    Revoking user SSL certificate blocks all other users

    OpenVPN

    mpdmlnz

      Hi all

      Running 2.2.5-RELEASE on amd64.

      We have OpenVPN running in Remote Access (SSL/TLS) mode, and this morning I made the unwanted discovery that I cannot revoke a user certificate without locking out all other users.
      Certificates are issued off a stand-alone CA server for the sake of expedience (50+ users), with the CA cert and key installed on the firewall. A user left so I tried importing his certificate into pfSense in order to revoke it. The revocation appeared to be fine, but other users can no longer connect. If I back out the revocation all works again.

      In the logs I see:

      Jan 26 14:30:48 my.firewall openvpn[20657]: TCP connection established with [AF_INET]1.2.3.4:40731
      Jan 26 14:30:43 my.firewall openvpn[20657]: 1.2.3.4:45902 Fatal TLS error (check_tls_errors_co), restarting
      Jan 26 14:30:43 my.firewall openvpn[20657]: 1.2.3.4:45902 TLS Error: TLS handshake failed
      Jan 26 14:30:43 my.firewall openvpn[20657]: 1.2.3.4:45902 TLS Error: TLS object -> incoming plaintext read error
      Jan 26 14:30:43 my.firewall openvpn[20657]: 1.2.3.4:45902 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
      Jan 26 14:30:40 my.firewall openvpn[20657]: TCP connection established with [AF_INET]1.2.3.4:45902

      I have seen https://forum.pfsense.org/index.php?topic=36414.0, which looks similar but involved a zero-length CRL file and that is not happening here.
      I've tried importing other user certificates (because there are so many we don't store them on the firewall) to see if that fixes it, but still no. I've also tried creating the CRL on the CA host and importing it as a new CRL for the VPN but that still fails to change the outcome; and, again, backing out the revocation immediately restores service.

      We don't have TLS packet authentication enabled, but that's the only thing I can see in the server config that might have any kind of bearing on what I'm seeing.

      Have I missed something really obvious?

      jimp (Rebel Alliance Developer, Netgate)

        How exactly did you create your certificates?

        If you generated them all with the same serial number, that would explain why revoking one blocks them all. CRLs work by certificate serial, and if your certificate generation script or system did not give each certificate a unique serial number, then they all will be revoked if you revoke one of them.

        Look at the full cert details from a few of your certs and compare the serials.

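The following script is an added illustration of jimp's point, not part of the thread: it builds a throw-away CA with the openssl command-line tool (the only assumption), issues two user certificates that share a serial number plus one with a unique serial, revokes just one of them, and then runs the same CRL check an OpenVPN server performs. Both certificates with the shared serial are rejected, and the duplicate_serials function is the "compare the serials" check jimp suggests.

```shell
#!/bin/sh
# Added example, not from the thread: reproduces the failure jimp describes.
# Two user certs issued with the same serial are both revoked by one CRL entry.
# Assumes only the openssl command-line tool; every file below is constructed.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Throw-away CA plus the minimal config "openssl ca" needs for CRL work.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=Demo CA" -days 30 2>/dev/null
: > index.txt; echo 01 > crlnumber
printf '%s\n' '[ca]' 'default_ca = demo' '[demo]' 'database = index.txt' \
  'crlnumber = crlnumber' 'certificate = ca.crt' 'private_key = ca.key' \
  'default_md = sha256' 'default_crl_days = 30' > ca.cnf

# Issue a user cert with an explicit serial. A CA script that hands every
# user the same serial is exactly the mistake under discussion.
issue_cert() { # usage: issue_cert <name> <serial>
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -set_serial "$2" \
    -days 30 -out "$1.crt" 2>/dev/null
}

# jimp's check: print the serial of every cert and report any that repeat.
duplicate_serials() { # usage: duplicate_serials cert...
  for c in "$@"; do openssl x509 -noout -serial -in "$c"; done | sort | uniq -d
}

# Revoke one cert and write the CRL, as the stand-alone CA host would.
revoke_and_gencrl() { # usage: revoke_and_gencrl <cert>
  openssl ca -config ca.cnf -revoke "$1" 2>/dev/null
  openssl ca -config ca.cnf -gencrl -crldays 30 -out ca.crl 2>/dev/null
}

# Exit 0 if the cert still validates with CRL checking on (what the OpenVPN
# server does at handshake), non-zero if it is rejected.
cert_ok() { # usage: cert_ok <cert>
  openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl "$1" >/dev/null 2>&1
}

issue_cert alice 0x1001   # the leaver whose cert is to be revoked
issue_cert bob   0x1001   # innocent user sharing the serial (the bug)
issue_cert carol 0x1002   # user with a unique serial
duplicate_serials alice.crt bob.crt carol.crt   # prints: serial=1001
revoke_and_gencrl alice.crt
for u in alice bob carol; do
  if cert_ok "$u.crt"; then echo "$u: accepted"; else echo "$u: rejected"; fi
done
```

Run against the real certificates, only the duplicate_serials step is needed: any line it prints is a serial shared by more than one user, and revoking any one of those certificates takes the others down with it.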