OpenVPN Support Forum

Posted: **Wed Nov 14, 2018 4:30 am**

The problem

I am running an OpenVPN 2.4.4 server using EasyRSA 3 on Ubuntu 18.04. Occasionally, the server IP changes and I need to re-deploy client.ovpn files to clients to reflect that change. In the past, on Ubuntu 16.04, I used EasyRSA 2 to revoke the certificates, then re-issue certificates and client.ovpn files with no problem.

Now, after I revoke, I cannot re-issue to clients because OpenVPN fails the TLS handshake. My workaround is to completely rebuild the CA and re-initialize the OpenVPN server. I would like to target individual clients on a priority basis rather than 'shotgunning' all the clients at once.

OK here's some specifics:

I can provide logs, config files, etc. if that helps. Let me know what you need to help with the answer.

I use a VM solely for building client/server certificates and ancillary files. When I am done issuing certificates, I can shut down the VM to avoid outside intrusions.
I used the instructions on Digital Ocean as a guide. It should no be a problem that I have the CA and the requestor PKIs on the same machine (which is separate from the OpenVPN server machine).
I created two PKI hierarchies on that VM: One is the CA and the other is devoted to creating cert requests plus issuing client.ovpn files. The two hierarchies are completely independent.
I can successfully create all the required artifacts and create a connection with OpenVPN.
I can successfully revoke clients so they cannot connect to the OpenVPN server.
I use the easyrsa script to 'update-db' and 'create-crl'.
I deploy crl.pem to the OpenVPN server and restart each time there is an update or revocation.

Here are CRL and text db contents:

Upon initialization of server

Code: Select all

     $> cat auth/pki/index.txt
     V	281109182216Z		FF42240511ED8204215894082114D4A4	unknown	/CN=server
     $> openssl crl -in auth/pki/crl.pem -text -noout"
     Certificate Revocation List (CRL):
             Version 2 (0x1)
         Signature Algorithm: sha256WithRSAEncryption
             Issuer: /CN=domain
             Last Update: Nov 12 18:28:17 2018 GMT
             Next Update: Nov  9 18:28:17 2028 GMT
             CRL extensions:
                 X509v3 Authority Key Identifier: 
                     keyid:AC:22:23:B8:0F:02:5C:A8:82:EF:C6:89:7B:62:E3:C8:81:8F:6B:AE
                     DirName:/CN=domain
                     serial:A0:23:32:51:DD:EF:C4:98
     
     No Revoked Certificates.
         Signature Algorithm: sha256WithRSAEncryption
              76:fd:69:a3:0f:84:e6:ca:5b:5e:ce:53:ad:63:42:ea:ea:99:
              e2:71:5b:9b:b7:68:91:fa:09:4c:4a:3a:22:95:dd:ee:08:76:
              99:9d:19:e0:97:10:05:9c:6b:e0:65:8a:03:78:21:e3:a0:02:
              70:62:f2:ab:a3:75:f8:6a:7f:b0:1d:65:16:34:49:a8:9e:aa:
              ff:56:73:65:b9:60:05:57:84:c3:52:b7:ae:da:0f:1a:c3:9a:
              a4:0b:69:95:15:70:ac:63:9e:73:4b:1d:35:4d:98:08:70:55:
              5b:a9:bf:9e:43:17:bf:1f:8b:59:3c:ad:cf:3e:0c:5e:d1:7d:
              42:58:52:f5:2e:b3:03:62:37:9f:e6:a9:53:f6:f3:7e:f5:58:
              5c:3f:fa:f7:e4:ce:67:75:e7:4d:bf:d2:b4:18:58:db:59:1d:
              80:f9:81:c9:e9:ea:a0:e1:9e:96:a5:c7:dc:89:67:66:b3:05:
              7a:49:92:0a:53:30:c4:b0:7f:04:7b:b8:5f:67:c3:56:7c:96:
              e1:8b:38:ce:3c:cb:95:46:f1:2e:01:20:71:58:f9:02:22:2c:
              d1:07:6f:fc:fa:e4:ab:a9:7c:bf:87:4a:51:e8:71:50:55:0b:
              04:81:25:d3:33:fb:4c:a3:a4:e0:44:ca:91:05:d2:fd:91:8b:
              a3:95:41:69

