Why does re-issue of EasyRSA 3 certificate after revoke for OpenVPN fail?
up vote
0
down vote
favorite
The problem
I am running an OpenVPN 2.4.4 server using EasyRSA 3 on Ubuntu 18.04. Occasionally, the server IP changes and I need to re-deploy client.ovpn files to clients to reflect that change. In the past, on Ubuntu 16.04, I used EasyRSA 2 to revoke the certificates, then re-issue certificates and client.ovpn files with no problem.
Now, after I revoke, I cannot re-issue to clients because OpenVPN fails the TLS handshake. My workaround is to completely rebuild the CA and re-initialize the OpenVPN server. I would like to target individual clients on a priority basis rather than 'shotgunning' all the clients at once.
OK here's some specifics:
I can provide logs, config files, etc. if that helps. Let me know what you need to help with the answer.
- I use a VM solely for building client/server certificates and ancillary files. When I am done issuing certificates, I can shut down the VM to avoid outside intrusions.
- I used the instructions on Digital Ocean as a guide. It should no be a problem that I have the CA and the requestor PKIs on the same machine (which is separate from the OpenVPN server machine).
- I created two PKI hierarchies on that VM: One is the CA and the other is devoted to creating cert requests plus issuing client.ovpn files. The two hierarchies are completely independent.
- I can successfully create all the required artifacts and create a connection with OpenVPN.
- I can successfully revoke clients so they cannot connect to the OpenVPN server.
- I use the easyrsa script to 'update-db' and 'create-crl'.
- I deploy crl.pem to the OpenVPN server and restart each time there is an update or revocation.
Here are CRL and text db contents:
- Upon initialization of server
$> cat auth/pki/index.txt
V 281109182216Z FF42240511ED8204215894082114D4A4 unknown /CN=server
$> openssl crl -in auth/pki/crl.pem -text -noout"
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /CN=domain
Last Update: Nov 12 18:28:17 2018 GMT
Next Update: Nov 9 18:28:17 2028 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:AC:22:23:B8:0F:02:5C:A8:82:EF:C6:89:7B:62:E3:C8:81:8F:6B:AE
DirName:/CN=domain
serial:A0:23:32:51:DD:EF:C4:98
No Revoked Certificates.
Signature Algorithm: sha256WithRSAEncryption
76:fd:69:a3:0f:84:e6:ca:5b:5e:ce:53:ad:63:42:ea:ea:99:
e2:71:5b:9b:b7:68:91:fa:09:4c:4a:3a:22:95:dd:ee:08:76:
99:9d:19:e0:97:10:05:9c:6b:e0:65:8a:03:78:21:e3:a0:02:
70:62:f2:ab:a3:75:f8:6a:7f:b0:1d:65:16:34:49:a8:9e:aa:
ff:56:73:65:b9:60:05:57:84:c3:52:b7:ae:da:0f:1a:c3:9a:
a4:0b:69:95:15:70:ac:63:9e:73:4b:1d:35:4d:98:08:70:55:
5b:a9:bf:9e:43:17:bf:1f:8b:59:3c:ad:cf:3e:0c:5e:d1:7d:
42:58:52:f5:2e:b3:03:62:37:9f:e6:a9:53:f6:f3:7e:f5:58:
5c:3f:fa:f7:e4:ce:67:75:e7:4d:bf:d2:b4:18:58:db:59:1d:
80:f9:81:c9:e9:ea:a0:e1:9e:96:a5:c7:dc:89:67:66:b3:05:
7a:49:92:0a:53:30:c4:b0:7f:04:7b:b8:5f:67:c3:56:7c:96:
e1:8b:38:ce:3c:cb:95:46:f1:2e:01:20:71:58:f9:02:22:2c:
d1:07:6f:fc:fa:e4:ab:a9:7c:bf:87:4a:51:e8:71:50:55:0b:
04:81:25:d3:33:fb:4c:a3:a4:e0:44:ca:91:05:d2:fd:91:8b:
a3:95:41:69
- After issuing configs for 2 clients:
$> cat auth/pki/index.txt
V 281109182216Z FF42240511ED8204215894082114D4A4 unknown /CN=server
V 281109182955Z B9BEBF692BF00C05E7C589E63A77D555 unknown /CN=client1
V 281109183009Z 2CB6E6C5C31195943D3340008CC46DA5 unknown /CN=client2
$> openssl crl -in auth/pki/crl.pem -text -noout"
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /CN=domain
Last Update: Nov 12 18:30:10 2018 GMT
Next Update: Nov 9 18:30:10 2028 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:AC:22:23:B8:0F:02:5C:A8:82:EF:C6:89:7B:62:E3:C8:81:8F:6B:AE
DirName:/CN=domain
serial:A0:23:32:51:DD:EF:C4:98
No Revoked Certificates.
