Messages

Now i tested it with self signed certificates from OPNsense and it worked to.
The secret is to have a crl for all root and intermediate certificates.
All these crl's have to chosen in the public service.

Sorry i forgot to mention, that you have to select all the crl's under the public service. For the CA the last intermediate ca is enough.

After a lot of trying and many night shifts here is me interim result.
Actual i manage my certificate chain with xca. But if i have more than on CA (intermediate CA's) in this chain the described error will be back.
Now i found a hint in the internet that said i have to create a crl for all intermediate ca's and the root ca in the chain. i tried this with my xca certificate setup and it seems to be working.
As next step i try this with my OPNsense cert chain.
If this will also work i come back to report.
Unfortunately, I don't have much time for such tests in the near future.
I hope this discovery help other people not spend so much time...

Man you are right. I got grey hairs on this.  :D
I make a quick try this evening. If i manage the root ca and the cert and the crl external everything work as expected. I can revoke certificates and so on. The strange thing if i import the root ca and his key to OPNSense create an cert in OPNSense, create the crl in OPNSense and put the created cert on the crl nothing happens. The cert still works?!? I think there is a strange error in the crl handling on OPNSense.
In the next days i try to manage my full setup of certificates external and come back to report my experience.
Many thanks you saved my day. :)

Did you create both Root and Intermediate in OPNsense : System : Trust ?

I create both certificates as self signed certificate in OPNsense Trust. For the CRL i use the function of OPNsense Trust too.
What I noticed is if i create the CRL or put an Selfsigned Cert on this CRL it takes quite a while (min 30s) for the site to respond.

Does the client present it's certificate _with_ the intermediate combined (ie. both certs in single pem file) ?

I don't know if my client (firefox) present the certificate in this way. How can i check this?
For the client certificate i use the export on the OPNsense Trust.
I use the function export ca+user cert+user key in p12 format. So i think the client has all necessary information to send the cert in the right way.
If i don't use the CRL in HAProxy the certificates works fine for the authentication.

[SSL_ERROR_UNKNOWN_CA_ALERT]

Hello,
i'm new to this forum. I use OPNsense since a long time and have no issues. A half year ago i start with HAProxy and everything went fine unless i start to configure client certifcation.
I have a self signed root certificate and intermediate certificates. I created a client certificate and configure it at HAProxy on the Public Services side. So long everything works as expected. If the client not present the certificate he got an error. With the client certificate the client can visit the site.
In the last step i create in OPNSense a revocation list and use it in my public service. Unfortunatly from this time i got the error SSL_ERROR_UNKNOWN_CA_ALERT and found in the HAProxy log the error "SSL client CA chain cannot be verified".
Now i dive deeper in this error and can't found any solution. I found this post: https://forum.opnsense.org/index.php?topic=34428.0. But he disabled the CRL. This is not working for my purpose. I need the CRL's.
In the shell i tried to check the crl with the command

Code Select Expand

openssl crl -inform DER -noout -in ./662a42402a8970.71895261.crllist And i got the following error message:

Code Select Expand

27251558100992:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:1149:
27251558100992:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:309:Type=X509_CRL

Did anyone get a suggestion how i got this to work?

Have anyone a solution to run HAProxy with client certificates and revocation lists?

Many Tranks in Advance.

Sincerely

Thomas