[Solved] Revoked cert can still connect. CRL?

dnilgreb
OpenVpn Newbie
Posts: 5
Joined: Fri Mar 04, 2016 12:13 pm

[Solved] Revoked cert can still connect. CRL?

Post by dnilgreb » Mon Oct 30, 2017 9:22 am

I am running a private OpenVPN server (easy-RSA 3), and am trying to revoke a cert.
However, I am not experienced and would like some help...

I added this cert this way:

    ./easyrsa.real build-client-full TestUser

and then I revoked it:

    ./easyrsa.real revoke TestUser

Revocation seems to have gone well:

    root@openvpn_1:/usr/local/etc/openvpn/easy-rsa # ./easyrsa.real revoke TestUser

    Note: using Easy-RSA configuration from: ./vars


    Please confirm you wish to revoke the certificate with the following subject:

    subject=
        commonName                = TestUser


    Type the word 'yes' to continue, or any other input to abort.
      Continue with revocation: yes
    Using configuration from /usr/local/etc/openvpn/easy-rsa/openssl-1.0.cnf
    Enter pass phrase for /usr/local/etc/openvpn/easy-rsa/pki/private/ca.key:
    Revoking Certificate 08.
    Data Base Updated

    IMPORTANT!!!

    Revocation was successful. You must run gen-crl and upload a CRL to your
    infrastructure in order to prevent the revoked cert from being accepted.

And as warned, the user can still connect.
I understand I need a CRL setup to prevent revoked certs from connecting. But how do I set that up?

TinCanTech
OpenVPN Protagonist
Posts: 3347
Joined: Fri Jun 03, 2016 1:17 pm

Re: Revoked cert can still connect. CRL?

Post by TinCanTech » Mon Oct 30, 2017 12:01 pm

See --crl-verify in The Manual v24x ..

dnilgreb
OpenVpn Newbie
Posts: 5
Joined: Fri Mar 04, 2016 12:13 pm

Re: Revoked cert can still connect. CRL?

Post by dnilgreb » Mon Oct 30, 2017 2:31 pm

Ok. Read up a little bit on it, and created the crl.pem file in this path:

    /usr/local/etc/openvpn/easy-rsa/pki

Inside the index.txt file in the same path, I find this:

    R       271028075813Z   171030080841Z   08      unknown /CN=TestUser

So now it should not work, right? R for Revoked?
But TestUser can still connect, getting the same IP and everything.
What more needs to be done in order for it to fail connection?

TinCanTech
OpenVPN Protagonist
Posts: 3347
Joined: Fri Jun 03, 2016 1:17 pm

Re: Revoked cert can still connect. CRL?

Post by TinCanTech » Mon Oct 30, 2017 3:08 pm


dnilgreb
OpenVpn Newbie
Posts: 5
Joined: Fri Mar 04, 2016 12:13 pm

Re: Revoked cert can still connect. CRL?

Post by dnilgreb » Tue Oct 31, 2017 8:31 am

Solved!

As I read the guide on how to ask for help, I realised that I hadn't done anything in server.conf to let the server know about the CRL.

Added this line:

    crl-verify /path/to/crl.pem

and reloaded the server config.
Done!
Now it works.
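The whole sequence from this thread, replayed with plain openssl as an added example (this is not code from the thread, from Easy-RSA or from OpenVPN). Easy-RSA 3 drives `openssl ca` underneath, so the same three pieces appear: index.txt (the CA database that gets the `R` row when you revoke), crl.pem (written only by gen-crl) and the server's `crl-verify` option (the only thing that makes OpenVPN read crl.pem at all). The script reproduces the state the original poster was in: after the revoke, index.txt says R, but a CRL generated before the revoke still reports the cert as OK; only a freshly generated CRL rejects it. All names, paths and the serial are invented for the demo, the minimal ca.cnf stands in for Easy-RSA's openssl-1.0.cnf, and `verify_client` stands in for the check OpenVPN performs per connection when `crl-verify` is set. It needs the openssl command-line tool and nothing else.

```shell
#!/bin/sh
# Added example, not from the thread: replay revoke -> gen-crl -> crl-verify
# with plain openssl, which is what Easy-RSA 3 runs underneath.
# Every path, CN and serial here is made up for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
mkdir certs
touch index.txt            # the CA database Easy-RSA keeps in pki/index.txt
echo 01 > serial
echo 01 > crlnumber

# Minimal config for 'openssl ca'; Easy-RSA ships a much bigger one.
cat > ca.cnf <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
new_certs_dir    = $WORK/certs
database         = $WORK/index.txt
serial           = $WORK/serial
crlnumber        = $WORK/crlnumber
certificate      = $WORK/ca.crt
private_key      = $WORK/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 180
policy           = policy_cn
x509_extensions  = client_ext

[ policy_cn ]
commonName = supplied

[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext

[ req_dn ]

[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF

# CA plus one client cert: the 'build-ca' and 'build-client-full TestUser' steps.
openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj /CN=Demo-CA -days 365 -config ca.cnf 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
    -subj /CN=TestUser -config ca.cnf 2>/dev/null
openssl ca -batch -notext -config ca.cnf -in client.csr -out client.crt 2>/dev/null

# 'easyrsa gen-crl': builds a CRL from the R rows of index.txt.
gen_crl() {
    openssl ca -config ca.cnf -gencrl -out "$1" 2>/dev/null
}

# What the server does per client when 'crl-verify <file>' is configured:
# chain check against the CA plus a lookup of the serial in that CRL.
# Prints OK or REVOKED. Without crl-verify the CRL is never consulted.
verify_client() {
    out=$(openssl verify -crl_check -CAfile ca.crt -CRLfile "$1" client.crt 2>&1 || true)
    case "$out" in
        *"certificate revoked"*) echo REVOKED; return 1 ;;
        *": OK"*)                echo OK ;;
        *) echo "UNEXPECTED: $out" >&2; return 2 ;;
    esac
}

# Serials index.txt marks R. This is the CA's bookkeeping, not what OpenVPN reads.
revoked_serials() {
    awk 'BEGIN { FS = "\t" } $1 == "R" { print $4 }' index.txt
}

gen_crl crl.pem
STATUS_BEFORE=$(verify_client crl.pem)           # OK: nothing revoked yet

# 'easyrsa revoke TestUser': only index.txt changes, the old CRL is untouched.
openssl ca -config ca.cnf -revoke client.crt -crl_reason keyCompromise 2>/dev/null
STATUS_STALE_CRL=$(verify_client crl.pem)        # still OK: CRL not regenerated

# 'easyrsa gen-crl' and pointing crl-verify at the new file: now it fails.
gen_crl crl.pem
STATUS_AFTER=$(verify_client crl.pem || true)    # REVOKED

echo "index.txt revoked serials: $(revoked_serials | tr '\n' ' ')"
echo "before revoke: $STATUS_BEFORE, stale CRL: $STATUS_STALE_CRL, fresh CRL: $STATUS_AFTER"
```

The line that finishes the job on the real server is the one the thread ended with, here with the path the poster showed for the pki directory: `crl-verify /usr/local/etc/openvpn/easy-rsa/pki/crl.pem` in server.conf. Two caveats worth knowing before relying on this: the CRL carries its own expiry (Easy-RSA's default is 180 days), and once it lapses OpenVPN rejects every client, not just the revoked ones, so gen-crl has to be re-run on a schedule and the new file copied to wherever crl-verify points; and if the server runs chrooted, that path must resolve inside the chroot. Reloading the server after changing the file, as the poster did, is the safe habit on any version.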

TinCanTech
OpenVPN Protagonist
Posts: 3347
Joined: Fri Jun 03, 2016 1:17 pm

Re: Revoked cert can still connect. CRL?

Post by TinCanTech » Tue Oct 31, 2017 11:16 am

Thanks for letting us know you found the solution 8-)

Thanks for letting me know my guide is also useful ;)