Signature Algorithm: sha256WithRSAEncryption
06:1c:eb:ec:69:d9:3d:4d:d1:5d:ab:7a:99:17:5b:21:d6:f8:
a1:80:55:b0:63:45:4d:2c:52:3b:00:78:18:46:78:13:94:19:
31:c9:54:33:be:42:d4:e4:35:56:da:8b:4a:b1:ac:fd:5a:28:
94:9b:6d:33:fd:6c:76:db:8c:49:b4:5c:6e:28:38:41:87:dd:
37:ba:76:c2:aa:67:72:37:7d:0f:fa:35:a5:b2:04:fc:52:42:
e2:42:40:da:e4:2a:be:70:4c:d1:f9:c4:3e:77:d1:58:c6:a2:
55:61:d4:19:b8:d1:81:02:9a:6d:5c:7f:d2:e4:67:fc:70:3e:
42:4a:7e:e7:ee:c7:76:09:d2:68:f7:2b:6f:15:a8:66:09:9a:
8a:40:51:78:6b:9d:ce:65:4c:2d:85:b6:1f:b6:ab:50:d8:27:
e7:bd:9a:49:4a:91:6d:94:26:73:69:b7:3d:29:b0:a9:7d:0b:
1e:eb:3b:73:7e:a5:c7:50:49:46:2d:72:bc:a3:d2:20:26:98:
22:f4:f1:10:98:62:46:1c:cd:fc:73:2f:78:80:14:c8:24:38:
7c:b6:1a:17:27:9d:62:64:f0:b2:35:82:c4:b7:ab:ac:04:08:
e1:c2:b9:9e:58:7a:0e:4c:9d:6a:b7:9d:26:6a:29:f0:4f:88:
4e:77:fc:19
- After revoking configs for 2 clients:
$> cat auth/pki/index.txt
V 281109182216Z FF42240511ED8204215894082114D4A4 unknown /CN=server
R 281109182955Z 181112183024Z B9BEBF692BF00C05E7C589E63A77D555 unknown /CN=client1
R 281109183009Z 181112183027Z 2CB6E6C5C31195943D3340008CC46DA5 unknown /CN=client2
$> openssl crl -in auth/pki/crl.pem -text -noout"
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /CN=domain
Last Update: Nov 12 18:30:27 2018 GMT
Next Update: Nov 9 18:30:27 2028 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:AC:22:23:B8:0F:02:5C:A8:82:EF:C6:89:7B:62:E3:C8:81:8F:6B:AE
DirName:/CN=domain
serial:A0:23:32:51:DD:EF:C4:98
Revoked Certificates:
Serial Number: 2CB6E6C5C31195943D3340008CC46DA5
Revocation Date: Nov 12 18:30:27 2018 GMT
Serial Number: B9BEBF692BF00C05E7C589E63A77D555
Revocation Date: Nov 12 18:30:24 2018 GMT
Signature Algorithm: sha256WithRSAEncryption
70:6d:f8:fc:84:32:3c:bf:f0:a1:63:e8:2b:94:0d:01:46:71:
95:60:73:02:f5:d4:a4:48:cb:58:7b:8a:8c:b0:4c:27:23:81:
eb:c0:99:a2:a8:89:16:76:87:28:0d:82:cc:a2:7a:de:28:8f:
77:08:66:46:59:a3:07:7d:a6:0b:1b:75:d4:9f:5b:5f:75:cc:
eb:1c:f7:22:90:a5:59:f8:29:01:5c:1c:5f:9e:77:9a:67:50:
a0:5d:15:af:da:20:73:ae:40:1f:fd:e3:af:27:6e:f6:5c:6a:
1f:d0:85:a8:92:02:1b:d6:77:7c:bc:66:ae:3c:ff:cf:70:17:
50:12:a7:df:a0:a9:f7:b9:df:11:4a:3c:1e:16:75:01:9c:ef:
22:9f:3d:40:85:ba:78:d0:fa:14:9a:22:77:b0:d6:69:25:7d:
98:68:f2:89:b7:63:5a:f1:f1:76:b5:cd:a0:7c:7a:e9:e2:4d:
25:07:0e:7c:1e:c3:dd:ec:9a:e2:32:9d:ff:f4:af:38:50:98:
a0:de:5d:5f:22:0d:8e:f5:c1:90:e3:ea:b2:1c:11:83:93:d4:
12:c7:7f:52:0d:c2:9b:d7:27:73:ee:8f:53:89:02:18:68:b3:
88:49:3c:9a:28:9d:2f:47:c8:1a:bf:17:f6:a6:21:33:85:86:
8e:64:6a:57
- After re-issuing configs for 2 clients:
$> cat auth/pki/index.txt
V 281109182216Z FF42240511ED8204215894082114D4A4 unknown /CN=server
R 281109182955Z 181112183024Z B9BEBF692BF00C05E7C589E63A77D555 unknown /CN=client1
R 281109183009Z 181112183027Z 2CB6E6C5C31195943D3340008CC46DA5 unknown /CN=client2
V 281109183048Z C195D111FDC160DBFABD37A74C7DA816 unknown /CN=client1
V 281109183057Z 45AFBA1724B26E1B127091B9EC5E782B unknown /CN=client2
$> openssl crl -in auth/pki/crl.pem -text -noout"
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /CN=domain
Last Update: Nov 12 18:30:57 2018 GMT
Next Update: Nov 9 18:30:57 2028 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:AC:22:23:B8:0F:02:5C:A8:82:EF:C6:89:7B:62:E3:C8:81:8F:6B:AE
DirName:/CN=domain
serial:A0:23:32:51:DD:EF:C4:98
Revoked Certificates:
Serial Number: 2CB6E6C5C31195943D3340008CC46DA5
Revocation Date: Nov 12 18:30:27 2018 GMT
Serial Number: B9BEBF692BF00C05E7C589E63A77D555
Revocation Date: Nov 12 18:30:24 2018 GMT
Signature Algorithm: sha256WithRSAEncryption
73:2d:5b:ea:22:4b:0b:30:37:05:24:10:bd:0f:d5:c6:14:4d:
b0:40:9b:20:7c:3c:03:20:79:f8:74:ad:4b:bf:6d:bc:f0:c6:
25:c2:a4:7a:d0:c8:5c:8b:34:4a:97:38:36:0c:74:75:50:d6:
f3:0b:ca:f1:39:1e:ee:8f:12:9b:ed:d7:35:eb:d6:1d:80:25:
1e:2e:a5:2b:f0:ef:a4:5e:c5:b6:39:33:9a:27:17:80:7c:f1:
d0:c4:f9:de:47:52:70:bb:59:e1:d2:f8:74:11:9e:a8:8c:29:
8a:54:ab:ee:b5:1d:ad:b9:ab:e3:2a:98:21:74:55:93:db:2f:
e5:43:21:52:a1:a1:11:23:4a:7c:9b:30:52:8c:7e:16:51:4d:
bb:e1:5e:23:6f:e7:f5:c9:90:fc:7e:06:79:86:64:7d:32:c0:
43:22:8c:8c:f4:b5:97:bb:3a:25:a3:f3:77:36:17:4b:98:6d:
d7:35:b5:c0:fa:88:bc:68:5c:a8:2d:8f:ca:93:e9:86:e8:b3:
2c:31:55:c4:06:4c:2c:69:e7:5f:20:26:bd:82:90:89:8a:d0:
8e:d8:2e:d2:b3:d8:0a:fa:97:3e:2c:fd:42:39:e4:bb:5e:51:
ef:02:c2:72:5b:a6:99:8f:2c:9d:8c:db:66:22:1c:3d:4e:43:
1c:d2:2a:ec
Observations
- This looks like a bug in either EasyRSA or OpenVPN. Clearly, the DB (index.txt) indicates that the new certificates after revoke have different serial numbers. Am I missing something here?
openvpn
add a comment |
up vote
0
down vote
favorite
The problem
I am running an OpenVPN 2.4.4 server using EasyRSA 3 on Ubuntu 18.04. Occasionally, the server IP changes and I need to re-deploy client.ovpn files to clients to reflect that change. In the past, on Ubuntu 16.04, I used EasyRSA 2 to revoke the certificates, then re-issue certificates and client.ovpn files with no problem.
