24.7.1 openvpn SSL error cerificates are revoked

[c-mu]

Hello,
A colleague installed the update from 24.7 to 24.7.1 during the night. It was this morning when I noticed that the OpenVPN connections can no longer be established. All certificates report "error=cerificate revoked".
We couldn't find any indication of why this was suddenly the case, so I set "Peer Certificate Revocation List = none" in the server instance. Since then the login has been working again.
We are still using the legacy OpenVPN server instances. Did I miss something critical in the changelog?

Code Select Expand

2024-08-16T07:24:54 Error openvpn_server8 <ip-address>:3733 TLS_ERROR: BIO read tls_read_plaintext error
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>:3733 OpenSSL: error:0A000086:SSL routines::certificate verify failed:
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>:3733 VERIFY ERROR: depth=1, error=certificate revoked: C=DE, ST=<city>, L=<city>, O=<org>, emailAddress=<e-mail>, CN=gateway-internal-ca, serial=0
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>:3728 Fatal TLS error (check_tls_errors_co), restarting
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>:3728 TLS Error: TLS handshake failed
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>:3728 TLS Error: TLS object -> incoming plaintext read error
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>:3728 TLS_ERROR: BIO read tls_read_plaintext error
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>:3728 OpenSSL: error:0A000086:SSL routines::certificate verify failed:
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>:3728 VERIFY ERROR: depth=1, error=certificate revoked: C=DE, ST=<city>, L=<city>, O=<org>, emailAddress=<e-mail>, CN=gateway-internal-ca, serial=0
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>41728 Fatal TLS error (check_tls_errors_co), restarting
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>41728 TLS Error: TLS handshake failed
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>41728 TLS Error: TLS object -> incoming plaintext read error
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>41728 TLS_ERROR: BIO read tls_read_plaintext error
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>41728 OpenSSL: error:0A000086:SSL routines::certificate verify failed:
2024-08-16T07:24:54 Error openvpn_server8 <ip-address>41728 VERIFY ERROR: depth=1, error=certificate revoked: C=DE, ST=<city>, L=<city>, O=<org>, emailAddress=<e-mail>, CN=gateway-internal-ca, serial=0
2024-08-16T07:24:53 Error openvpn_server8 <ip-address>:3737 Fatal TLS error (check_tls_errors_co), restarting
2024-08-16T07:24:53 Error openvpn_server8 <ip-address>:3737 TLS Error: TLS handshake failed
2024-08-16T07:24:53 Error openvpn_server8 <ip-address>:3737 TLS Error: TLS object -> incoming plaintext read error
2024-08-16T07:24:53 Error openvpn_server8 <ip-address>:3737 TLS_ERROR: BIO read tls_read_plaintext error
2024-08-16T07:24:53 Error openvpn_server8 <ip-address>:3737 OpenSSL: error:0A000086:SSL routines::certificate verify failed:

[franco]

Well, if you look under System: Trust: Revocation for that CA's CRL are certificates revoked or not?


Cheers,
Franco

[c-mu]

They are note. Thats why I'm wondering what happened...
I will create a new instance (legacy) for testing with all the same settings as the other plus revokation list and try to figure out whats going on.

[TheSnats]

I have exactly the same error, although the certificates are not revoked and are trusted on the client. I have also tried legacy and instances, but unfortunately without success. This applies to the Road-Warrior setup. My S2S connection runs without any problems.

Have you been able to find out anything yet?

[c-mu]

No, my test instanz wont work with Peer Certificate Revocation List. At the moment I dont have any idea how to manage/fix this. I'm thinking about to renew all client certs with a new CA.