After issuing configs for 2 clients:

Code: Select all

     $> cat auth/pki/index.txt
     V	281109182216Z		FF42240511ED8204215894082114D4A4	unknown	/CN=server
     V	281109182955Z		B9BEBF692BF00C05E7C589E63A77D555	unknown	/CN=client1
     V	281109183009Z		2CB6E6C5C31195943D3340008CC46DA5	unknown	/CN=client2
     $> openssl crl -in auth/pki/crl.pem -text -noout"
     Certificate Revocation List (CRL):
             Version 2 (0x1)
         Signature Algorithm: sha256WithRSAEncryption
             Issuer: /CN=domain
             Last Update: Nov 12 18:30:10 2018 GMT
             Next Update: Nov  9 18:30:10 2028 GMT
             CRL extensions:
                 X509v3 Authority Key Identifier: 
                     keyid:AC:22:23:B8:0F:02:5C:A8:82:EF:C6:89:7B:62:E3:C8:81:8F:6B:AE
                     DirName:/CN=domain
                     serial:A0:23:32:51:DD:EF:C4:98
     
     No Revoked Certificates.
         Signature Algorithm: sha256WithRSAEncryption
              06:1c:eb:ec:69:d9:3d:4d:d1:5d:ab:7a:99:17:5b:21:d6:f8:
              a1:80:55:b0:63:45:4d:2c:52:3b:00:78:18:46:78:13:94:19:
              31:c9:54:33:be:42:d4:e4:35:56:da:8b:4a:b1:ac:fd:5a:28:
              94:9b:6d:33:fd:6c:76:db:8c:49:b4:5c:6e:28:38:41:87:dd:
              37:ba:76:c2:aa:67:72:37:7d:0f:fa:35:a5:b2:04:fc:52:42:
              e2:42:40:da:e4:2a:be:70:4c:d1:f9:c4:3e:77:d1:58:c6:a2:
              55:61:d4:19:b8:d1:81:02:9a:6d:5c:7f:d2:e4:67:fc:70:3e:
              42:4a:7e:e7:ee:c7:76:09:d2:68:f7:2b:6f:15:a8:66:09:9a:
              8a:40:51:78:6b:9d:ce:65:4c:2d:85:b6:1f:b6:ab:50:d8:27:
              e7:bd:9a:49:4a:91:6d:94:26:73:69:b7:3d:29:b0:a9:7d:0b:
              1e:eb:3b:73:7e:a5:c7:50:49:46:2d:72:bc:a3:d2:20:26:98:
              22:f4:f1:10:98:62:46:1c:cd:fc:73:2f:78:80:14:c8:24:38:
              7c:b6:1a:17:27:9d:62:64:f0:b2:35:82:c4:b7:ab:ac:04:08:
              e1:c2:b9:9e:58:7a:0e:4c:9d:6a:b7:9d:26:6a:29:f0:4f:88:
              4e:77:fc:19

After revoking configs for 2 clients:

Code: Select all

     $> cat auth/pki/index.txt
     V	281109182216Z		FF42240511ED8204215894082114D4A4	unknown	/CN=server
     R	281109182955Z	181112183024Z	B9BEBF692BF00C05E7C589E63A77D555	unknown	/CN=client1
     R	281109183009Z	181112183027Z	2CB6E6C5C31195943D3340008CC46DA5	unknown	/CN=client2
     $> openssl crl -in auth/pki/crl.pem -text -noout"
     Certificate Revocation List (CRL):
             Version 2 (0x1)
         Signature Algorithm: sha256WithRSAEncryption
             Issuer: /CN=domain
             Last Update: Nov 12 18:30:27 2018 GMT
             Next Update: Nov  9 18:30:27 2028 GMT
             CRL extensions:
                 X509v3 Authority Key Identifier: 
                     keyid:AC:22:23:B8:0F:02:5C:A8:82:EF:C6:89:7B:62:E3:C8:81:8F:6B:AE
                     DirName:/CN=domain
                     serial:A0:23:32:51:DD:EF:C4:98
     