Now, after I revoke, I cannot re-issue to clients because OpenVPN fails the TLS handshake. My workaround is to completely rebuild the CA and re-initialize the OpenVPN server. I would like to target individual clients on a priority basis rather than 'shotgunning' all the clients at once.
OK here's some specifics:
I can provide logs, config files, etc. if that helps. Let me know what you need to help with the answer.
- I use a VM solely for building client/server certificates and ancillary files. When I am done issuing certificates, I can shut down the VM to avoid outside intrusions.
- I used the instructions on Digital Ocean as a guide. It should no be a problem that I have the CA and the requestor PKIs on the same machine (which is separate from the OpenVPN server machine).
- I created two PKI hierarchies on that VM: One is the CA and the other is devoted to creating cert requests plus issuing client.ovpn files. The two hierarchies are completely independent.
- I can successfully create all the required artifacts and create a connection with OpenVPN.
- I can successfully revoke clients so they cannot connect to the OpenVPN server.
- I use the easyrsa script to 'update-db' and 'create-crl'.
- I deploy crl.pem to the OpenVPN server and restart each time there is an update or revocation.
Here are CRL and text db contents:
- Upon initialization of server
$> cat auth/pki/index.txt
V 281109182216Z FF42240511ED8204215894082114D4A4 unknown /CN=server
$> openssl crl -in auth/pki/crl.pem -text -noout"
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /CN=domain
Last Update: Nov 12 18:28:17 2018 GMT
Next Update: Nov 9 18:28:17 2028 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:AC:22:23:B8:0F:02:5C:A8:82:EF:C6:89:7B:62:E3:C8:81:8F:6B:AE
DirName:/CN=domain
serial:A0:23:32:51:DD:EF:C4:98
No Revoked Certificates.
Signature Algorithm: sha256WithRSAEncryption
76:fd:69:a3:0f:84:e6:ca:5b:5e:ce:53:ad:63:42:ea:ea:99:
e2:71:5b:9b:b7:68:91:fa:09:4c:4a:3a:22:95:dd:ee:08:76:
99:9d:19:e0:97:10:05:9c:6b:e0:65:8a:03:78:21:e3:a0:02:
70:62:f2:ab:a3:75:f8:6a:7f:b0:1d:65:16:34:49:a8:9e:aa:
ff:56:73:65:b9:60:05:57:84:c3:52:b7:ae:da:0f:1a:c3:9a:
a4:0b:69:95:15:70:ac:63:9e:73:4b:1d:35:4d:98:08:70:55:
5b:a9:bf:9e:43:17:bf:1f:8b:59:3c:ad:cf:3e:0c:5e:d1:7d:
42:58:52:f5:2e:b3:03:62:37:9f:e6:a9:53:f6:f3:7e:f5:58:
5c:3f:fa:f7:e4:ce:67:75:e7:4d:bf:d2:b4:18:58:db:59:1d:
80:f9:81:c9:e9:ea:a0:e1:9e:96:a5:c7:dc:89:67:66:b3:05:
7a:49:92:0a:53:30:c4:b0:7f:04:7b:b8:5f:67:c3:56:7c:96:
e1:8b:38:ce:3c:cb:95:46:f1:2e:01:20:71:58:f9:02:22:2c:
d1:07:6f:fc:fa:e4:ab:a9:7c:bf:87:4a:51:e8:71:50:55:0b:
04:81:25:d3:33:fb:4c:a3:a4:e0:44:ca:91:05:d2:fd:91:8b:
a3:95:41:69
- After issuing configs for 2 clients:
$> cat auth/pki/index.txt
V 281109182216Z FF42240511ED8204215894082114D4A4 unknown /CN=server
V 281109182955Z B9BEBF692BF00C05E7C589E63A77D555 unknown /CN=client1
V 281109183009Z 2CB6E6C5C31195943D3340008CC46DA5 unknown /CN=client2
$> openssl crl -in auth/pki/crl.pem -text -noout"
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /CN=domain
Last Update: Nov 12 18:30:10 2018 GMT
Next Update: Nov 9 18:30:10 2028 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:AC:22:23:B8:0F:02:5C:A8:82:EF:C6:89:7B:62:E3:C8:81:8F:6B:AE
DirName:/CN=domain
serial:A0:23:32:51:DD:EF:C4:98
No Revoked Certificates.
Signature Algorithm: sha256WithRSAEncryption
06:1c:eb:ec:69:d9:3d:4d:d1:5d:ab:7a:99:17:5b:21:d6:f8:
a1:80:55:b0:63:45:4d:2c:52:3b:00:78:18:46:78:13:94:19:
31:c9:54:33:be:42:d4:e4:35:56:da:8b:4a:b1:ac:fd:5a:28:
94:9b:6d:33:fd:6c:76:db:8c:49:b4:5c:6e:28:38:41:87:dd:
37:ba:76:c2:aa:67:72:37:7d:0f:fa:35:a5:b2:04:fc:52:42:
e2:42:40:da:e4:2a:be:70:4c:d1:f9:c4:3e:77:d1:58:c6:a2:
55:61:d4:19:b8:d1:81:02:9a:6d:5c:7f:d2:e4:67:fc:70:3e:
42:4a:7e:e7:ee:c7:76:09:d2:68:f7:2b:6f:15:a8:66:09:9a:
8a:40:51:78:6b:9d:ce:65:4c:2d:85:b6:1f:b6:ab:50:d8:27:
e7:bd:9a:49:4a:91:6d:94:26:73:69:b7:3d:29:b0:a9:7d:0b:
1e:eb:3b:73:7e:a5:c7:50:49:46:2d:72:bc:a3:d2:20:26:98:
22:f4:f1:10:98:62:46:1c:cd:fc:73:2f:78:80:14:c8:24:38:
7c:b6:1a:17:27:9d:62:64:f0:b2:35:82:c4:b7:ab:ac:04:08:
e1:c2:b9:9e:58:7a:0e:4c:9d:6a:b7:9d:26:6a:29:f0:4f:88:
4e:77:fc:19
- After revoking configs for 2 clients:
$> cat auth/pki/index.txt
V 281109182216Z FF42240511ED8204215894082114D4A4 unknown /CN=server
