The user was temporarily granted remote access using OpenVPN. After the work was done, the user's keys were moved to the /etc/openvpn/easy-rsa/keys/revoked folder. Later the user needed access again, and these keys (.crt, .csr, .key) were moved to /etc/openvpn/easy-rsa/keys/ and /etc/openvpn/ccd.

But the server-side logs (Ubuntu) keep reporting that the key is revoked:

 Mon Aug 1 16:30:40 2016 MULTI: multi_create_instance called
 Mon Aug 1 16:30:40 2016 79.79.79.13:52015 Re-using SSL/TLS context
 Mon Aug 1 16:30:40 2016 79.79.79.13:52015 LZO compression initialized
 Mon Aug 1 16:30:40 2016 79.79.79.13:52015 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
 Mon Aug 1 16:30:40 2016 79.79.79.13:52015 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
 Mon Aug 1 16:30:40 2016 79.79.79.13:52015 Local Options hash (VER=V4): '360696c5'
 Mon Aug 1 16:30:40 2016 79.79.79.13:52015 Expected Remote Options hash (VER=V4): '13a273ba'
 Mon Aug 1 16:30:40 2016 79.79.79.13:52015 TLS: Initial packet from [AF_INET]79.79.79.13:52015, sid=1f1bca19 a8c61716
 Mon Aug 1 16:30:40 2016 79.79.79.13:52015 CRL CHECK OK: /C=RU/ST=77/L=Moscow/O=COMPANY/CN=COMPANY_CA/emailAddress=it@COMPANY.ru
 Mon Aug 1 16:30:40 2016 79.79.79.13:52015 VERIFY OK: depth=1, /C=RU/ST=77/L=Moscow/O=COMPANY/CN=COMPANY_CA/emailAddress=it@COMPANY.ru
 Mon Aug 1 16:30:40 2016 79.79.79.13:52015 CRL CHECK FAILED: /C=RU/ST=77/L=Moscow/O=COMPANY/CN=vpn-mks/emailAddress=it@COMPANY.ru is REVOKED
 Mon Aug 1 16:30:40 2016 79.79.79.13:52015 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
 Mon Aug 1 16:30:40 2016 79.79.79.13:52015 TLS Error: TLS object -> incoming plaintext read error
 Mon Aug 1 16:30:40 2016 79.79.79.13:52015 TLS Error: TLS handshake failed
 Mon Aug 1 16:30:40 2016 79.79.79.13:52015 SIGUSR1[soft,tls-error] received, client-instance restarting

On the client side (Windows 7) logs:

 Mon Aug 01 17:31:33 2016 OpenVPN 2.3.11 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on May 10 2016
 Mon Aug 01 17:31:33 2016 Windows version 6.1 (Windows 7) 32bit
 Mon Aug 01 17:31:33 2016 library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.09
 Enter Management Password:
 Mon Aug 01 17:31:33 2016 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
 Mon Aug 01 17:31:33 2016 Need hold release from management interface, waiting...
 Mon Aug 01 17:31:34 2016 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
 Mon Aug 01 17:31:34 2016 MANAGEMENT: CMD 'state on'
 Mon Aug 01 17:31:34 2016 MANAGEMENT: CMD 'log all on'
 Mon Aug 01 17:31:34 2016 MANAGEMENT: CMD 'hold off'
 Mon Aug 01 17:31:34 2016 MANAGEMENT: CMD 'hold release'
 Mon Aug 01 17:31:34 2016 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
 Mon Aug 01 17:31:34 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
 Mon Aug 01 17:31:34 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
 Mon Aug 01 17:31:34 2016 Socket Buffers: R=[8192->8192] S=[8192->8192]
 Mon Aug 01 17:31:34 2016 MANAGEMENT: >STATE:1470058294,RESOLVE,,,
 Mon Aug 01 17:31:34 2016 UDPv4 link local: [undef]
 Mon Aug 01 17:31:34 2016 UDPv4 link remote: [AF_INET]79.1.1.1:1194
 Mon Aug 01 17:31:34 2016 MANAGEMENT: >STATE:1470058294,WAIT,,,
 Mon Aug 01 17:31:34 2016 MANAGEMENT: >STATE:1470058294,AUTH,,,
 Mon Aug 01 17:31:34 2016 TLS: Initial packet from [AF_INET]79.1.1.1:1194, sid=d57d0f42 29d70bb7
 Mon Aug 01 17:31:34 2016 VERIFY OK: depth=1, C=RU, ST=77, L=Moscow, O=COMPANY, CN=COMPANY CA, emailAddress=it@COMPANY.ru
 Mon Aug 01 17:31:34 2016 VERIFY OK: nsCertType=SERVER
 Mon Aug 01 17:31:34 2016 VERIFY OK: depth=0, C=RU, ST=77, L=Moscow, O=COMPANY, CN=server, emailAddress=it@COMPANY.ru
 Mon Aug 01 17:32:34 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
 Mon Aug 01 17:32:34 2016 TLS Error: TLS handshake failed
 Mon Aug 01 17:32:34 2016 SIGUSR1[soft,tls-error] received, process restarting
 Mon Aug 01 17:32:34 2016 MANAGEMENT: >STATE:1470058354,RECONNECTING,tls-error,,
 Mon Aug 01 17:32:34 2016 Restart pause, 2 second(s)

What could be the problem?

  • @alexanderbarakin thanks. It worked. - 1d0
  • 1d0, please write the answer, so that the information is useful to someone else. Or delete the question. - aleksandr barakin
  • @alexanderbarakin Of course, I already wrote it. - 1d0

1 answer

I'll do a How-to in Russian after all.

In general, as I understand it, this practice is not quite correct: in 99.9% of cases you need to reissue the keys. But if there are problems with reissuing the keys, it can be done as follows.

1) The folder with the certificates (for example /etc/openvpn/easy-rsa/keys/) must contain the index.txt file, which stores the list of certificates. The CRL (certificate revocation list) is generated from this file.

2) In this file, find the line for the certificate that should be restored.

In the first column, revoked certificates have status R and valid certificates have status V. Accordingly, change the status of the revoked certificate to V and delete the third column, which has the form 160510070838Z (this is the certificate's revocation date).

3) Now we need to regenerate the CRL based on our new index.txt file.

CRL regeneration script, created from the revoke-full script:

 #!/bin/bash
 # Regenerate the CRL from the current index.txt (revoke-full from easy-rsa,
 # with the "openssl ca -revoke" step removed).
 CRL="crl.pem"
 RT="revoke-test.pem"

 if [ "$KEY_DIR" ]; then
     cd "$KEY_DIR" || exit 1
     rm -f "$RT"

     # set defaults
     export KEY_CN=""
     export KEY_OU=""
     export KEY_NAME=""

     # generate a new CRL -- try to be compatible with
     # intermediate PKIs
     $OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG"

     # CA certificate plus CRL, the bundle revoke-full feeds to "openssl verify"
     if [ -e export-ca.crt ]; then
         cat export-ca.crt "$CRL" >"$RT"
     else
         cat ca.crt "$CRL" >"$RT"
     fi
 else
     echo 'Please source the vars script first (ie "source ./vars")'
     echo 'Make sure you have edited it to reflect your configuration.'
 fi

Save this script (for example, ./crl-regen).

4) Load the variables

 root@server:/etc/openvpn/easy-rsa# . ./vars 

5) Run this script.

 root@server:/etc/openvpn/easy-rsa# sh crl-regen

Done!
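Steps 2 and 3 of the answer as one POSIX shell script, added here as an example; it is not code from the answer above and not easy-rsa's own code. It flips the index.txt entry for a given CN from R to V by exact CN match (so a CN like vpn-mks does not also un-revoke vpn-mks2), blanks the revocation-date field, keeps a backup, and regenerates the CRL. The sample index.txt, the CNs vpn-mks and vpn-mks2 and the serials are constructed; KEY_DIR, KEY_CONFIG and OPENSSL are assumed to come from easy-rsa 2's `source ./vars`, as in the answer. One caveat the answer does not spell out: `openssl ca` requires exactly six tab-separated fields on every index.txt line, so the third column must be emptied (two adjacent tabs), not removed, or the next `openssl ca` call fails with a "wrong number of fields" error.

```sh
#!/bin/sh
# Added example, not code from the original answer or from easy-rsa.
# Un-revokes one entry in an OpenSSL "ca" database (easy-rsa's index.txt) by
# exact CN match, then regenerates the CRL the way the answer's step 3 does.
# Assumed: easy-rsa 2 layout, with KEY_DIR, KEY_CONFIG and OPENSSL exported by
# "source ./vars". All CNs, serials and file contents below are constructed.

# index.txt line format (tab-separated, exactly six fields):
#   status  expiry  revocation-date  serial  filename  subject
# status is V (valid), R (revoked) or E (expired); revocation-date is empty
# unless status is R. awk helper shared by the functions below: true if the
# subject DN has a component exactly equal to CN=<cn>.
AWK_HAS_CN='
function has_cn(subject, cn,   n, i, p) {
    n = split(subject, p, "/")
    for (i = 1; i <= n; i++) if (p[i] == "CN=" cn) return 1
    return 0
}'

# cert_status INDEX CN: prints the status letter of the first entry for CN.
cert_status() {
    awk -F '\t' -v cn="$2" "$AWK_HAS_CN"'
        has_cn($6, cn) { print $1; exit }
    ' "$1"
}

# unrevoke_cn INDEX CN: rewrite INDEX in place, turning every R line for CN
# into V with an *empty* third field. The field is blanked, not deleted:
# openssl ca rejects lines that do not have six fields. Returns 1 and leaves
# INDEX untouched if no line matched.
unrevoke_cn() {
    db=$1
    tmp="$db.tmp.$$"
    if awk -F '\t' -v OFS='\t' -v cn="$2" "$AWK_HAS_CN"'
            $1 == "R" && has_cn($6, cn) { $1 = "V"; $3 = ""; changed++ }
            { print }
            END { if (changed > 0) exit 0; exit 1 }
        ' "$db" > "$tmp"; then
        cp "$db" "$db.old"          # keep a backup, as easy-rsa itself does
        mv "$tmp" "$db"
    else
        rm -f "$tmp"
        return 1
    fi
}

# regen_crl: the answer's step 3. Needs "source ./vars" first. Afterwards it
# lists the serials still present in the CRL; the un-revoked one must be gone.
regen_crl() {
    [ -n "$KEY_DIR" ] || { echo 'source ./vars first' >&2; return 1; }
    o=${OPENSSL:-openssl}
    ( cd "$KEY_DIR" || exit 1
      "$o" ca -gencrl -out crl.pem -config "$KEY_CONFIG" || exit 1
      "$o" crl -in crl.pem -noout -text | grep 'Serial Number' || true )
}

# make_sample_index FILE: constructed index.txt with one valid server cert and
# two revoked client certs whose CNs share a prefix.
make_sample_index() {
    {
        printf 'V\t260510070838Z\t\t01\tunknown\t/C=RU/ST=77/L=Moscow/O=COMPANY/CN=server/emailAddress=it@COMPANY.ru\n'
        printf 'R\t260510070838Z\t160510070838Z\t02\tunknown\t/C=RU/ST=77/L=Moscow/O=COMPANY/CN=vpn-mks/emailAddress=it@COMPANY.ru\n'
        printf 'R\t260510070838Z\t160510070838Z\t03\tunknown\t/C=RU/ST=77/L=Moscow/O=COMPANY/CN=vpn-mks2/emailAddress=it@COMPANY.ru\n'
    } > "$1"
}

# Offline demo on the constructed database (no openssl needed).
demo_dir=$(mktemp -d)
make_sample_index "$demo_dir/index.txt"
echo "before: vpn-mks=$(cert_status "$demo_dir/index.txt" vpn-mks)"
unrevoke_cn "$demo_dir/index.txt" vpn-mks
echo "after:  vpn-mks=$(cert_status "$demo_dir/index.txt" vpn-mks) vpn-mks2=$(cert_status "$demo_dir/index.txt" vpn-mks2)"
cat "$demo_dir/index.txt"
rm -rf "$demo_dir"
```

Run it with no arguments for the offline demo. In a real keys directory, `source ./vars`, then `unrevoke_cn "$KEY_DIR/index.txt" vpn-mks && regen_crl`. If the server's crl-verify directive points somewhere other than KEY_DIR, copy the new crl.pem there; OpenVPN reads the CRL file from disk when it verifies a new connection, so the server does not need a restart. As the answer says, this is a workaround; reissuing the certificate is the proper fix.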