     Revoked Certificates:
         Serial Number: 2CB6E6C5C31195943D3340008CC46DA5
             Revocation Date: Nov 12 18:30:27 2018 GMT
         Serial Number: B9BEBF692BF00C05E7C589E63A77D555
             Revocation Date: Nov 12 18:30:24 2018 GMT
         Signature Algorithm: sha256WithRSAEncryption
              70:6d:f8:fc:84:32:3c:bf:f0:a1:63:e8:2b:94:0d:01:46:71:
              95:60:73:02:f5:d4:a4:48:cb:58:7b:8a:8c:b0:4c:27:23:81:
              eb:c0:99:a2:a8:89:16:76:87:28:0d:82:cc:a2:7a:de:28:8f:
              77:08:66:46:59:a3:07:7d:a6:0b:1b:75:d4:9f:5b:5f:75:cc:
              eb:1c:f7:22:90:a5:59:f8:29:01:5c:1c:5f:9e:77:9a:67:50:
              a0:5d:15:af:da:20:73:ae:40:1f:fd:e3:af:27:6e:f6:5c:6a:
              1f:d0:85:a8:92:02:1b:d6:77:7c:bc:66:ae:3c:ff:cf:70:17:
              50:12:a7:df:a0:a9:f7:b9:df:11:4a:3c:1e:16:75:01:9c:ef:
              22:9f:3d:40:85:ba:78:d0:fa:14:9a:22:77:b0:d6:69:25:7d:
              98:68:f2:89:b7:63:5a:f1:f1:76:b5:cd:a0:7c:7a:e9:e2:4d:
              25:07:0e:7c:1e:c3:dd:ec:9a:e2:32:9d:ff:f4:af:38:50:98:
              a0:de:5d:5f:22:0d:8e:f5:c1:90:e3:ea:b2:1c:11:83:93:d4:
              12:c7:7f:52:0d:c2:9b:d7:27:73:ee:8f:53:89:02:18:68:b3:
              88:49:3c:9a:28:9d:2f:47:c8:1a:bf:17:f6:a6:21:33:85:86:
              8e:64:6a:57

After re-issuing configs for 2 clients:

Code: Select all

     $> cat auth/pki/index.txt
     V	281109182216Z		FF42240511ED8204215894082114D4A4	unknown	/CN=server
     R	281109182955Z	181112183024Z	B9BEBF692BF00C05E7C589E63A77D555	unknown	/CN=client1
     R	281109183009Z	181112183027Z	2CB6E6C5C31195943D3340008CC46DA5	unknown	/CN=client2
     V	281109183048Z		C195D111FDC160DBFABD37A74C7DA816	unknown	/CN=client1
     V	281109183057Z		45AFBA1724B26E1B127091B9EC5E782B	unknown	/CN=client2
     $> openssl crl -in auth/pki/crl.pem -text -noout"
     Certificate Revocation List (CRL):
             Version 2 (0x1)
         Signature Algorithm: sha256WithRSAEncryption
             Issuer: /CN=domain
             Last Update: Nov 12 18:30:57 2018 GMT
             Next Update: Nov  9 18:30:57 2028 GMT
             CRL extensions:
                 X509v3 Authority Key Identifier: 
                     keyid:AC:22:23:B8:0F:02:5C:A8:82:EF:C6:89:7B:62:E3:C8:81:8F:6B:AE
                     DirName:/CN=domain
                     serial:A0:23:32:51:DD:EF:C4:98
     