R 281109182955Z 181112183024Z B9BEBF692BF00C05E7C589E63A77D555 unknown /CN=client1
R 281109183009Z 181112183027Z 2CB6E6C5C31195943D3340008CC46DA5 unknown /CN=client2
$> openssl crl -in auth/pki/crl.pem -text -noout"
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /CN=domain
Last Update: Nov 12 18:30:27 2018 GMT
Next Update: Nov 9 18:30:27 2028 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:AC:22:23:B8:0F:02:5C:A8:82:EF:C6:89:7B:62:E3:C8:81:8F:6B:AE
DirName:/CN=domain
serial:A0:23:32:51:DD:EF:C4:98
Revoked Certificates:
Serial Number: 2CB6E6C5C31195943D3340008CC46DA5
Revocation Date: Nov 12 18:30:27 2018 GMT
Serial Number: B9BEBF692BF00C05E7C589E63A77D555
Revocation Date: Nov 12 18:30:24 2018 GMT
Signature Algorithm: sha256WithRSAEncryption
70:6d:f8:fc:84:32:3c:bf:f0:a1:63:e8:2b:94:0d:01:46:71:
95:60:73:02:f5:d4:a4:48:cb:58:7b:8a:8c:b0:4c:27:23:81:
eb:c0:99:a2:a8:89:16:76:87:28:0d:82:cc:a2:7a:de:28:8f:
77:08:66:46:59:a3:07:7d:a6:0b:1b:75:d4:9f:5b:5f:75:cc:
eb:1c:f7:22:90:a5:59:f8:29:01:5c:1c:5f:9e:77:9a:67:50:
a0:5d:15:af:da:20:73:ae:40:1f:fd:e3:af:27:6e:f6:5c:6a:
1f:d0:85:a8:92:02:1b:d6:77:7c:bc:66:ae:3c:ff:cf:70:17:
50:12:a7:df:a0:a9:f7:b9:df:11:4a:3c:1e:16:75:01:9c:ef:
22:9f:3d:40:85:ba:78:d0:fa:14:9a:22:77:b0:d6:69:25:7d:
98:68:f2:89:b7:63:5a:f1:f1:76:b5:cd:a0:7c:7a:e9:e2:4d:
25:07:0e:7c:1e:c3:dd:ec:9a:e2:32:9d:ff:f4:af:38:50:98:
a0:de:5d:5f:22:0d:8e:f5:c1:90:e3:ea:b2:1c:11:83:93:d4:
12:c7:7f:52:0d:c2:9b:d7:27:73:ee:8f:53:89:02:18:68:b3:
88:49:3c:9a:28:9d:2f:47:c8:1a:bf:17:f6:a6:21:33:85:86:
8e:64:6a:57
- After re-issuing configs for 2 clients:
$> cat auth/pki/index.txt
V 281109182216Z FF42240511ED8204215894082114D4A4 unknown /CN=server
R 281109182955Z 181112183024Z B9BEBF692BF00C05E7C589E63A77D555 unknown /CN=client1
R 281109183009Z 181112183027Z 2CB6E6C5C31195943D3340008CC46DA5 unknown /CN=client2
V 281109183048Z C195D111FDC160DBFABD37A74C7DA816 unknown /CN=client1
V 281109183057Z 45AFBA1724B26E1B127091B9EC5E782B unknown /CN=client2
$> openssl crl -in auth/pki/crl.pem -text -noout"
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /CN=domain
Last Update: Nov 12 18:30:57 2018 GMT
Next Update: Nov 9 18:30:57 2028 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:AC:22:23:B8:0F:02:5C:A8:82:EF:C6:89:7B:62:E3:C8:81:8F:6B:AE
DirName:/CN=domain
serial:A0:23:32:51:DD:EF:C4:98
Revoked Certificates:
Serial Number: 2CB6E6C5C31195943D3340008CC46DA5
Revocation Date: Nov 12 18:30:27 2018 GMT
Serial Number: B9BEBF692BF00C05E7C589E63A77D555
Revocation Date: Nov 12 18:30:24 2018 GMT
Signature Algorithm: sha256WithRSAEncryption
73:2d:5b:ea:22:4b:0b:30:37:05:24:10:bd:0f:d5:c6:14:4d:
b0:40:9b:20:7c:3c:03:20:79:f8:74:ad:4b:bf:6d:bc:f0:c6:
25:c2:a4:7a:d0:c8:5c:8b:34:4a:97:38:36:0c:74:75:50:d6:
f3:0b:ca:f1:39:1e:ee:8f:12:9b:ed:d7:35:eb:d6:1d:80:25:
1e:2e:a5:2b:f0:ef:a4:5e:c5:b6:39:33:9a:27:17:80:7c:f1:
d0:c4:f9:de:47:52:70:bb:59:e1:d2:f8:74:11:9e:a8:8c:29:
8a:54:ab:ee:b5:1d:ad:b9:ab:e3:2a:98:21:74:55:93:db:2f:
e5:43:21:52:a1:a1:11:23:4a:7c:9b:30:52:8c:7e:16:51:4d:
bb:e1:5e:23:6f:e7:f5:c9:90:fc:7e:06:79:86:64:7d:32:c0:
43:22:8c:8c:f4:b5:97:bb:3a:25:a3:f3:77:36:17:4b:98:6d:
d7:35:b5:c0:fa:88:bc:68:5c:a8:2d:8f:ca:93:e9:86:e8:b3:
2c:31:55:c4:06:4c:2c:69:e7:5f:20:26:bd:82:90:89:8a:d0:
8e:d8:2e:d2:b3:d8:0a:fa:97:3e:2c:fd:42:39:e4:bb:5e:51:
ef:02:c2:72:5b:a6:99:8f:2c:9d:8c:db:66:22:1c:3d:4e:43:
1c:d2:2a:ec
Observations
- This looks like a bug in either EasyRSA or OpenVPN. Clearly, the DB (index.txt) indicates that the new certificates after revoke have different serial numbers. Am I missing something here?
openvpn
add a comment |
up vote
0
down vote
favorite
up vote
0
down vote
favorite
The problem
I am running an OpenVPN 2.4.4 server using EasyRSA 3 on Ubuntu 18.04. Occasionally, the server IP changes and I need to re-deploy client.ovpn files to clients to reflect that change. In the past, on Ubuntu 16.04, I used EasyRSA 2 to revoke the certificates, then re-issue certificates and client.ovpn files with no problem.
Now, after I revoke, I cannot re-issue to clients because OpenVPN fails the TLS handshake. My workaround is to completely rebuild the CA and re-initialize the OpenVPN server. I would like to target individual clients on a priority basis rather than 'shotgunning' all the clients at once.
