Opened 4 years ago

Closed 3 years ago

#822 closed Bug / Defect (fixed)

Cannot load certificate after password change on AD

Reported by: skodde
Owned by:
Priority: major
Milestone:
Component: Generic / unclassified
Version: OpenVPN 2.4.0 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords:
Cc:

Description

Hi,

I've successfully tested a configuration in which the client certificate is installed in the Current User store on Windows and it is retrieved via the cryptoapicert option.

Everything works fine on Windows 7 and 10 with OpenVPN 2.4.0 and previous versions; however, as soon as the AD user changes their password (on the same local machine), OpenVPN cannot load the certificate anymore.

This is the error I get:

OpenSSL:error:C5066064:microsoft cryptoapi:CryptAcquireCertificatePrivateKey:Key not valid for use in specified state.
Cannot load certificate "THUMB:xx ... xx" from Microsoft Certificate Store

The certificate is correctly present in certmgr after the password change.
I've tried locking, logging out, rebooting, shutting down, nothing helps.
After reinstalling the certificate, everything works perfectly fine again.

The error is always reproducible in different scenarios, connected to the AD network directly or via OpenVPN.

I expect everything would work using the Local Machine store, but I need to use the Current User one.

Thanks!

Change History (5)

comment:1 Changed 4 years ago by selvanair

Looks like the private key is not readable after password change. Windows uses DPAPI to encrypt the private key and somehow the user's master key used for that may not be getting re-wrapped after a password change.

I do not think this is a problem with OpenVPN -- cryptoapicert does work with domain users.
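A way to exercise the same private key outside OpenVPN, as an added example that is not part of the original ticket or of OpenVPN: it looks up a certificate in the Current User store and attempts one signature with its key. The function name `Test-UserCertKey` is hypothetical, the thumbprint is a placeholder, and the example assumes an RSA key and .NET Framework 4.6 or later.

```powershell
# Added diagnostic, not from the ticket. Test-UserCertKey is a hypothetical name.
function Test-UserCertKey {
    param(
        # Placeholder thumbprint; substitute the one used with cryptoapicert.
        [string]$Thumbprint = '0000000000000000000000000000000000000000'
    )
    # NTE_BAD_KEY_STATE: "Key not valid for use in specified state."
    $NTE_BAD_KEY_STATE = 0x8009000B
    $wanted = ($Thumbprint -replace '\s', '').ToUpper()

    $cert = Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Thumbprint -eq $wanted } |
        Select-Object -First 1
    if (-not $cert) { return 'NotFound: no such certificate in CurrentUser\My' }
    if (-not $cert.HasPrivateKey) { return 'NoKey: certificate has no associated private key' }

    try {
        # Acquiring the key handle or using it is where an unreadable key fails.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($null -eq $rsa) { return 'Skipped: not an RSA key (assumption of this example)' }
        $probe = [System.Text.Encoding]::ASCII.GetBytes('key-probe')
        [void]$rsa.SignData($probe,
            [System.Security.Cryptography.HashAlgorithmName]::SHA256,
            [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
        return 'OK: private key is usable by this user'
    }
    catch {
        # PowerShell wraps .NET exceptions; unwrap to the original one.
        $ex = $_.Exception.GetBaseException()
        if ($ex.HResult -eq $NTE_BAD_KEY_STATE) {
            return 'BadKeyState: key exists but is not usable (same error text as in the ticket)'
        }
        return "Error: $($ex.Message)"
    }
}

Test-UserCertKey
```

A `BadKeyState` result for the affected user reproduces the failure without OpenVPN involved, which is consistent with the cause lying in the Windows key store rather than in cryptoapicert.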

comment:2 Changed 4 years ago by skodde

I can confirm that the issue is related to this Samba bug (fixed as of version 4.2.0): https://bugzilla.samba.org/show_bug.cgi?id=10980

comment:3 Changed 3 years ago by Gert Döring

So if I'm reading this right, we can close this ticket as the bug is elsewhere?

comment:4 in reply to:  3 Changed 3 years ago by skodde

Replying to cron2:

> So if I'm reading this right, we can close this ticket as the bug is elsewhere?

Yes, thanks to #openvpn-devel for helping figure this out!

comment:5 Changed 3 years ago by Gert Döring

Resolution: fixed
Status: new → closed