Using the OpenVPN Server with the Peer Certificate Revocation List option, the following error is shown in the Log file and no client can authenticate:
'CRL: cannot read CRL from file /var/etc/openvpn/server1.crl-verify'
If I deactivate the CRL-Option in the server settings by setting it to 'none', Clients can connect again without problems.
Hi,
Can you try
# opnsense-patch 2918f0e24
And see if this fixes it for you?
Edit: I should mention you need to regenerate the relevant CRL in order for this change to be picked up.
Cheers,
Stephan
Posting patch link here for reference: https://github.com/opnsense/core/commit/2918f0e24
Thank you for your reply, I tried the patch and regenerated the CRL but no luck.
The error is still the same.
Edit:
Additional there is a new error shown in the Log:
'OpenSSL: error:0909006C:PEM routines:get_name:no start line'
If you open the CRL file, is there anything malformed in there such as stray newlines, carriage returns, missing dashes etc.? At least the OpenSSL error seems to hint at that.
The system generated the 'server1.crl-verify' file as a zero-byte file.
I don't have any revoked certificates at the moment, so I expected an empty file as well.
Should the file contain data, even without revoked certificates?
Yes, it should and that's why it fails. Can you try adding a certificate for testing purposes? (It can be removed again with no harm to the CRL.)
Cheers,
Franco
I tried but couldn't produce an empty file with an empty revocation list. It properly generates a CRL file as it should.
Cheers,
Franco
The only way I can reproduce "OpenSSL: error:0909006C" with a zero-size .crl-verify is by creating a revocation list for an external CA (without private key) and adding it as a "Peer Certificate Revocation List" in the OpenVPN server config.
(It might be worth taking this into account (creating (not importing) a revocation list for a CA without the private key) when validating?)
Weird behavior - if I revoke a certificate via GUI, the timestamp of the file changes to the current date and time but the file itself remains empty.
The content of the '/var/etc/openvpn' directory is shown as follows:
-rw------- 1 root wheel 956B Aug 6 10:35 server1.ca
-rw------- 1 root wheel 1.2K Aug 6 10:35 server1.cert
-rw------- 1 root wheel 1.3K Aug 6 10:35 server1.conf
-rw------- 1 root wheel 0B Aug 6 10:35 server1.crl-verify
-rw------- 1 root wheel 227B Aug 6 10:35 server1.key
srwxrwxrwx 1 root wheel 0B Aug 6 10:35 server1.sock
-rw------- 1 root wheel 636B Aug 6 10:35 server1.tls-auth
I can do whatever I want, the only thing that changes regarding the 'server1.crl-verify' file is the timestamp. :o
Is the CA for this list internal or external (is the private key of this authority specified)?
The CA is internal with a self-signed certificate and the certificate private key exists in the CA properties.
For testing purposes I created a completely new CA with a corresponding CRL.
Using the new setup, the behavior is still the same - the system creates a zero-byte '.crl-verify' file.
thanks!
I think validateSignature() can return a mixed value and should be checked differently:
https://github.com/opnsense/core/blob/edcc29ab5cdc5c6e8ea9a656a13ffdfb1ec67db7/src/etc/inc/certs.inc#L638
I'll try to check.. <- my mistake
@coolmint
Quote: Using the new setup, the behavior is still the same - the system creates a zero-byte '.crl-verify' file.
Any chance that you forgot to change "Peer Certificate Revocation List" in the OpenVPN server config? )
If you are willing to help sort out the reasons, can you try again (create a CRL and add a certificate to it) after:
opnsense-patch -a kulikov-a 91e13ae
?
Any errors adding the cert to the CRL? Is the CRL valid if you download it via GUI? Any errors in the General log?
Quote from: Fright on August 07, 2022, 09:30:08 AM
@coolmint
Quote: Using the new setup, the behavior is still the same - the system creates a zero-byte '.crl-verify' file.
Any chance that you forgot to change "Peer Certificate Revocation List" in the OpenVPN server config? )
That would have been nice, but no - I changed both, the new Peer Certificate Authority and the Peer Certificate Revocation List in the VPN server configuration before testing.
Quote from: Fright on August 07, 2022, 09:30:08 AM
If you are willing to help sort out the reasons, can you try again (create a CRL and add a certificate to it) after:
opnsense-patch -a kulikov-a 91e13ae
?
Any errors adding the cert to the CRL? Is the CRL valid if you download it via GUI? Any errors in the General log?
I applied the patch, created a new CA, a new Cert and a CRL (and adjusted the VPN-Server config).
If I now try to revoke the Cert, I get the following message:
Cannot revoke certificate. See general log for details.
The general log shows:
2022-08-07T20:18:43 Error opnsense Cert revocation error: CRL validation failed at first step.
The '.crl-verify' file still remains empty.
I can export the CRL file (no errors are shown here) and open it (it's - as expected - empty).
Thanks!
At least:
- the certificate is no longer added to the revocation list
- we know the step at which the error occurs
Unfortunately phpseclib does not provide any debugging info (at least I did not find it in the docs) about the reasons for a failed signature verification. Is it possible for you to share the certificates (without private keys) of the CA and the client (perhaps phpseclib does not like one of the fields)? I will try to reproduce.
Thanks!
I did some more tests today - I noticed the following:
If I use the ECDSA algorithm when creating the CA, I cannot revoke any certificates afterwards - the familiar error message appears.
However, if the CA is created with the RSA algorithm, everything works as it should - no errors, I can add certificates to the CRL.
It also doesn't matter how the client certificate was created (RSA or ECDSA) - it depends on how the CA was created.
If I now use the new (RSA generated) CA in the VPN server configuration, the '.crl-verify' file is also filled accordingly and no more errors appear in the OpenVPN log.
The system cannot work with the CA certificate which was generated using the Elliptic Curve Digital Signature Algorithm (ECDSA).
Ah. I think phpseclib > 3.0 supports algorithms other than RSA. OPN uses phpseclib 2.0.37 for now.
https://github.com/phpseclib/phpseclib/blob/master/CHANGELOG.md#300---2020-12-16
So all we can do now is check the key type and throw an error if the key type is not RSA?
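The two checks this thread circles around (is the generated '.crl-verify' file empty or malformed, as asked earlier when the 'no start line' error appeared, and which key type signed the CRL, as proposed just above) can both be done offline before OpenVPN ever reads the file. The following Python script is an added example written for this thread, not OPNsense code and not phpseclib: it inspects a PEM CRL with only the standard library, reports the zero-byte and malformed-PEM cases OpenSSL would reject, and walks just enough DER to read the signature algorithm OID from tbsCertList and map it to RSA or EC. The OID table, the `make_fixture_crl()` builder (a skeleton CRL with a dummy signature, constructed purely as test input) and all function names are my own assumptions.

```python
import base64

# Signature algorithm OIDs commonly found on CRLs, mapped to the key type
# that signed them. Assumed table for this example; extend as needed.
SIG_OIDS = {
    "1.2.840.113549.1.1.5": ("RSA", "sha1WithRSAEncryption"),
    "1.2.840.113549.1.1.11": ("RSA", "sha256WithRSAEncryption"),
    "1.2.840.113549.1.1.12": ("RSA", "sha384WithRSAEncryption"),
    "1.2.840.113549.1.1.13": ("RSA", "sha512WithRSAEncryption"),
    "1.2.840.10045.4.3.2": ("EC", "ecdsa-with-SHA256"),
    "1.2.840.10045.4.3.3": ("EC", "ecdsa-with-SHA384"),
    "1.2.840.10045.4.3.4": ("EC", "ecdsa-with-SHA512"),
}

PEM_HEADER = "-----BEGIN X509 CRL-----"
PEM_FOOTER = "-----END X509 CRL-----"


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode DER OID content bytes into dotted notation."""
    parts = [str(raw[0] // 40), str(raw[0] % 40)]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def check_crl_pem(text):
    """Pre-flight check of a PEM CRL as OpenVPN's crl-verify would load it.

    Returns a dict with 'ok', 'reason' and, on success, 'key_type'/'sig_alg'.
    """
    if len(text) == 0:
        return {"ok": False, "reason": "zero-byte file"}
    if "\r" in text:
        return {"ok": False, "reason": "carriage returns present"}
    lines = text.strip().split("\n")
    if lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        # This is the case OpenSSL reports as 'PEM routines ... no start line'.
        return {"ok": False, "reason": "missing or malformed PEM header/footer"}
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except ValueError:
        return {"ok": False, "reason": "body is not valid base64"}
    try:
        # CertificateList ::= SEQUENCE { tbsCertList, signatureAlgorithm, signatureValue }
        tag, cert_list, _ = _read_tlv(der, 0)
        if tag != 0x30:
            return {"ok": False, "reason": "DER does not start with SEQUENCE"}
        tag, tbs, _ = _read_tlv(cert_list, 0)
        # TBSCertList ::= SEQUENCE { version INTEGER OPTIONAL, signature AlgorithmIdentifier, ... }
        tag, first, nxt = _read_tlv(tbs, 0)
        if tag == 0x02:  # optional version present, skip it
            tag, first, nxt = _read_tlv(tbs, nxt)
        tag, oid_raw, _ = _read_tlv(first, 0)  # AlgorithmIdentifier ::= SEQUENCE { OID, params }
        if tag != 0x06:
            return {"ok": False, "reason": "signature AlgorithmIdentifier has no OID"}
    except IndexError:
        return {"ok": False, "reason": "truncated DER"}
    oid = _decode_oid(oid_raw)
    key_type, name = SIG_OIDS.get(oid, ("unknown", oid))
    return {"ok": True, "reason": "", "key_type": key_type, "sig_alg": name}


# ---- constructed fixture: a skeleton CRL with a dummy signature, test input only ----
_OID_DER = {  # DER content bytes of the two OIDs used by the fixture
    "rsa": bytes.fromhex("2A864886F70D01010B"),  # 1.2.840.113549.1.1.11
    "ec": bytes.fromhex("2A8648CE3D040302"),     # 1.2.840.10045.4.3.2
}


def _tlv(tag, body):
    """Encode a TLV; short-form length is enough for this small fixture."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def make_fixture_crl(kind):
    """Build a minimal CertificateList DER signed (nominally) with RSA or EC."""
    params = b"\x05\x00" if kind == "rsa" else b""  # RSA carries NULL params, ECDSA none
    alg = _tlv(0x30, _tlv(0x06, _OID_DER[kind]) + params)
    tbs = _tlv(0x30, b"\x02\x01\x01" + alg + b"\x30\x00" + _tlv(0x17, b"220806103500Z"))
    return _tlv(0x30, tbs + alg + b"\x03\x02\x00\x00")  # dummy BIT STRING signature


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return PEM_HEADER + "\n" + body + "\n" + PEM_FOOTER + "\n"


if __name__ == "__main__":
    for kind in ("rsa", "ec"):
        print(kind, check_crl_pem(to_pem(make_fixture_crl(kind))))
    print("empty", check_crl_pem(""))
```

Pointed at a real file, `check_crl_pem(open(path).read())` gives a one-line reason in the same situations this thread hit: the zero-byte '.crl-verify' and the 'no start line' framing problems are caught before OpenVPN logs them, and a 'key_type' of 'EC' flags a CRL that the installed phpseclib 2.0 cannot sign, which is what the proposed key-type check in the patch would refuse up front.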
Yeah, we should be migrating to phpseclib 3 to address this properly.
Thanks to both of you for figuring out the issue. Ticket is welcome.
Cheers,
Franco
@franco got it, thanks!
@coolmint
can you check with
opnsense-patch -a kulikov-a 18e3704
please (with 91e13ae applied)?
Does it add a debug message to the general log for "EC" CA CRLs (RSA should work well)? (Works for me, but it's always good to double check before making a ticket.)
Thanks!
Yep, you are right - the 'phpseclib' currently installed doesn't support EC.
After applying the latest patch, the general log shows the following:
2022-08-09T21:09:06 Error opnsense Cert revocation error: Only RSA key type currently supported for CRL signing.
Great - thank you for your assistance! :)