OK here's some specifics:
I can provide logs, config files, etc. if that helps. Let me know what you need to help with the answer.
- I use a VM solely for building client/server certificates and ancillary files. When I am done issuing certificates, I can shut down the VM to avoid outside intrusions.
- I used the instructions on Digital Ocean as a guide. It should no be a problem that I have the CA and the requestor PKIs on the same machine (which is separate from the OpenVPN server machine).
- I created two PKI hierarchies on that VM: One is the CA and the other is devoted to creating cert requests plus issuing client.ovpn files. The two hierarchies are completely independent.
- I can successfully create all the required artifacts and create a connection with OpenVPN.
- I can successfully revoke clients so they cannot connect to the OpenVPN server.
- I use the easyrsa script to 'update-db' and 'create-crl'.
- I deploy crl.pem to the OpenVPN server and restart each time there is an update or revocation.
Here are CRL and text db contents:
- Upon initialization of server
$> cat auth/pki/index.txt
V 281109182216Z FF42240511ED8204215894082114D4A4 unknown /CN=server
$> openssl crl -in auth/pki/crl.pem -text -noout"
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /CN=domain
Last Update: Nov 12 18:28:17 2018 GMT
Next Update: Nov 9 18:28:17 2028 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:AC:22:23:B8:0F:02:5C:A8:82:EF:C6:89:7B:62:E3:C8:81:8F:6B:AE
DirName:/CN=domain
serial:A0:23:32:51:DD:EF:C4:98
No Revoked Certificates.
Signature Algorithm: sha256WithRSAEncryption
76:fd:69:a3:0f:84:e6:ca:5b:5e:ce:53:ad:63:42:ea:ea:99:
e2:71:5b:9b:b7:68:91:fa:09:4c:4a:3a:22:95:dd:ee:08:76:
99:9d:19:e0:97:10:05:9c:6b:e0:65:8a:03:78:21:e3:a0:02:
70:62:f2:ab:a3:75:f8:6a:7f:b0:1d:65:16:34:49:a8:9e:aa:
ff:56:73:65:b9:60:05:57:84:c3:52:b7:ae:da:0f:1a:c3:9a:
a4:0b:69:95:15:70:ac:63:9e:73:4b:1d:35:4d:98:08:70:55:
5b:a9:bf:9e:43:17:bf:1f:8b:59:3c:ad:cf:3e:0c:5e:d1:7d:
42:58:52:f5:2e:b3:03:62:37:9f:e6:a9:53:f6:f3:7e:f5:58:
5c:3f:fa:f7:e4:ce:67:75:e7:4d:bf:d2:b4:18:58:db:59:1d:
80:f9:81:c9:e9:ea:a0:e1:9e:96:a5:c7:dc:89:67:66:b3:05:
7a:49:92:0a:53:30:c4:b0:7f:04:7b:b8:5f:67:c3:56:7c:96:
e1:8b:38:ce:3c:cb:95:46:f1:2e:01:20:71:58:f9:02:22:2c:
d1:07:6f:fc:fa:e4:ab:a9:7c:bf:87:4a:51:e8:71:50:55:0b:
04:81:25:d3:33:fb:4c:a3:a4:e0:44:ca:91:05:d2:fd:91:8b:
a3:95:41:69
- After issuing configs for 2 clients:
$> cat auth/pki/index.txt
V 281109182216Z FF42240511ED8204215894082114D4A4 unknown /CN=server
V 281109182955Z B9BEBF692BF00C05E7C589E63A77D555 unknown /CN=client1
V 281109183009Z 2CB6E6C5C31195943D3340008CC46DA5 unknown /CN=client2
$> openssl crl -in auth/pki/crl.pem -text -noout"
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /CN=domain
Last Update: Nov 12 18:30:10 2018 GMT
Next Update: Nov 9 18:30:10 2028 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:AC:22:23:B8:0F:02:5C:A8:82:EF:C6:89:7B:62:E3:C8:81:8F:6B:AE
DirName:/CN=domain
serial:A0:23:32:51:DD:EF:C4:98
No Revoked Certificates.
Signature Algorithm: sha256WithRSAEncryption
06:1c:eb:ec:69:d9:3d:4d:d1:5d:ab:7a:99:17:5b:21:d6:f8:
a1:80:55:b0:63:45:4d:2c:52:3b:00:78:18:46:78:13:94:19:
31:c9:54:33:be:42:d4:e4:35:56:da:8b:4a:b1:ac:fd:5a:28:
94:9b:6d:33:fd:6c:76:db:8c:49:b4:5c:6e:28:38:41:87:dd:
37:ba:76:c2:aa:67:72:37:7d:0f:fa:35:a5:b2:04:fc:52:42:
e2:42:40:da:e4:2a:be:70:4c:d1:f9:c4:3e:77:d1:58:c6:a2:
55:61:d4:19:b8:d1:81:02:9a:6d:5c:7f:d2:e4:67:fc:70:3e:
42:4a:7e:e7:ee:c7:76:09:d2:68:f7:2b:6f:15:a8:66:09:9a:
8a:40:51:78:6b:9d:ce:65:4c:2d:85:b6:1f:b6:ab:50:d8:27:
e7:bd:9a:49:4a:91:6d:94:26:73:69:b7:3d:29:b0:a9:7d:0b:
1e:eb:3b:73:7e:a5:c7:50:49:46:2d:72:bc:a3:d2:20:26:98:
22:f4:f1:10:98:62:46:1c:cd:fc:73:2f:78:80:14:c8:24:38:
7c:b6:1a:17:27:9d:62:64:f0:b2:35:82:c4:b7:ab:ac:04:08:
e1:c2:b9:9e:58:7a:0e:4c:9d:6a:b7:9d:26:6a:29:f0:4f:88:
4e:77:fc:19
- After revoking configs for 2 clients:
$> cat auth/pki/index.txt
V 281109182216Z FF42240511ED8204215894082114D4A4 unknown /CN=server
R 281109182955Z 181112183024Z B9BEBF692BF00C05E7C589E63A77D555 unknown /CN=client1
R 281109183009Z 181112183027Z 2CB6E6C5C31195943D3340008CC46DA5 unknown /CN=client2
$> openssl crl -in auth/pki/crl.pem -text -noout"
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /CN=domain
