the CN is now defined in the vars (so it generates a passwordless cert called whatever you set that variable to) but if you define your own CN on the command line it overrides vars.

                        After playing around it seems to revoke the certs but not actually use the CRL?  I tried a few different things stop start service manually add the crl to the config page etc… but cant do a system restart at the moment.

                        What needs to be done to get them to actually be revoked on login?  At the moment they just time out after seemingly verifying ok.  Logs also dont mention revoke.

                        Jul 11 12:15:15 openvpn[90005]: xxxxxxxxxxxx:1194 TLS Error: TLS handshake failed
                        Jul 11 12:15:15 openvpn[90005]: xxxxxxxxxxxx:1194 TLS Error: TLS object -> incoming plaintext read error
                        Jul 11 12:15:15 openvpn[90005]: xxxxxxxxxxxx:1194 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
                        Jul 11 12:15:15 openvpn[90005]: xxxxxxxxxxxx:1194 Re-using SSL/TLS context
                        Jul 11 12:14:16 openvpn[90005]: xxxxxxxxxxxx:1194 TLS Error: TLS handshake failed
                        Jul 11 12:14:16 openvpn[90005]: xxxxxxxxxxxx:1194 TLS Error: TLS object -> incoming plaintext read error
                        Jul 11 12:14:16 openvpn[90005]: xxxxxxxxxxxx:1194 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
                        Jul 11 12:14:13 openvpn[90005]: xxxxxxxxxxxx:1194 Re-using SSL/TLS context

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.