Dear OPNSense community,
We use a dedicated machine without network connectivity to create and revoke OpenVPN certificates. Up to version 22.1 our workflow was always to generate crl.pem on the off-line machine and manually upload it to the OPNSense gateway.
With 22.7, when going to System => Trust => Revocation and clicking on edit of an existing CRL, there is no option to update its content. See attached picture. The workaround seems to be to import a new CRL, then modify the OpenVPN to use that new CRL, and then delete the old one.
It was much easier, when we could just edit the existing one. Any hints?
Thanks,
Radek
> there is no option to update its content.
I'm not sure what you mean: there is a selection for a certificate, a status code and a save button. What more do you need?
Cheers,
Franco
Dear Franco,
Thank you for the follow-up and sorry for taking a while to respond. I needed to set up an old version of OPNSense (21.7.1) to be able to tell you how exactly the missing field was called in the older version.
It was called "CRL Data" and you get to it by simply clicking edit on an imported CRL certificate. Please see attached screenshot. It is the field whose content was erased using a red brush.
I hope it is clear what we are missing now. Please let me know if we can help in any way to clarify our issue. It would be really great to have this functionality back.
Thanks,
Radek
Hi Radek,
CRL Data is for imported CRLs. For internal CRLs, you cannot later provide binary blobs but you can edit the certificates included...
Cheers,
Franco
Hi Franco,
I am trying to edit an imported CRL, but could it be that, due to some bug which was introduced in version 22.7, the GUI thinks that this is an internal CRL?
What I am trying to say is that the same steps work perfectly in 21.7 but do not work in 22.7.
Thanks,
Radek
looks like missed parentheses at
https://github.com/opnsense/core/blob/7333aa9c40e5c9d74e47b80b85a59014283369d2/src/etc/inc/certs.inc#L666
so all crls treated as internal
will check
Hi Fright,
This could easily be - thank you so so much for looking into it!!! Let me know, if you want me to test on 22.7.5 which does not contain https://github.com/opnsense/core/commit/c3040290ecdff9d4faa92bd3af933427cdd3f756 which is adding the line you mentioned.
Thanks,
Radek
Hi Radek,
Looks like @AdSchellevis never rests, so you can try to check with
opnsense-patch 5cd36a1
;)
Nice catch, thanks. This patch will be added to 22.7.9 of course.
Cheers,
Franco
Dear Fright, Franco and AdSchellevis,
You made my day. I just tested opnsense-patch 5cd36a1
and it WORKS AGAIN!!!
THANK YOU,
Radek
Well, sorry about that. We will be more careful with such PHP 8 warning fixes in the future.
Suffice to say, the semantics around ?? are a bit strange, but parentheses make it easier to read as well.
Cheers,
Franco
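The operator-precedence pitfall discussed in this thread, as an added example that is not part of the original posts and is not OPNsense code: in PHP, `??` binds more loosely than `==`, so without parentheses the expression returns the stored value itself rather than the result of the comparison. The `method` key, the function names and the sample records are assumptions made for illustration.

```php
<?php
// Added illustration; not OPNsense code. The 'method' key, the function
// names and the sample records are constructed for this example.

// Buggy: PHP parses this as $crl['method'] ?? ('' == 'internal').
// Whenever 'method' is set, the expression yields that string itself,
// and any non-empty string casts to true.
function is_internal_buggy(array $crl): bool
{
    return (bool)($crl['method'] ?? '' == 'internal');
}

// Fixed: the parentheses force the null-coalesce first, then the compare.
function is_internal_fixed(array $crl): bool
{
    return ($crl['method'] ?? '') == 'internal';
}

// Constructed sample records covering the three cases that matter.
$samples = [
    'internal CRL'                 => ['method' => 'internal'],
    'imported CRL'                 => ['method' => 'existing'],
    'legacy entry without the key' => [],
];

foreach ($samples as $label => $crl) {
    printf(
        "%-30s buggy=%-5s fixed=%s\n",
        $label,
        var_export(is_internal_buggy($crl), true),
        var_export(is_internal_fixed($crl), true)
    );
}
```

Only the imported record differs between the two functions: the unparenthesized check classifies it as internal, which matches the symptom reported above.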