Last Update: Nov 12 18:30:27 2018 GMT
Next Update: Nov 9 18:30:27 2028 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:AC:22:23:B8:0F:02:5C:A8:82:EF:C6:89:7B:62:E3:C8:81:8F:6B:AE
DirName:/CN=domain
serial:A0:23:32:51:DD:EF:C4:98
Revoked Certificates:
Serial Number: 2CB6E6C5C31195943D3340008CC46DA5
Revocation Date: Nov 12 18:30:27 2018 GMT
Serial Number: B9BEBF692BF00C05E7C589E63A77D555
Revocation Date: Nov 12 18:30:24 2018 GMT
Signature Algorithm: sha256WithRSAEncryption
70:6d:f8:fc:84:32:3c:bf:f0:a1:63:e8:2b:94:0d:01:46:71:
95:60:73:02:f5:d4:a4:48:cb:58:7b:8a:8c:b0:4c:27:23:81:
eb:c0:99:a2:a8:89:16:76:87:28:0d:82:cc:a2:7a:de:28:8f:
77:08:66:46:59:a3:07:7d:a6:0b:1b:75:d4:9f:5b:5f:75:cc:
eb:1c:f7:22:90:a5:59:f8:29:01:5c:1c:5f:9e:77:9a:67:50:
a0:5d:15:af:da:20:73:ae:40:1f:fd:e3:af:27:6e:f6:5c:6a:
1f:d0:85:a8:92:02:1b:d6:77:7c:bc:66:ae:3c:ff:cf:70:17:
50:12:a7:df:a0:a9:f7:b9:df:11:4a:3c:1e:16:75:01:9c:ef:
22:9f:3d:40:85:ba:78:d0:fa:14:9a:22:77:b0:d6:69:25:7d:
98:68:f2:89:b7:63:5a:f1:f1:76:b5:cd:a0:7c:7a:e9:e2:4d:
25:07:0e:7c:1e:c3:dd:ec:9a:e2:32:9d:ff:f4:af:38:50:98:
a0:de:5d:5f:22:0d:8e:f5:c1:90:e3:ea:b2:1c:11:83:93:d4:
12:c7:7f:52:0d:c2:9b:d7:27:73:ee:8f:53:89:02:18:68:b3:
88:49:3c:9a:28:9d:2f:47:c8:1a:bf:17:f6:a6:21:33:85:86:
8e:64:6a:57
- After re-issuing configs for 2 clients:
$> cat auth/pki/index.txt
V 281109182216Z FF42240511ED8204215894082114D4A4 unknown /CN=server
R 281109182955Z 181112183024Z B9BEBF692BF00C05E7C589E63A77D555 unknown /CN=client1
R 281109183009Z 181112183027Z 2CB6E6C5C31195943D3340008CC46DA5 unknown /CN=client2
V 281109183048Z C195D111FDC160DBFABD37A74C7DA816 unknown /CN=client1
V 281109183057Z 45AFBA1724B26E1B127091B9EC5E782B unknown /CN=client2
$> openssl crl -in auth/pki/crl.pem -text -noout"
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /CN=domain
Last Update: Nov 12 18:30:57 2018 GMT
Next Update: Nov 9 18:30:57 2028 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:AC:22:23:B8:0F:02:5C:A8:82:EF:C6:89:7B:62:E3:C8:81:8F:6B:AE
DirName:/CN=domain
serial:A0:23:32:51:DD:EF:C4:98
Revoked Certificates:
Serial Number: 2CB6E6C5C31195943D3340008CC46DA5
Revocation Date: Nov 12 18:30:27 2018 GMT
Serial Number: B9BEBF692BF00C05E7C589E63A77D555
Revocation Date: Nov 12 18:30:24 2018 GMT
Signature Algorithm: sha256WithRSAEncryption
73:2d:5b:ea:22:4b:0b:30:37:05:24:10:bd:0f:d5:c6:14:4d:
b0:40:9b:20:7c:3c:03:20:79:f8:74:ad:4b:bf:6d:bc:f0:c6:
25:c2:a4:7a:d0:c8:5c:8b:34:4a:97:38:36:0c:74:75:50:d6:
f3:0b:ca:f1:39:1e:ee:8f:12:9b:ed:d7:35:eb:d6:1d:80:25:
1e:2e:a5:2b:f0:ef:a4:5e:c5:b6:39:33:9a:27:17:80:7c:f1:
d0:c4:f9:de:47:52:70:bb:59:e1:d2:f8:74:11:9e:a8:8c:29:
8a:54:ab:ee:b5:1d:ad:b9:ab:e3:2a:98:21:74:55:93:db:2f:
e5:43:21:52:a1:a1:11:23:4a:7c:9b:30:52:8c:7e:16:51:4d:
bb:e1:5e:23:6f:e7:f5:c9:90:fc:7e:06:79:86:64:7d:32:c0:
43:22:8c:8c:f4:b5:97:bb:3a:25:a3:f3:77:36:17:4b:98:6d:
d7:35:b5:c0:fa:88:bc:68:5c:a8:2d:8f:ca:93:e9:86:e8:b3:
2c:31:55:c4:06:4c:2c:69:e7:5f:20:26:bd:82:90:89:8a:d0:
8e:d8:2e:d2:b3:d8:0a:fa:97:3e:2c:fd:42:39:e4:bb:5e:51:
ef:02:c2:72:5b:a6:99:8f:2c:9d:8c:db:66:22:1c:3d:4e:43:
1c:d2:2a:ec
Observations
- This looks like a bug in either EasyRSA or OpenVPN. Clearly, the DB (index.txt) indicates that the new certificates after revoke have different serial numbers. Am I missing something here?
openvpn
The problem
I am running an OpenVPN 2.4.4 server using EasyRSA 3 on Ubuntu 18.04. Occasionally, the server IP changes and I need to re-deploy client.ovpn files to clients to reflect that change. In the past, on Ubuntu 16.04, I used EasyRSA 2 to revoke the certificates, then re-issue certificates and client.ovpn files with no problem.
Now, after I revoke, I cannot re-issue to clients because OpenVPN fails the TLS handshake. My workaround is to completely rebuild the CA and re-initialize the OpenVPN server. I would like to target individual clients on a priority basis rather than 'shotgunning' all the clients at once.
OK here's some specifics:
I can provide logs, config files, etc. if that helps. Let me know what you need to help with the answer.
- I use a VM solely for building client/server certificates and ancillary files. When I am done issuing certificates, I can shut down the VM to avoid outside intrusions.
