VPN Issue for users created before certificate re-generation

Last week, testing my RoadWarrior VPN setup I came across some certificate errors. Looking back through the various timestamps I can see what the issue is. But, I’m not sure if this is a bug or just the way it works, so I’ll leave it to the more knowledgeable to decide.

Basically, the VPN server would not validate the client certificate presented. This was because the main server certificate was regenerated after creating the VPN user. The timeline, from memory and timestamps was this (I think)

  • