[Solved] HAProxy Error on Client Cert with CRL (SSL_ERROR_UNKNOWN_CA_ALERT)

[z3rb3rus]

Hello,
i'm new to this forum. I use OPNsense since a long time and have no issues. A half year ago i start with HAProxy and everything went fine unless i start to configure client certifcation.
I have a self signed root certificate and intermediate certificates. I created a client certificate and configure it at HAProxy on the Public Services side. So long everything works as expected. If the client not present the certificate he got an error. With the client certificate the client can visit the site.
In the last step i create in OPNSense a revocation list and use it in my public service. Unfortunatly from this time i got the error SSL_ERROR_UNKNOWN_CA_ALERT and found in the HAProxy log the error "SSL client CA chain cannot be verified".
Now i dive deeper in this error and can't found any solution. I found this post: https://forum.opnsense.org/index.php?topic=34428.0. But he disabled the CRL. This is not working for my purpose. I need the CRL's.
In the shell i tried to check the crl with the command

Code: [Select]

openssl crl -inform DER -noout -in ./662a42402a8970.71895261.crllist And i got the following error message:

Code: [Select]

27251558100992:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:1149:
27251558100992:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:/usr/src/crypto/openssl/crypto/asn1/tasn_dec.c:309:Type=X509_CRL
Did anyone get a suggestion how i got this to work?

Have anyone a solution to run HAProxy with client certificates and revocation lists?

Many Tranks in Advance.

Sincerely

Thomas

[netnut]

I have a self signed root certificate and intermediate certificates.

Did you create both Root and Intermediate in OPNsense : System : Trust ?

Does the client present it's certificate _with_ the intermediate combined (ie. both certs in single pem file) ?

Something like:

Code: [Select]

-----BEGIN CERTIFICATE-----
Client Certificate
 -----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate CA Certificate
 -----END CERTIFICATE-----


[z3rb3rus]

Did you create both Root and Intermediate in OPNsense : System : Trust ?

I create both certificates as self signed certificate in OPNsense Trust. For the CRL i use the function of OPNsense Trust too.
What I noticed is if i create the CRL or put an Selfsigned Cert on this CRL it takes quite a while (min 30s) for the site to respond.

Does the client present it's certificate _with_ the intermediate combined (ie. both certs in single pem file) ?

I don't know if my client (firefox) present the certificate in this way. How can i check this?
For the client certificate i use the export on the OPNsense Trust.
I use the function export ca+user cert+user key in p12 format. So i think the client has all necessary information to send the cert in the right way.
If i don't use the CRL in HAProxy the certificates works fine for the authentication.

[netnut]

I create both certificates as self signed certificate in OPNsense Trust. For the CRL i use the function of OPNsense Trust too.

The OPNsense Trust store isn't by default capable of creating Authoritative certificate chains internally (Root + Intermediate), you will see duplicate Authority & Subject Key Identifiers.

What you could do, which is recommended anyway, is to create the Root certificate outside of OPNsense. After that also create the Intermediate CA externally and import both in the OPNsense Trust store. For the Root only the certificate, for the Intermediate you can choose to only import the certificate which requires you to do all certificate management externally. If you import the Intermediate with both certificate & key, you can manage all certificates below this Intermediate from the Trust store in OPNsense, which is probably the most practical.

I can highly recommend XCA for easy certificate management: https://hohnstaedt.de/xca


If you like to test fast & simple create a more simple PKI setup from the OPNsense Trust menu, with a single Root CA and no Intermediate and the client/server directly below the Root. Debug the setup from here and only if this works go to the next level and create (external) Root + Intermediate as explained above.

I don't know if my client (firefox) present the certificate in this way. How can i check this?
For the client certificate i use the export on the OPNsense Trust.
I use the function export ca+user cert+user key in p12 format. So i think the client has all necessary information to send the cert in the right way.

That export contains the cert, key and Intermediate, not the Root (see point above), did you import the Root CA manually in Firefox ? If you imported the Root manually in Firefox and the p12 you should be ok from the client side. You can check the Firefox certificate settings to see if both are there (see pic).

[z3rb3rus]

Man you are right. I got grey hairs on this. 
I make a quick try this evening. If i manage the root ca and the cert and the crl external everything work as expected. I can revoke certificates and so on. The strange thing if i import the root ca and his key to OPNSense create an cert in OPNSense, create the crl in OPNSense and put the created cert on the crl nothing happens. The cert still works?!? I think there is a strange error in the crl handling on OPNSense.
In the next days i try to manage my full setup of certificates external and come back to report my experience.
Many thanks you saved my day.

[z3rb3rus]

After a lot of trying and many night shifts here is me interim result.
Actual i manage my certificate chain with xca. But if i have more than on CA (intermediate CA's) in this chain the described error will be back.
Now i found a hint in the internet that said i have to create a crl for all intermediate ca's and the root ca in the chain. i tried this with my xca certificate setup and it seems to be working.
As next step i try this with my OPNsense cert chain.
If this will also work i come back to report.
Unfortunately, I don't have much time for such tests in the near future.
I hope this discovery help other people not spend so much time...

[z3rb3rus]

Sorry i forgot to mention, that you have to select all the crl's under the public service. For the CA the last intermediate ca is enough.

[z3rb3rus]

Now i tested it with self signed certificates from OPNsense and it worked to.
The secret is to have a crl for all root and intermediate certificates.
All these crl's have to chosen in the public service.