- I used the instructions on Digital Ocean as a guide. It should no be a problem that I have the CA and the requestor PKIs on the same machine (which is separate from the OpenVPN server machine).
- I created two PKI hierarchies on that VM: One is the CA and the other is devoted to creating cert requests plus issuing client.ovpn files. The two hierarchies are completely independent.
- I can successfully create all the required artifacts and create a connection with OpenVPN.
- I can successfully revoke clients so they cannot connect to the OpenVPN server.
- I use the easyrsa script to 'update-db' and 'create-crl'.
- I deploy crl.pem to the OpenVPN server and restart each time there is an update or revocation.
Here are CRL and text db contents:
- Upon initialization of server
$> cat auth/pki/index.txt
V 281109182216Z FF42240511ED8204215894082114D4A4 unknown /CN=server
$> openssl crl -in auth/pki/crl.pem -text -noout"
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /CN=domain
Last Update: Nov 12 18:28:17 2018 GMT
Next Update: Nov 9 18:28:17 2028 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:AC:22:23:B8:0F:02:5C:A8:82:EF:C6:89:7B:62:E3:C8:81:8F:6B:AE
DirName:/CN=domain
serial:A0:23:32:51:DD:EF:C4:98
No Revoked Certificates.
Signature Algorithm: sha256WithRSAEncryption
76:fd:69:a3:0f:84:e6:ca:5b:5e:ce:53:ad:63:42:ea:ea:99:
e2:71:5b:9b:b7:68:91:fa:09:4c:4a:3a:22:95:dd:ee:08:76:
99:9d:19:e0:97:10:05:9c:6b:e0:65:8a:03:78:21:e3:a0:02:
70:62:f2:ab:a3:75:f8:6a:7f:b0:1d:65:16:34:49:a8:9e:aa:
ff:56:73:65:b9:60:05:57:84:c3:52:b7:ae:da:0f:1a:c3:9a:
a4:0b:69:95:15:70:ac:63:9e:73:4b:1d:35:4d:98:08:70:55:
5b:a9:bf:9e:43:17:bf:1f:8b:59:3c:ad:cf:3e:0c:5e:d1:7d:
42:58:52:f5:2e:b3:03:62:37:9f:e6:a9:53:f6:f3:7e:f5:58:
5c:3f:fa:f7:e4:ce:67:75:e7:4d:bf:d2:b4:18:58:db:59:1d:
80:f9:81:c9:e9:ea:a0:e1:9e:96:a5:c7:dc:89:67:66:b3:05:
7a:49:92:0a:53:30:c4:b0:7f:04:7b:b8:5f:67:c3:56:7c:96:
e1:8b:38:ce:3c:cb:95:46:f1:2e:01:20:71:58:f9:02:22:2c:
d1:07:6f:fc:fa:e4:ab:a9:7c:bf:87:4a:51:e8:71:50:55:0b:
04:81:25:d3:33:fb:4c:a3:a4:e0:44:ca:91:05:d2:fd:91:8b:
a3:95:41:69
- After issuing configs for 2 clients:
$> cat auth/pki/index.txt
V 281109182216Z FF42240511ED8204215894082114D4A4 unknown /CN=server
V 281109182955Z B9BEBF692BF00C05E7C589E63A77D555 unknown /CN=client1
V 281109183009Z 2CB6E6C5C31195943D3340008CC46DA5 unknown /CN=client2
$> openssl crl -in auth/pki/crl.pem -text -noout"
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /CN=domain
Last Update: Nov 12 18:30:10 2018 GMT
Next Update: Nov 9 18:30:10 2028 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:AC:22:23:B8:0F:02:5C:A8:82:EF:C6:89:7B:62:E3:C8:81:8F:6B:AE
DirName:/CN=domain
serial:A0:23:32:51:DD:EF:C4:98
No Revoked Certificates.
Signature Algorithm: sha256WithRSAEncryption
06:1c:eb:ec:69:d9:3d:4d:d1:5d:ab:7a:99:17:5b:21:d6:f8:
a1:80:55:b0:63:45:4d:2c:52:3b:00:78:18:46:78:13:94:19:
31:c9:54:33:be:42:d4:e4:35:56:da:8b:4a:b1:ac:fd:5a:28:
94:9b:6d:33:fd:6c:76:db:8c:49:b4:5c:6e:28:38:41:87:dd:
37:ba:76:c2:aa:67:72:37:7d:0f:fa:35:a5:b2:04:fc:52:42:
e2:42:40:da:e4:2a:be:70:4c:d1:f9:c4:3e:77:d1:58:c6:a2:
55:61:d4:19:b8:d1:81:02:9a:6d:5c:7f:d2:e4:67:fc:70:3e:
42:4a:7e:e7:ee:c7:76:09:d2:68:f7:2b:6f:15:a8:66:09:9a:
8a:40:51:78:6b:9d:ce:65:4c:2d:85:b6:1f:b6:ab:50:d8:27:
e7:bd:9a:49:4a:91:6d:94:26:73:69:b7:3d:29:b0:a9:7d:0b:
1e:eb:3b:73:7e:a5:c7:50:49:46:2d:72:bc:a3:d2:20:26:98:
22:f4:f1:10:98:62:46:1c:cd:fc:73:2f:78:80:14:c8:24:38:
7c:b6:1a:17:27:9d:62:64:f0:b2:35:82:c4:b7:ab:ac:04:08:
e1:c2:b9:9e:58:7a:0e:4c:9d:6a:b7:9d:26:6a:29:f0:4f:88:
4e:77:fc:19
- After revoking configs for 2 clients:
$> cat auth/pki/index.txt
V 281109182216Z FF42240511ED8204215894082114D4A4 unknown /CN=server
R 281109182955Z 181112183024Z B9BEBF692BF00C05E7C589E63A77D555 unknown /CN=client1
R 281109183009Z 181112183027Z 2CB6E6C5C31195943D3340008CC46DA5 unknown /CN=client2
$> openssl crl -in auth/pki/crl.pem -text -noout"
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /CN=domain
Last Update: Nov 12 18:30:27 2018 GMT
Next Update: Nov 9 18:30:27 2028 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:AC:22:23:B8:0F:02:5C:A8:82:EF:C6:89:7B:62:E3:C8:81:8F:6B:AE
DirName:/CN=domain
serial:A0:23:32:51:DD:EF:C4:98
Revoked Certificates:
Serial Number: 2CB6E6C5C31195943D3340008CC46DA5
Revocation Date: Nov 12 18:30:27 2018 GMT
Serial Number: B9BEBF692BF00C05E7C589E63A77D555
Revocation Date: Nov 12 18:30:24 2018 GMT
Signature Algorithm: sha256WithRSAEncryption
