OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of z3rb3rus »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - z3rb3rus

Pages: [1]
1
General Discussion / Re: [Solved] HAProxy Error on Client Cert with CRL (SSL_ERROR_UNKNOWN_CA_ALERT)
« on: June 07, 2024, 06:47:42 pm »
Now i tested it with self signed certificates from OPNsense and it worked to.
The secret is to have a crl for all root and intermediate certificates.
All these crl's have to chosen in the public service.

2
General Discussion / Re: HAProxy Error on Client Certification with CRL (SSL_ERROR_UNKNOWN_CA_ALERT)
« on: June 02, 2024, 10:29:05 pm »
Sorry i forgot to mention, that you have to select all the crl's under the public service. For the CA the last intermediate ca is enough.

3
General Discussion / Re: HAProxy Error on Client Certification with CRL (SSL_ERROR_UNKNOWN_CA_ALERT)
« on: June 02, 2024, 10:26:34 pm »
After a lot of trying and many night shifts here is me interim result.
Actual i manage my certificate chain with xca. But if i have more than on CA (intermediate CA's) in this chain the described error will be back.
Now i found a hint in the internet that said i have to create a crl for all intermediate ca's and the root ca in the chain. i tried this with my xca certificate setup and it seems to be working.
As next step i try this with my OPNsense cert chain.
If this will also work i come back to report.
Unfortunately, I don't have much time for such tests in the near future.
I hope this discovery help other people not spend so much time...

4
General Discussion / Re: HAProxy Error on Client Certification with CRL (SSL_ERROR_UNKNOWN_CA_ALERT)
« on: May 20, 2024, 09:39:31 pm »
Man you are right. I got grey hairs on this.  :D
I make a quick try this evening. If i manage the root ca and the cert and the crl external everything work as expected. I can revoke certificates and so on. The strange thing if i import the root ca and his key to OPNSense create an cert in OPNSense, create the crl in OPNSense and put the created cert on the crl nothing happens. The cert still works?!? I think there is a strange error in the crl handling on OPNSense.
In the next days i try to manage my full setup of certificates external and come back to report my experience.
Many thanks you saved my day. :)

5
General Discussion / Re: HAProxy Error on Client Certification with CRL (SSL_ERROR_UNKNOWN_CA_ALERT)
« on: May 20, 2024, 09:08:30 am »
Quote from: netnut on May 20, 2024, 12:27:45 am
Did you create both Root and Intermediate in OPNsense : System : Trust ?
I create both certificates as self signed certificate in OPNsense Trust. For the CRL i use the function of OPNsense Trust too.
What I noticed is if i create the CRL or put an Selfsigned Cert on this CRL it takes quite a while (min 30s) for the site to respond.

Quote from: netnut on May 20, 2024, 12:27:45 am
Does the client present it's certificate _with_ the intermediate combined (ie. both certs in single pem file) ?
I don't know if my client (firefox) present the certificate in this way. How can i check this?
For the client certificate i use the export on the OPNsense Trust.
I use the function export ca+user cert+user key in p12 format. So i think the client has all necessary information to send the cert in the right way.
If i don't use the CRL in HAProxy the certificates works fine for the authentication.

6
General Discussion / [Solved] HAProxy Error on Client Cert with CRL (SSL_ERROR_UNKNOWN_CA_ALERT)
« on: May 19, 2024, 05:04:38 pm »
Hello,
i'm new to this forum. I use OPNsense since a long time and have no issues. A half year ago i start with HAProxy and everything went fine unless i start to configure client certifcation.
I have a self signed root certificate and intermediate certificates. I created a client certificate and configure it at HAProxy on the Public Services side. So long everything works as expected. If the client not present the certificate he got an error. With the client certificate the client can visit the site.
In the last step i create in OPNSense a revocation list and use it in my public service. Unfortunatly from this time i got the error SSL_ERROR_UNKNOWN_CA_ALERT and found in the HAProxy log the error "SSL client CA chain cannot be verified".
Now i dive deeper in this error and can't found any solution. I found this post: https://forum.opnsense.org/index.php?topic=34428.0. But he disabled the CRL. This is not working for my purpose. I need the CRL's.
In the shell i tried to check the crl with the command
Code: [Select]
openssl crl -inform DER -noout -in ./662a42402a8970.71895261.crllist And i got the following error message:
Code: [Select]
27251558100992:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:1149:
27251558100992:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:309:Type=X509_CRL
Did anyone get a suggestion how i got this to work?

Have anyone a solution to run HAProxy with client certificates and revocation lists?

Many Tranks in Advance.

Sincerely

Thomas

Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2