     Revoked Certificates:
         Serial Number: 2CB6E6C5C31195943D3340008CC46DA5
             Revocation Date: Nov 12 18:30:27 2018 GMT
         Serial Number: B9BEBF692BF00C05E7C589E63A77D555
             Revocation Date: Nov 12 18:30:24 2018 GMT
         Signature Algorithm: sha256WithRSAEncryption
              73:2d:5b:ea:22:4b:0b:30:37:05:24:10:bd:0f:d5:c6:14:4d:
              b0:40:9b:20:7c:3c:03:20:79:f8:74:ad:4b:bf:6d:bc:f0:c6:
              25:c2:a4:7a:d0:c8:5c:8b:34:4a:97:38:36:0c:74:75:50:d6:
              f3:0b:ca:f1:39:1e:ee:8f:12:9b:ed:d7:35:eb:d6:1d:80:25:
              1e:2e:a5:2b:f0:ef:a4:5e:c5:b6:39:33:9a:27:17:80:7c:f1:
              d0:c4:f9:de:47:52:70:bb:59:e1:d2:f8:74:11:9e:a8:8c:29:
              8a:54:ab:ee:b5:1d:ad:b9:ab:e3:2a:98:21:74:55:93:db:2f:
              e5:43:21:52:a1:a1:11:23:4a:7c:9b:30:52:8c:7e:16:51:4d:
              bb:e1:5e:23:6f:e7:f5:c9:90:fc:7e:06:79:86:64:7d:32:c0:
              43:22:8c:8c:f4:b5:97:bb:3a:25:a3:f3:77:36:17:4b:98:6d:
              d7:35:b5:c0:fa:88:bc:68:5c:a8:2d:8f:ca:93:e9:86:e8:b3:
              2c:31:55:c4:06:4c:2c:69:e7:5f:20:26:bd:82:90:89:8a:d0:
              8e:d8:2e:d2:b3:d8:0a:fa:97:3e:2c:fd:42:39:e4:bb:5e:51:
              ef:02:c2:72:5b:a6:99:8f:2c:9d:8c:db:66:22:1c:3d:4e:43:
              1c:d2:2a:ec

Observations

This looks like a bug in either EasyRSA or OpenVPN. Clearly, the DB (index.txt) indicates that the new certificates after revoke have different serial numbers. Am I missing something here?

Posted: **Mon Nov 19, 2018 2:35 pm**

KarlChilders wrote: ↑
Wed Nov 14, 2018 4:30 am
Clearly, the DB (index.txt) indicates that the new certificates after revoke have different serial numbers

Where ?

Posted: **Mon Nov 19, 2018 4:44 pm**

Please see the last example. We see that the serial numbers have changed for the clients.

Posted: **Mon Nov 19, 2018 6:58 pm**

You have new certificates with new serial numbers but nothing has "changed " ..

http://xyproblem.info/

Posted: **Mon Nov 19, 2018 10:32 pm**

KarlChilders wrote: ↑
Wed Nov 14, 2018 4:30 am
Occasionally, the server IP changes and I need to re-deploy client.ovpn files to clients to reflect that change

We are curios why you do this ..

kitsune1 | wrote:But look at Trac 1142 -- feel like saying: "Burn not your house to fright the mouse away"

Posted: **Wed Nov 21, 2018 6:24 pm**

OK. I admit a certain amount of naiveté on my part. I learned that I didn't need to "Burn ... [my] house to fright (sic) the mouse away." However, I did learn that I cannot reissue a certificate to a client after it has been revoked. I can think of a couple of use cases where that might be a viable scenario. Is revocation is meant to be permanent?

TinCanTech wrote:You have new certificates with new serial numbers but nothing has "changed " ..

Huh? I thought the change was that a client was revoked.

Posted: **Wed Nov 21, 2018 7:11 pm**

KarlChilders wrote: ↑
Wed Nov 21, 2018 6:24 pm
I did learn that I cannot reissue a certificate to a client after it has been revoked. I can think of a couple of use cases where that might be a viable scenario

This is an opinion which you can raise @ easy-rsa on git.

KarlChilders wrote: ↑
Wed Nov 21, 2018 6:24 pm
Is revocation is meant to be permanent?

Yes, if you require a temporary solution then you need another way to do it.

The absolute best thing you can do is learn how EasyRSA works, which is a challenge that a Java Developer should be able to accomplish in less than one half of an hour. (At least theoretically)

Posted: **Wed Nov 21, 2018 7:23 pm**

TinCanTech wrote: ↑
Mon Nov 19, 2018 6:58 pm
You have new certificates with new serial numbers but nothing has "changed " ..

http://xyproblem.info/

Obviously, I asked question X (Why can’t I reissue after revoke?). Instead, I got the answer to question Y (How do I change the server IP for clients?).