70:6d:f8:fc:84:32:3c:bf:f0:a1:63:e8:2b:94:0d:01:46:71:
95:60:73:02:f5:d4:a4:48:cb:58:7b:8a:8c:b0:4c:27:23:81:
eb:c0:99:a2:a8:89:16:76:87:28:0d:82:cc:a2:7a:de:28:8f:
77:08:66:46:59:a3:07:7d:a6:0b:1b:75:d4:9f:5b:5f:75:cc:
eb:1c:f7:22:90:a5:59:f8:29:01:5c:1c:5f:9e:77:9a:67:50:
a0:5d:15:af:da:20:73:ae:40:1f:fd:e3:af:27:6e:f6:5c:6a:
1f:d0:85:a8:92:02:1b:d6:77:7c:bc:66:ae:3c:ff:cf:70:17:
50:12:a7:df:a0:a9:f7:b9:df:11:4a:3c:1e:16:75:01:9c:ef:
22:9f:3d:40:85:ba:78:d0:fa:14:9a:22:77:b0:d6:69:25:7d:
98:68:f2:89:b7:63:5a:f1:f1:76:b5:cd:a0:7c:7a:e9:e2:4d:
25:07:0e:7c:1e:c3:dd:ec:9a:e2:32:9d:ff:f4:af:38:50:98:
a0:de:5d:5f:22:0d:8e:f5:c1:90:e3:ea:b2:1c:11:83:93:d4:
12:c7:7f:52:0d:c2:9b:d7:27:73:ee:8f:53:89:02:18:68:b3:
88:49:3c:9a:28:9d:2f:47:c8:1a:bf:17:f6:a6:21:33:85:86:
8e:64:6a:57
- After re-issuing configs for 2 clients:
$> cat auth/pki/index.txt
V 281109182216Z FF42240511ED8204215894082114D4A4 unknown /CN=server
R 281109182955Z 181112183024Z B9BEBF692BF00C05E7C589E63A77D555 unknown /CN=client1
R 281109183009Z 181112183027Z 2CB6E6C5C31195943D3340008CC46DA5 unknown /CN=client2
V 281109183048Z C195D111FDC160DBFABD37A74C7DA816 unknown /CN=client1
V 281109183057Z 45AFBA1724B26E1B127091B9EC5E782B unknown /CN=client2
$> openssl crl -in auth/pki/crl.pem -text -noout"
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /CN=domain
Last Update: Nov 12 18:30:57 2018 GMT
Next Update: Nov 9 18:30:57 2028 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:AC:22:23:B8:0F:02:5C:A8:82:EF:C6:89:7B:62:E3:C8:81:8F:6B:AE
DirName:/CN=domain
serial:A0:23:32:51:DD:EF:C4:98
Revoked Certificates:
Serial Number: 2CB6E6C5C31195943D3340008CC46DA5
Revocation Date: Nov 12 18:30:27 2018 GMT
Serial Number: B9BEBF692BF00C05E7C589E63A77D555
Revocation Date: Nov 12 18:30:24 2018 GMT
Signature Algorithm: sha256WithRSAEncryption
73:2d:5b:ea:22:4b:0b:30:37:05:24:10:bd:0f:d5:c6:14:4d:
b0:40:9b:20:7c:3c:03:20:79:f8:74:ad:4b:bf:6d:bc:f0:c6:
25:c2:a4:7a:d0:c8:5c:8b:34:4a:97:38:36:0c:74:75:50:d6:
f3:0b:ca:f1:39:1e:ee:8f:12:9b:ed:d7:35:eb:d6:1d:80:25:
1e:2e:a5:2b:f0:ef:a4:5e:c5:b6:39:33:9a:27:17:80:7c:f1:
d0:c4:f9:de:47:52:70:bb:59:e1:d2:f8:74:11:9e:a8:8c:29:
8a:54:ab:ee:b5:1d:ad:b9:ab:e3:2a:98:21:74:55:93:db:2f:
e5:43:21:52:a1:a1:11:23:4a:7c:9b:30:52:8c:7e:16:51:4d:
bb:e1:5e:23:6f:e7:f5:c9:90:fc:7e:06:79:86:64:7d:32:c0:
43:22:8c:8c:f4:b5:97:bb:3a:25:a3:f3:77:36:17:4b:98:6d:
d7:35:b5:c0:fa:88:bc:68:5c:a8:2d:8f:ca:93:e9:86:e8:b3:
2c:31:55:c4:06:4c:2c:69:e7:5f:20:26:bd:82:90:89:8a:d0:
8e:d8:2e:d2:b3:d8:0a:fa:97:3e:2c:fd:42:39:e4:bb:5e:51:
ef:02:c2:72:5b:a6:99:8f:2c:9d:8c:db:66:22:1c:3d:4e:43:
1c:d2:2a:ec
Observations
- This looks like a bug in either EasyRSA or OpenVPN. Clearly, the DB (index.txt) indicates that the new certificates after revoke have different serial numbers. Am I missing something here?
openvpn
openvpn
edited Nov 12 at 21:58
asked Nov 11 at 18:53
karlchilders
44
44
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
up vote
0
down vote
accepted
It turns out that the answer is to simply change the IP address in the .ovpn config file without issuing new certs.
However, it still remains that one cannot issue new certs after a revoke for the same client.
add a comment |
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
0
down vote
accepted
It turns out that the answer is to simply change the IP address in the .ovpn config file without issuing new certs.
However, it still remains that one cannot issue new certs after a revoke for the same client.
add a comment |
up vote
0
down vote
accepted
It turns out that the answer is to simply change the IP address in the .ovpn config file without issuing new certs.
However, it still remains that one cannot issue new certs after a revoke for the same client.
add a comment |
up vote
0
down vote
accepted
up vote
0
down vote
accepted
It turns out that the answer is to simply change the IP address in the .ovpn config file without issuing new certs.
However, it still remains that one cannot issue new certs after a revoke for the same client.
It turns out that the answer is to simply change the IP address in the .ovpn config file without issuing new certs.
However, it still remains that one cannot issue new certs after a revoke for the same client.
answered Nov 19 at 17:36
karlchilders
44
44
add a comment |
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53252059%2fwhy-does-re-issue-of-easyrsa-3-certificate-after-revoke-for-openvpn-fail%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown