Sistemas wrote:
Hi:

I've a problem that I could not find using Google nor the openvpn-user mailing list. I've revoked a client certificate using revoke-full:

    $ revoke-full fjr001
    Using configuration from /home/sistemas/easy-rsa-2.0/openssl.cnf
    Adding Entry with serial number 02 to DB for /C=ES/ST=Malaga/L=Malaga/O=Example, S.L./CN=fjr001/emailAddress=webmas...@example.com
    Revoking Certificate 02.
    Data Base Updated
    Using configuration from /home/sistemas/easy-rsa-2.0/openssl.cnf
    fjr001.crt: /C=ES/ST=Malaga/L=Malaga/O=Example, S.L./CN=fjr001/emailAddress=webmas...@example.com
    error 23 at 0 depth lookup:certificate revoked

But when I added "crl-verify crl.pem" to the OpenVPN configuration in the server, I found that when I restarted OpenVPN, all the other client certificates began to be revoked too:

    CRL CHECK OK: /C=ES/ST=Malaga/L=Malaga/O=Ejemplo__S.L./OU=Internet_Services/CN=urano.example.com/emailAddress=siste...@dedaloingenieros.com
    VERIFY OK: depth=1, /C=ES/ST=Malaga/L=Malaga/O=Ejemplo__S.L./OU=Internet_Services/CN=urano.example.com/emailAddress=siste...@dedaloingenieros.com
    CRL CHECK FAILED: /C=ES/ST=Malaga/L=Malaga/O=Ejemplo__S.L./CN=gam001/emailAddress=webmas...@example.com is REVOKED
    TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
    TLS Error: TLS object -> incoming plaintext read error
    TLS Error: TLS handshake failed
    SIGUSR1[soft,tls-error] received, client-instance restarting

The only thing that I don't know if it is good practice is that I created each certificate doing a clean-all before and putting the ca files in the key subdirectory (so index.txt is newly created every time).

Does anybody know where the bug is?
You shouldn't run clean-all unless you want to completely start your PKI over. By running this script prior to each certificate signing you have effectively given all your certs a serial number of 1 but with different common names. Revoking is handled by serial number, not common name, so revoking a certificate with serial 01 disables all your certificates. The index.txt file is the table that keeps track of the signed certificates.
The solution to this problem is to re-issue your certificates to all nodes and do not run clean-all each time. I'd also recommend re-creating your CA since you have signed certificates out there that will no longer correspond to any certificate in the index.txt file.
-- Josh
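Josh's explanation above, as an added example that is not part of the thread or of easy-rsa/OpenVPN itself: a small Python model of the CA database (the serial file and index.txt that clean-all recreates) and of the crl-verify decision, which matches on issuer plus serial and never looks at the CN. The issuer DN, subjects, serial numbering and the simplified revoke behaviour are assumptions constructed for this example; index.txt lines are built in the column layout OpenSSL's ca(1) writes.

```python
from dataclasses import dataclass, field

# Constructed issuer DN for the example CA (not from the thread).
CA_DN = "/C=ES/ST=Malaga/L=Malaga/O=Example, S.L./CN=Example CA"


@dataclass(frozen=True)
class Cert:
    issuer: str
    serial: str    # hex string as OpenSSL prints it, e.g. "01"
    subject: str


@dataclass
class CaDatabase:
    """Stand-in for easy-rsa's keys/ directory: the 'serial' file and index.txt."""
    next_serial: int = 1                          # easy-rsa's clean-all seeds 'serial' with 01
    index: list = field(default_factory=list)     # one line per cert, index.txt columns

    def sign(self, subject):
        """Like 'openssl ca': consume the next serial and record the cert in index.txt."""
        serial = f"{self.next_serial:02X}"
        self.next_serial += 1
        # columns: status, expiry, revocation date, serial, filename, subject
        self.index.append(f"V\t300101000000Z\t\t{serial}\tunknown\t{subject}")
        return Cert(CA_DN, serial, subject)

    def clean_all(self):
        """What clean-all does to the database: index.txt and serial start over."""
        self.index = []
        self.next_serial = 1

    def revoke(self, cert):
        """Simplified 'openssl ca -revoke': the entry is located by serial, never by CN.
        If the serial is not in index.txt, an entry is added for it (as in the
        'Adding Entry with serial number ... to DB' message in the thread)."""
        for i, line in enumerate(self.index):
            status, expiry, revoked, serial, fname, subject = line.split("\t")
            if serial == cert.serial:
                self.index[i] = f"R\t{expiry}\t240101000000Z\t{serial}\t{fname}\t{subject}"
                return
        self.index.append(f"R\t300101000000Z\t240101000000Z\t{cert.serial}\tunknown\t{cert.subject}")

    def crl(self):
        """Like 'openssl ca -gencrl': the CRL is the set of (issuer, serial) with status R."""
        return {(CA_DN, line.split("\t")[3]) for line in self.index if line.startswith("R\t")}


def crl_check(cert, crl):
    """OpenVPN crl-verify decision: revoked iff the cert's (issuer, serial) is on the CRL."""
    return "REVOKED" if (cert.issuer, cert.serial) in crl else "OK"


def issue_clients(db, subjects, clean_all_each_time):
    """Issue one cert per subject, optionally running clean-all before each signing."""
    certs = []
    for subj in subjects:
        if clean_all_each_time:
            db.clean_all()        # resets the serial, so every client gets serial 01
        certs.append(db.sign(subj))
    return certs


def simulate(clean_all_each_time):
    """Issue three clients, revoke only fjr001, and report each client's crl-verify result."""
    db = CaDatabase()
    subjects = [f"/C=ES/ST=Malaga/O=Example, S.L./CN={cn}" for cn in ("fjr001", "gam001", "xyz001")]
    certs = issue_clients(db, subjects, clean_all_each_time)
    db.revoke(certs[0])           # revoke fjr001 only
    crl = db.crl()
    return {c.subject.rsplit("CN=", 1)[1]: crl_check(c, crl) for c in certs}


if __name__ == "__main__":
    print("clean-all before each signing:", simulate(clean_all_each_time=True))
    print("single CA database:            ", simulate(clean_all_each_time=False))
```

With clean-all before every signing, all three clients carry serial 01, so the CRL entry for fjr001 matches gam001 and xyz001 as well; with one persistent database the serials are 01, 02, 03 and only fjr001 is rejected. The fix is the one Josh gives: keep a single index.txt and serial file for the life of the CA, and re-issue the certificates that were signed under a reset database.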