Opened 5 years ago

Closed 4 years ago

Last modified 4 years ago

#1142 closed Bug / Defect (notabug)

Cannnot re-issue ovpn config after revoke

Reported by: KarlChilders Owned by: Eric Crist
Priority: major Milestone: release 2.4.4
Component: easy-rsa Version: easyrsa-3.x
Severity: Not set Keywords: revoke, certificate, configuration
Cc:

Description

The problem

I am running an OpenVPN 2.4.4 server using EasyRSA 3 on Ubuntu 18.04. Occasionally, the server IP changes and I need to re-deploy client.ovpn files to clients to reflect that change. In the past, on Ubuntu 16.04, I used EasyRSA 2 to revoke the certificates, then re-issue certificates and client.ovpn files with no problem.

Now, after I revoke, I cannot re-issue to clients because OpenVPN fails the TLS handshake. My workaround is to completely rebuild the CA and re-initialize the OpenVPN server. I would like to target individual clients on a priority basis rather than 'shotgunning' all the clients at once.

OK here's some specifics:

I can provide logs, config files, etc. if that helps. Let me know what you need to help with the answer.

  • I use a VM solely for building client/server certificates and ancillary files. When I am done issuing certificates, I can shut down the VM to avoid outside intrusions.
  • I used the instructions on Digital Ocean as a guide. It should not be a problem that I have the CA and the requestor PKIs on the same machine (which is separate from the OpenVPN server machine).
  • I created two PKI hierarchies on that VM: One is the CA and the other is devoted to creating cert requests plus issuing client.ovpn files.
  • I have tried the procedure when
    • The two hierarchies are completely independent.
    • The requestor hierarchy is a subdir of the CA hierarchy and, thus, share the same vars file.
  • I can successfully create all the required artifacts and create a connection with OpenVPN.
  • I can successfully revoke clients so they cannot connect to the OpenVPN server.
  • I use the easyrsa script to 'update-db' and 'create-crl'.
  • I deploy crl.pem to the OpenVPN server and restart each time there is an update or revocation.

Here are CRL and text db contents:

  • Upon initialization of server
     $> cat auth/pki/index.txt
     V	281109182216Z		FF42240511ED8204215894082114D4A4	unknown	/CN=server
     $> openssl crl -in auth/pki/crl.pem -text -noout
     Certificate Revocation List (CRL):
             Version 2 (0x1)
         Signature Algorithm: sha256WithRSAEncryption
             Issuer: /CN=domain
             Last Update: Nov 12 18:28:17 2018 GMT
             Next Update: Nov  9 18:28:17 2028 GMT
             CRL extensions:
                 X509v3 Authority Key Identifier: 
                     keyid:AC:22:23:B8:0F:02:5C:A8:82:EF:C6:89:7B:62:E3:C8:81:8F:6B:AE
                     DirName:/CN=domain
                     serial:A0:23:32:51:DD:EF:C4:98
     
     No Revoked Certificates.
         Signature Algorithm: sha256WithRSAEncryption
              76:fd:69:a3:0f:84:e6:ca:5b:5e:ce:53:ad:63:42:ea:ea:99:
              e2:71:5b:9b:b7:68:91:fa:09:4c:4a:3a:22:95:dd:ee:08:76:
              99:9d:19:e0:97:10:05:9c:6b:e0:65:8a:03:78:21:e3:a0:02:
              70:62:f2:ab:a3:75:f8:6a:7f:b0:1d:65:16:34:49:a8:9e:aa:
              ff:56:73:65:b9:60:05:57:84:c3:52:b7:ae:da:0f:1a:c3:9a:
              a4:0b:69:95:15:70:ac:63:9e:73:4b:1d:35:4d:98:08:70:55:
              5b:a9:bf:9e:43:17:bf:1f:8b:59:3c:ad:cf:3e:0c:5e:d1:7d:
              42:58:52:f5:2e:b3:03:62:37:9f:e6:a9:53:f6:f3:7e:f5:58:
              5c:3f:fa:f7:e4:ce:67:75:e7:4d:bf:d2:b4:18:58:db:59:1d:
              80:f9:81:c9:e9:ea:a0:e1:9e:96:a5:c7:dc:89:67:66:b3:05:
              7a:49:92:0a:53:30:c4:b0:7f:04:7b:b8:5f:67:c3:56:7c:96:
              e1:8b:38:ce:3c:cb:95:46:f1:2e:01:20:71:58:f9:02:22:2c:
              d1:07:6f:fc:fa:e4:ab:a9:7c:bf:87:4a:51:e8:71:50:55:0b:
              04:81:25:d3:33:fb:4c:a3:a4:e0:44:ca:91:05:d2:fd:91:8b:
              a3:95:41:69
  • After issuing configs for 2 clients:
     $> cat auth/pki/index.txt
     V	281109182216Z		FF42240511ED8204215894082114D4A4	unknown	/CN=server
     V	281109182955Z		B9BEBF692BF00C05E7C589E63A77D555	unknown	/CN=client1
     V	281109183009Z		2CB6E6C5C31195943D3340008CC46DA5	unknown	/CN=client2
     $> openssl crl -in auth/pki/crl.pem -text -noout
     Certificate Revocation List (CRL):
             Version 2 (0x1)
         Signature Algorithm: sha256WithRSAEncryption
             Issuer: /CN=domain
             Last Update: Nov 12 18:30:10 2018 GMT
             Next Update: Nov  9 18:30:10 2028 GMT
             CRL extensions:
                 X509v3 Authority Key Identifier: 
                     keyid:AC:22:23:B8:0F:02:5C:A8:82:EF:C6:89:7B:62:E3:C8:81:8F:6B:AE
                     DirName:/CN=domain
                     serial:A0:23:32:51:DD:EF:C4:98
     
     No Revoked Certificates.
         Signature Algorithm: sha256WithRSAEncryption
              06:1c:eb:ec:69:d9:3d:4d:d1:5d:ab:7a:99:17:5b:21:d6:f8:
              a1:80:55:b0:63:45:4d:2c:52:3b:00:78:18:46:78:13:94:19:
              31:c9:54:33:be:42:d4:e4:35:56:da:8b:4a:b1:ac:fd:5a:28:
              94:9b:6d:33:fd:6c:76:db:8c:49:b4:5c:6e:28:38:41:87:dd:
              37:ba:76:c2:aa:67:72:37:7d:0f:fa:35:a5:b2:04:fc:52:42:
              e2:42:40:da:e4:2a:be:70:4c:d1:f9:c4:3e:77:d1:58:c6:a2:
              55:61:d4:19:b8:d1:81:02:9a:6d:5c:7f:d2:e4:67:fc:70:3e:
              42:4a:7e:e7:ee:c7:76:09:d2:68:f7:2b:6f:15:a8:66:09:9a:
              8a:40:51:78:6b:9d:ce:65:4c:2d:85:b6:1f:b6:ab:50:d8:27:
              e7:bd:9a:49:4a:91:6d:94:26:73:69:b7:3d:29:b0:a9:7d:0b:
              1e:eb:3b:73:7e:a5:c7:50:49:46:2d:72:bc:a3:d2:20:26:98:
              22:f4:f1:10:98:62:46:1c:cd:fc:73:2f:78:80:14:c8:24:38:
              7c:b6:1a:17:27:9d:62:64:f0:b2:35:82:c4:b7:ab:ac:04:08:
              e1:c2:b9:9e:58:7a:0e:4c:9d:6a:b7:9d:26:6a:29:f0:4f:88:
              4e:77:fc:19
  • After revoking configs for 2 clients:
     $> cat auth/pki/index.txt
     V	281109182216Z		FF42240511ED8204215894082114D4A4	unknown	/CN=server
     R	281109182955Z	181112183024Z	B9BEBF692BF00C05E7C589E63A77D555	unknown	/CN=client1
     R	281109183009Z	181112183027Z	2CB6E6C5C31195943D3340008CC46DA5	unknown	/CN=client2
     $> openssl crl -in auth/pki/crl.pem -text -noout
     Certificate Revocation List (CRL):
             Version 2 (0x1)
         Signature Algorithm: sha256WithRSAEncryption
             Issuer: /CN=domain
             Last Update: Nov 12 18:30:27 2018 GMT
             Next Update: Nov  9 18:30:27 2028 GMT
             CRL extensions:
                 X509v3 Authority Key Identifier: 
                     keyid:AC:22:23:B8:0F:02:5C:A8:82:EF:C6:89:7B:62:E3:C8:81:8F:6B:AE
                     DirName:/CN=domain
                     serial:A0:23:32:51:DD:EF:C4:98
     
     Revoked Certificates:
         Serial Number: 2CB6E6C5C31195943D3340008CC46DA5
             Revocation Date: Nov 12 18:30:27 2018 GMT
         Serial Number: B9BEBF692BF00C05E7C589E63A77D555
             Revocation Date: Nov 12 18:30:24 2018 GMT
         Signature Algorithm: sha256WithRSAEncryption
              70:6d:f8:fc:84:32:3c:bf:f0:a1:63:e8:2b:94:0d:01:46:71:
              95:60:73:02:f5:d4:a4:48:cb:58:7b:8a:8c:b0:4c:27:23:81:
              eb:c0:99:a2:a8:89:16:76:87:28:0d:82:cc:a2:7a:de:28:8f:
              77:08:66:46:59:a3:07:7d:a6:0b:1b:75:d4:9f:5b:5f:75:cc:
              eb:1c:f7:22:90:a5:59:f8:29:01:5c:1c:5f:9e:77:9a:67:50:
              a0:5d:15:af:da:20:73:ae:40:1f:fd:e3:af:27:6e:f6:5c:6a:
              1f:d0:85:a8:92:02:1b:d6:77:7c:bc:66:ae:3c:ff:cf:70:17:
              50:12:a7:df:a0:a9:f7:b9:df:11:4a:3c:1e:16:75:01:9c:ef:
              22:9f:3d:40:85:ba:78:d0:fa:14:9a:22:77:b0:d6:69:25:7d:
              98:68:f2:89:b7:63:5a:f1:f1:76:b5:cd:a0:7c:7a:e9:e2:4d:
              25:07:0e:7c:1e:c3:dd:ec:9a:e2:32:9d:ff:f4:af:38:50:98:
              a0:de:5d:5f:22:0d:8e:f5:c1:90:e3:ea:b2:1c:11:83:93:d4:
              12:c7:7f:52:0d:c2:9b:d7:27:73:ee:8f:53:89:02:18:68:b3:
              88:49:3c:9a:28:9d:2f:47:c8:1a:bf:17:f6:a6:21:33:85:86:
              8e:64:6a:57
  • After re-issuing configs for 2 clients:
     $> cat auth/pki/index.txt
     V	281109182216Z		FF42240511ED8204215894082114D4A4	unknown	/CN=server
     R	281109182955Z	181112183024Z	B9BEBF692BF00C05E7C589E63A77D555	unknown	/CN=client1
     R	281109183009Z	181112183027Z	2CB6E6C5C31195943D3340008CC46DA5	unknown	/CN=client2
     V	281109183048Z		C195D111FDC160DBFABD37A74C7DA816	unknown	/CN=client1
     V	281109183057Z		45AFBA1724B26E1B127091B9EC5E782B	unknown	/CN=client2
     $> openssl crl -in auth/pki/crl.pem -text -noout
     Certificate Revocation List (CRL):
             Version 2 (0x1)
         Signature Algorithm: sha256WithRSAEncryption
             Issuer: /CN=domain
             Last Update: Nov 12 18:30:57 2018 GMT
             Next Update: Nov  9 18:30:57 2028 GMT
             CRL extensions:
                 X509v3 Authority Key Identifier: 
                     keyid:AC:22:23:B8:0F:02:5C:A8:82:EF:C6:89:7B:62:E3:C8:81:8F:6B:AE
                     DirName:/CN=domain
                     serial:A0:23:32:51:DD:EF:C4:98
     
     Revoked Certificates:
         Serial Number: 2CB6E6C5C31195943D3340008CC46DA5
             Revocation Date: Nov 12 18:30:27 2018 GMT
         Serial Number: B9BEBF692BF00C05E7C589E63A77D555
             Revocation Date: Nov 12 18:30:24 2018 GMT
         Signature Algorithm: sha256WithRSAEncryption
              73:2d:5b:ea:22:4b:0b:30:37:05:24:10:bd:0f:d5:c6:14:4d:
              b0:40:9b:20:7c:3c:03:20:79:f8:74:ad:4b:bf:6d:bc:f0:c6:
              25:c2:a4:7a:d0:c8:5c:8b:34:4a:97:38:36:0c:74:75:50:d6:
              f3:0b:ca:f1:39:1e:ee:8f:12:9b:ed:d7:35:eb:d6:1d:80:25:
              1e:2e:a5:2b:f0:ef:a4:5e:c5:b6:39:33:9a:27:17:80:7c:f1:
              d0:c4:f9:de:47:52:70:bb:59:e1:d2:f8:74:11:9e:a8:8c:29:
              8a:54:ab:ee:b5:1d:ad:b9:ab:e3:2a:98:21:74:55:93:db:2f:
              e5:43:21:52:a1:a1:11:23:4a:7c:9b:30:52:8c:7e:16:51:4d:
              bb:e1:5e:23:6f:e7:f5:c9:90:fc:7e:06:79:86:64:7d:32:c0:
              43:22:8c:8c:f4:b5:97:bb:3a:25:a3:f3:77:36:17:4b:98:6d:
              d7:35:b5:c0:fa:88:bc:68:5c:a8:2d:8f:ca:93:e9:86:e8:b3:
              2c:31:55:c4:06:4c:2c:69:e7:5f:20:26:bd:82:90:89:8a:d0:
              8e:d8:2e:d2:b3:d8:0a:fa:97:3e:2c:fd:42:39:e4:bb:5e:51:
              ef:02:c2:72:5b:a6:99:8f:2c:9d:8c:db:66:22:1c:3d:4e:43:
              1c:d2:2a:ec

Observations

  • This looks like a bug in either EasyRSA or OpenVPN. Clearly, the DB (index.txt) indicates that the new certificates after revoke have different serial numbers. Am I missing something here?
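Before blaming the TLS handshake, one check worth running is whether the CA's own records agree with each other: every 'R' line in index.txt should have its serial on the CRL actually deployed to the server, and the serial of the certificate the client was just given should not be on it. The Python script below is an added example, not code from this ticket and not part of EasyRSA or OpenVPN. It parses the index.txt layout shown above and the text dump produced by `openssl crl -text`; the embedded sample data is copied from the ticket's final index.txt and CRL, while the function names and problem messages are my own. It also reports one current serial per CN, which is the expected picture after revoke-and-reissue: the old serial stays 'R', the new certificate is a separate 'V' line with a fresh serial, and the CRL lists serials, not names.

```python
"""Cross-check an OpenSSL/EasyRSA index.txt against a CRL text dump.

Added example; not code from the ticket, EasyRSA or OpenVPN.
Sample data is copied from the ticket's final index.txt and CRL output.
"""
from dataclasses import dataclass
import re

# index.txt after revoking client1/client2 and re-issuing both (from the ticket)
INDEX_TXT = """\
V\t281109182216Z\t\tFF42240511ED8204215894082114D4A4\tunknown\t/CN=server
R\t281109182955Z\t181112183024Z\tB9BEBF692BF00C05E7C589E63A77D555\tunknown\t/CN=client1
R\t281109183009Z\t181112183027Z\t2CB6E6C5C31195943D3340008CC46DA5\tunknown\t/CN=client2
V\t281109183048Z\t\tC195D111FDC160DBFABD37A74C7DA816\tunknown\t/CN=client1
V\t281109183057Z\t\t45AFBA1724B26E1B127091B9EC5E782B\tunknown\t/CN=client2
"""

# `openssl crl -text -noout` output at the same point (signature bytes omitted)
CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /CN=domain
        Last Update: Nov 12 18:30:57 2018 GMT
        Next Update: Nov  9 18:30:57 2028 GMT
Revoked Certificates:
    Serial Number: 2CB6E6C5C31195943D3340008CC46DA5
        Revocation Date: Nov 12 18:30:27 2018 GMT
    Serial Number: B9BEBF692BF00C05E7C589E63A77D555
        Revocation Date: Nov 12 18:30:24 2018 GMT
    Signature Algorithm: sha256WithRSAEncryption
"""


@dataclass(frozen=True)
class IndexEntry:
    status: str      # 'V' valid, 'R' revoked, 'E' expired
    expiry: str      # YYMMDDHHMMSSZ as OpenSSL writes it
    revoked_at: str  # empty unless status == 'R'
    serial: str      # uppercase hex, no colons
    cn: str


def parse_index(text):
    """Parse the tab-separated OpenSSL CA database (index.txt)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index.txt line: {line!r}")
        status, expiry, revoked_at, serial, _filename, dn = fields
        m = re.search(r"/CN=([^/]+)", dn)
        cn = m.group(1) if m else dn
        entries.append(IndexEntry(status, expiry, revoked_at, serial.upper(), cn))
    return entries


def parse_crl_serials(text):
    """Serials listed under 'Revoked Certificates:' in `openssl crl -text` output.

    Accepts both the plain hex form shown in the ticket and the colon-separated
    form OpenSSL uses for some serials.
    """
    serials = set()
    in_revoked = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Revoked Certificates:":
            in_revoked = True
            continue
        if stripped == "No Revoked Certificates.":
            break
        if in_revoked:
            m = re.match(r"Serial Number:\s*([0-9A-Fa-f:]+)", stripped)
            if m:
                serials.add(m.group(1).replace(":", "").upper())
    return serials


def check_pki(index_text, crl_text):
    """Return (current serial per CN, list of inconsistencies)."""
    entries = parse_index(index_text)
    crl = parse_crl_serials(crl_text)
    problems = []
    active = {}  # cn -> serial of the certificate that client should now present
    for e in entries:
        if e.status == "R" and e.serial not in crl:
            problems.append(f"{e.cn}: revoked serial {e.serial} missing from CRL (regenerate with 'easyrsa gen-crl')")
        if e.status == "V":
            if e.serial in crl:
                problems.append(f"{e.cn}: valid serial {e.serial} is on the CRL")
            if e.cn in active:
                problems.append(f"{e.cn}: more than one valid certificate ({active[e.cn]}, {e.serial})")
            active[e.cn] = e.serial
    known = {e.serial for e in entries}
    for s in sorted(crl - known):
        problems.append(f"CRL serial {s} is not in index.txt")
    return active, problems


if __name__ == "__main__":
    current, issues = check_pki(INDEX_TXT, CRL_TEXT)
    for cn, serial in current.items():
        print(f"{cn}: current serial {serial}")
    print("inconsistencies:", issues or "none")
```

A clean result only shows that the CA side is consistent. If the handshake still fails after that, the next things to confirm are which certificate the client is actually presenting (for example, whether the re-deployed .ovpn still embeds the revoked one; `openssl x509 -noout -serial -in client1.crt` prints the serial to compare against the 'V' line) and that the file the server loads via `crl-verify` is the regenerated CRL, not an older copy.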

Change History (16)

comment:1 Changed 5 years ago by KarlChilders

Note: EasyRSA 3.0.5

comment:2 Changed 5 years ago by Gert Döring

Why on earth would you revoke and reissue certificates to handle a server IP change?

If you do not like DNS, you can still just replace the IP address in the .ovpn file, keeping the old certificate...

comment:4 in reply to:  2 Changed 5 years ago by KarlChilders

Replying to Gert Döring:

Why on earth would you revoke and reissue certificates to handle a server IP change?

If you do not like DNS, you can still just replace the IP address in the .ovpn file, keeping the old certificate...

Thank you for your kind suggestion.

Still, the fact remains, that after a revoke, a new configuration with new certificates cannot be issued. This is different from the behavior in Ubuntu 16.04 (EasyRSA 2/OpenVPN 2.3).

comment:5 Changed 5 years ago by tct

EasyRSA 3: randomise serial number:
https://github.com/OpenVPN/easy-rsa/blob/b38f65927c377c8bb55510229f0cbb8208c756a9/easyrsa3/easyrsa#L673

EasyRSA 2: probably does not.

@KarlChilders: "We" are still curious, under what circumstances would you choose to re-issue the bulk of your PKI for a simple IP change ?

Even a --server can --float .. right ?


comment:6 Changed 5 years ago by KarlChilders

EasyRSA 3: randomise serial number:
https://github.com/OpenVPN/easy-rsa/blob/b38f65927c377c8bb55510229f0cbb8208c756a9/easyrsa3/easyrsa#L673

EasyRSA 2: probably does not.

I believe EasyRSA 2 used a one-up

@KarlChilders: "We" are still curious, under what circumstances would you choose to re-issue the bulk of your PKI for a simple IP change ?

I assumed (incorrectly) that any change to the config would invalidate everything. @Gert Döring pointed out that assumption was incorrect. As a Java developer, I am abused of the concept of digital signatures where everything in a jar is protected by what amounts to a secure checksum. Please pardon my ignorance. Sometimes, even a "stupid" mistake can reveal weaknesses in the code.

I know "you" are focused on the config change fact right now. Please try to look past that right now and concentrate on the issue in the title: Cannnot (sic) re-issue ovpn config after revoke. Is this not a bug?

Believe me, I am only trying to help. "You" do want to improve "your" software ... right?

Even a --server can --float .. right ?

This cryptic statement is not helpful to me. Can you be more specific? It might help me to be better informed.


comment:7 in reply to:  6 Changed 5 years ago by tct

Replying to KarlChilders:

Even a --server can --float .. right ?

This cryptic statement is not helpful to me. Can you be more specific? It might help me to be better informed.

It is not cryptic at all.
--server is the option used to denote a standard TLS server.
--float is the option which allows peers to change IP address, due to DHCP or other.

We recommend users read about options they do not understand in the manual.

Replying to KarlChilders:

I know "you" are focused on the config change fact right now. Please try to look past that right now and concentrate on the issue in the title: Cannnot (sic) re-issue ovpn config after revoke. Is this not a bug?

No, it is not a bug but it is an acceptable change of behaviour between EasyRSA 2.x and 3.x

Replying to KarlChilders:

I assumed (incorrectly) that any change to the config would invalidate everything

At least you learned something new that will help you in future.


comment:8 Changed 5 years ago by KarlChilders

No, it is not a bug but it is an acceptable change of behaviour between EasyRSA 2.x and 3.x

OK. But it seems a little heavy handed to have to rebuild the entire PKI just to reissue a certificate for one client.

Also, it is mysterious to me that index.txt contains ‘V’ records for clients after ‘R’ records for the same clients. (See last example above)

I leave with the distinct impression that you’re not listening.

comment:9 in reply to:  8 Changed 5 years ago by tct

This trac system is for the tracking of bugs and I believe we have suitably established that the problem you are experiencing is not a bug.

For my part I will be switching back to your Forum thread for continued user support.

comment:10 Changed 5 years ago by KarlChilders

If it is not a bug, then please point me to documentation to explain how to re-issue a certificate to a client that has been revoked. I cannot find such instructions.

comment:11 Changed 5 years ago by tct

The documentation you require does not exist because what you are trying to do is not possible with EasyRSA 3.

If you require EasyRSA 2 functionality then use v2 not v3.

Please refer to your forum thread for continued user support.

As the last resort, you could raise an issue @ easy-rsa on git.


comment:12 in reply to:  10 Changed 5 years ago by tct

Replying to KarlChilders:

If it is not a bug, then please point me to documentation to explain how to re-issue a certificate to a client that has been revoked. I cannot find such instructions.

This may be of use to you:
https://github.com/OpenVPN/easy-rsa/commit/1ab456a46d3f8e14aba2053ae5b78507eb3fb940

comment:13 Changed 4 years ago by Gert Döring

@tincantech: can this be closed?

comment:14 Changed 4 years ago by tct

In my opinion, this can be closed because it is not a bug with any software, it is a simple case of mismanagement by the administrator in question. If there really is a bug then it would be best reported to Easy-RSA on github.


comment:15 Changed 4 years ago by tct

Resolution: notabug
Status: new → closed

comment:16 Changed 4 years ago by tct

From the original ticket:

Observations

This looks like a bug in either EasyRSA or OpenVPN. Clearly, the DB (index.txt) indicates that the new certificates after revoke have different serial numbers. Am I missing something here?

All certificates per PKI have unique serial numbers, that is how x509 certificates work. This is not a bug.