Posted: **Wed Nov 21, 2018 7:26 pm**

TinCanTech wrote: ↑
Wed Nov 21, 2018 7:11 pm

The absolute best thing you can do is learn how EasyRSA works, which is a challenge that a Java Developer should be able to accomplish in less than one half of an hour. (At least theoretically)

I don’t understand the snark here. I came here assuming we could get an answer for the community.

Posted: **Wed Nov 21, 2018 7:36 pm**

You must understand by now that, what you want is absurd.

I say this from the point of view that, I only partially understand what it is you are trying to accomplish.
There are obviously steps in "Your process" which are fundamentally incompatible with EasyRSA 3.
This is absolutely due to the fact that EasyRSA randomises the serial numbers of certificates.

Posted: **Wed Nov 21, 2018 7:41 pm**

KarlChilders wrote: ↑
Wed Nov 21, 2018 7:23 pm
Obviously, I asked question X (Why can’t I reissue after revoke?). Instead, I got the answer to question Y (How do I change the server IP for clients?).

Concentrate ...

KarlChilders wrote: ↑
Wed Nov 21, 2018 7:23 pm
I asked question X (Why can’t I reissue after revoke?)

Which we explained .. I hope,

KarlChilders wrote: ↑
Wed Nov 21, 2018 7:23 pm
I got the answer to question Y (How do I change the server IP for clients?)

Which you now understand has nothing to do with your initial problem.

The XY problem is more valid now than ever.

Posted: **Sat Mar 14, 2020 5:37 pm**

I know this is an old post, but I am facing a similar issue as described, but an entirely different scenario.

I have a decent understanding of PKI and maintain my own private Microsoft AD CA and have revoked and re-issued certificates using the same Subject Name without issues.

On my OpenVPN server, I use easy-rsa 3.0 to manually manage certificates used by various servers for site to site VPN tunnels.

I just recently was setting up a new server to connect to my VPN tunnel, but I accidentally issued the new certificate as a server cert instead of a client cert. My OpenVPN config does not allow this as a client cert is required. So I revoked the original server cert and then issued a new client cert correctly, using the same subject name.

The original certificate was created with:
./pkitool --server CERNAME

To revoke the certificate, I used:
./revoke-full CERTNAME

This returned the expected "error 23: certificate revoked" and the index.txt file was updated.

I then issued a new client certificate:
./pkitool CERTNAME

I used openssl to read and verify the new Certificate properties such as date, serial, subject name, etc.

However, after installing the new cert and key on the client side, and updating my CRL, the OpenVPN server is now rejecting the TLS handshake due to a revoked certificate. I have confirmed that the old cert serial is listed in index.txt as R and the new cert serial is listed next with V. I've also confirmed there are no duplicate serials that were previously revoked which conflict with the new cert.

It seems that OpenVPN is only checking the subject name for revocation checks rather than verifying the serial numbers against the CRL. I could be totally wrong on that, but that is what it seems to me.

I can provide any config files or other evidence that may help.

Unless I have a completely warped understanding of PKI, revocation of a certificate should not prevent new certificates from being issued with the same Subject Name, so I would expect that the new cert should work while the old cert, if attempted, would result in the revocation error.

Thanks in advance for any advice or insight the community may be able to provide.

Posted: **Sat Mar 14, 2020 6:34 pm**

jecal22 wrote: ↑
Sat Mar 14, 2020 5:37 pm
Unless I have a completely warped understanding of PKI, revocation of a certificate should not prevent new certificates from being issued with the same Subject Name

Warp Factor 9 Scotty !

Posted: **Sat Mar 21, 2020 12:40 pm**

yes post to the wrong one

OpenVPN Support Forum

Cannot re-issue config after revoke

Cannot re-issue config after revoke

Re: Cannot re-issue config after revoke

Re: Cannot re-issue config after revoke

Re: Cannot re-issue config after revoke

Re: Cannot re-issue config after revoke

Re: Cannot re-issue config after revoke

Re: Cannot re-issue config after revoke

Re: Cannot re-issue config after revoke

Re: Cannot re-issue config after revoke

Re: Cannot re-issue config after revoke

Re: Cannot re-issue config after revoke

Re: Cannot re-issue config after revoke

Re: Cannot re-issue config after revoke

Re: Cannot re-issue config after revoke