[Solved] Revoked cert can still connect. CRL?

dnilgreb
OpenVPN User
Posts: 21
Joined: Fri Mar 04, 2016 12:13 pm

[Solved] Revoked cert can still connect. CRL?

Post by dnilgreb » Mon Oct 30, 2017 9:22 am

I am running a private OpenVPN server (easy-RSA 3), and am trying to revoke a cert.
However, I am not experienced and would like som help...

I added this cert this way:

    ./easyrsa.real build-client-full TestUser

and then I revoked it:

    ./easyrsa.real revoke TestUser

Revocation seems to have gone well:

    root@openvpn_1:/usr/local/etc/openvpn/easy-rsa # ./easyrsa.real revoke TestUser

    Note: using Easy-RSA configuration from: ./vars


    Please confirm you wish to revoke the certificate with the following subject:

    subject=
        commonName                = TestUser


    Type the word 'yes' to continue, or any other input to abort.
      Continue with revocation: yes
    Using configuration from /usr/local/etc/openvpn/easy-rsa/openssl-1.0.cnf
    Enter pass phrase for /usr/local/etc/openvpn/easy-rsa/pki/private/ca.key:
    Revoking Certificate 08.
    Data Base Updated

    IMPORTANT!!!

    Revocation was successful. You must run gen-crl and upload a CRL to your
    infrastructure in order to prevent the revoked cert from being accepted.

And as warned, the user can still connect.
I understand I need a CRL setup to prevent revoked certs from connecting. But how do I set that up?

TinCanTech
OpenVPN Protagonist
Posts: 11138
Joined: Fri Jun 03, 2016 1:17 pm

Re: Revoked cert can still connect. CRL?

Post by TinCanTech » Mon Oct 30, 2017 12:01 pm

See --crl-verify in The Manual v24x ..

dnilgreb
OpenVPN User
Posts: 21
Joined: Fri Mar 04, 2016 12:13 pm

Re: Revoked cert can still connect. CRL?

Post by dnilgreb » Mon Oct 30, 2017 2:31 pm

Ok. Read up a little bit on it, and created the crl.pem file in this path:

    /usr/local/etc/openvpn/easy-rsa/pki

Inside the index.txt file in the same path, I find this:

    R       271028075813Z   171030080841Z   08      unknown /CN=TestUser

So now it should not work, right? R for Revoked?
But TestUser can still connect, getting the same IP and everything.
What more needs to be done in order for it to fail connection?

TinCanTech
OpenVPN Protagonist
Posts: 11138
Joined: Fri Jun 03, 2016 1:17 pm

Re: Revoked cert can still connect. CRL?

Post by TinCanTech » Mon Oct 30, 2017 3:08 pm


dnilgreb
OpenVPN User
Posts: 21
Joined: Fri Mar 04, 2016 12:13 pm

Re: Revoked cert can still connect. CRL?

Post by dnilgreb » Tue Oct 31, 2017 8:31 am

Solved!

As I read the guide on how to ask for help, I realised that I hadn't done anything in server.conf to let the server know about the CRL.

Added this line:

    crl-verify /path/to/crl.pem

and reloaded the server config.
Done!
Now it works.
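The sequence this thread walks through (sign a client cert, revoke it, generate the CRL, then check the cert with and without the CRL) as an added example, not code from this thread, Easy-RSA or OpenVPN: it drives plain openssl in a temp directory the way easyrsa does under pki/, and the CA name, file names and config section names (DemoCA, TestUser, ca.cnf, demo_ca, demo_policy) are made up.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway PKI driven with plain openssl
# (what easyrsa does under pki/) showing that a revoked client cert still
# validates until the verifier is pointed at the CRL, which is what OpenVPN's
# crl-verify adds. Names (DemoCA, TestUser, ca.cnf, demo_*) are made up.
set -e
WORK=$(mktemp -d); cd "$WORK"

# Minimal openssl.cnf: only what "openssl ca" needs to sign, revoke and gencrl.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = index.txt
new_certs_dir    = .
serial           = serial
crlnumber        = crlnumber
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_crl_days = 180
policy           = demo_policy
[ demo_policy ]
commonName       = supplied
EOF
touch index.txt; echo 08 > serial; echo 01 > crlnumber

# CA, then a client cert signed into the database (like build-client-full).
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj /CN=DemoCA \
    -keyout ca.key -out ca.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj /CN=TestUser \
    -keyout TestUser.key -out TestUser.csr 2>/dev/null
openssl ca -config ca.cnf -batch -notext -days 365 \
    -in TestUser.csr -out TestUser.crt 2>/dev/null

# Chain check only: what the server effectively does without crl-verify.
verify_no_crl() { openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1; }
# Chain check plus CRL lookup: what crl-verify adds. Non-zero if revoked.
verify_with_crl() {
    openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem "$1" >/dev/null 2>&1
}
# Does crl.pem list the given serial (two hex digits, as openssl prints it)?
crl_lists_serial() { openssl crl -in crl.pem -noout -text | grep -q "Serial Number: $1"; }
# Revoke and publish the CRL (like "easyrsa revoke" then "easyrsa gen-crl").
openssl ca -config ca.cnf -revoke TestUser.crt
openssl ca -config ca.cnf -gencrl -out crl.pem
grep '^R' index.txt                       # the R line seen in the thread
if verify_no_crl TestUser.crt; then echo "without CRL: still accepted"; fi
if ! verify_with_crl TestUser.crt; then echo "with CRL: rejected"; fi
```

Keep an eye on `openssl crl -in crl.pem -noout -nextupdate`: once that date passes (Easy-RSA's default CRL lifetime is 180 days), a server that checks the CRL rejects every client until gen-crl is run again and the new file is installed.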

TinCanTech
OpenVPN Protagonist
Posts: 11138
Joined: Fri Jun 03, 2016 1:17 pm

Re: Revoked cert can still connect. CRL?

Post by TinCanTech » Tue Oct 31, 2017 11:16 am

Thanks for letting us know you found the solution 8-)

Thanks for letting me know my guide is also useful ;)
