From: Josh C. <jos...@us...> - 2008-06-25 13:46:48
Sistemas wrote:
> Hi:
>
> I have a problem that I could not find using Google nor the openvpn-user mailing
> list. I've revoked a client certificate using revoke-full:
>
> $ revoke-full fjr001
> Using configuration from /home/sistemas/easy-rsa-2.0/openssl.cnf
> Adding Entry with serial number 02 to DB
> for /C=ES/ST=Malaga/L=Malaga/O=Example, S.L./CN=fjr001/emailAddress=web...@ex...
> Revoking Certificate 02.
> Data Base Updated
> Using configuration from /home/sistemas/easy-rsa-2.0/openssl.cnf
> fjr001.crt: /C=ES/ST=Malaga/L=Malaga/O=Example, S.L./CN=fjr001/emailAddress=web...@ex...
> error 23 at 0 depth lookup:certificate revoked
>
> But when I added "crl-verify crl.pem" to the OpenVPN configuration on the
> server, I found that when I restarted OpenVPN, all the other client
> certificates began to be revoked too:
>
> CRL CHECK OK: /C=ES/ST=Malaga/L=Malaga/O=Ejemplo__S.L./OU=Internet_Services/CN=urano.example.com/emailAddress=sis...@de...
> VERIFY OK: depth=1, /C=ES/ST=Malaga/L=Malaga/O=Ejemplo__S.L./OU=Internet_Services/CN=urano.example.com/emailAddress=sis...@de...
> CRL CHECK FAILED: /C=ES/ST=Malaga/L=Malaga/O=Ejemplo__S.L./CN=gam001/emailAddress=web...@ex... is REVOKED
> TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> TLS Error: TLS object -> incoming plaintext read error
> TLS Error: TLS handshake failed
> SIGUSR1[soft,tls-error] received, client-instance restarting
>
> The only thing that I don't know if it is good practice is that I created each
> certificate doing a clean-all before and putting the ca files in the key
> subdirectory (so index.txt is newly created every time).
>
> Does anybody know where the bug is?

You shouldn't run clean-all unless you want to completely start your PKI over. By running this script prior to each certificate signing you have effectively given all your certs a serial number of 1 but with different common names.

Revoking is handled by serial number, not common name, so revoking the certificate with serial 01 disables all your certificates. The index.txt file is the table that keeps track of the signed certificates. The solution to this problem is to re-issue your certificates to all nodes and do not run clean-all each time. I'd also recommend re-creating your CA since you have signed certificates out there that will no longer correspond to any certificate in the index.txt file.

-- Josh
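The following is an added illustration of the point Josh makes; it is not code from the thread, from easy-rsa or from OpenVPN. It models the two pieces involved: the `index.txt` database (whose `R` entries are what `openssl ca -gencrl` turns into the CRL) and the serial numbers of the certificates actually handed out, as one would read them back from the `.crt` files with `openssl x509 -noout -serial -subject`. All serials, CNs and dates below are constructed sample data. The `crl_check` function emulates only the matching rule Josh describes (rejected if and only if the client's serial is on the CRL), and `duplicate_serials` is the check a PKI operator would run to find out whether a clean-all has ever been repeated against a live CA.

```python
"""Why revoking one serial can lock out every client: a worked model.

Constructed sample data only; no real CA, certificates or CRL are read.
"""
from collections import defaultdict

# index.txt after `revoke-full fjr001` on a PKI where clean-all ran before every
# signing: the database holds only the last certificate, and the CRL will list
# serial 01. Fields are tab-separated: status, expiry, revocation date, serial,
# filename, subject DN (dates are constructed, YYMMDDHHMMSSZ).
INDEX_CLEAN_ALL = (
    "R\t180620120000Z\t080625120000Z\t01\tunknown\t/C=ES/O=Example/CN=fjr001\n"
)

# Serial and CN as read back from the three .crt files that were issued that
# way: every certificate carries serial 01 because the serial file was reset.
ISSUED_CLEAN_ALL = [
    ("01", "urano.example.com"),
    ("01", "fjr001"),
    ("01", "gam001"),
]

# The same three certificates issued from one continuously maintained CA
# database, then fjr001 revoked: serials increment and index.txt keeps all of them.
INDEX_CORRECT = (
    "V\t180620120000Z\t\t01\tunknown\t/C=ES/O=Example/CN=urano.example.com\n"
    "R\t180620120000Z\t080625120000Z\t02\tunknown\t/C=ES/O=Example/CN=fjr001\n"
    "V\t180620120000Z\t\t03\tunknown\t/C=ES/O=Example/CN=gam001\n"
)
ISSUED_CORRECT = [
    ("01", "urano.example.com"),
    ("02", "fjr001"),
    ("03", "gam001"),
]


def parse_index(text):
    """Parse the OpenSSL CA index.txt format into a list of dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError("malformed index.txt line: %r" % line)
        status, expiry, revoked_at, serial, filename, dn = fields
        entries.append({
            "status": status, "expiry": expiry, "revoked_at": revoked_at,
            "serial": serial.upper(), "filename": filename, "dn": dn,
        })
    return entries


def revoked_serials(entries):
    """Serials that a CRL generated from this database would contain (status R)."""
    return {e["serial"] for e in entries if e["status"] == "R"}


def duplicate_serials(issued):
    """Map serial -> CNs for every serial shared by more than one issued cert.

    A non-empty result means revocation by serial cannot single out one client.
    """
    by_serial = defaultdict(list)
    for serial, cn in issued:
        by_serial[serial.upper()].append(cn)
    return {s: cns for s, cns in by_serial.items() if len(cns) > 1}


def crl_check(issued, crl_serials):
    """Emulate the crl-verify decision: reject iff the client's serial is on the CRL.

    The common name plays no part. Returns (accepted CNs, rejected CNs).
    """
    crl = {s.upper() for s in crl_serials}
    accepted, rejected = [], []
    for serial, cn in issued:
        (rejected if serial.upper() in crl else accepted).append(cn)
    return accepted, rejected


if __name__ == "__main__":
    for label, index_text, issued in (
        ("clean-all before every signing", INDEX_CLEAN_ALL, ISSUED_CLEAN_ALL),
        ("one maintained CA database", INDEX_CORRECT, ISSUED_CORRECT),
    ):
        crl = revoked_serials(parse_index(index_text))
        accepted, rejected = crl_check(issued, crl)
        print("%s: CRL=%s duplicates=%s" % (label, sorted(crl), duplicate_serials(issued)))
        print("  accepted: %s" % accepted)
        print("  rejected: %s" % rejected)
```

Running it shows the failure mode from the thread in the first case (every client rejected, with `duplicate_serials` naming all three CNs under serial `01`) and the intended behaviour in the second (only `fjr001` rejected). The duplicate check is the useful part for an operator: because a repeated clean-all also wipes `index.txt`, the database itself cannot reveal the collision, so the serials have to be read from the issued certificates.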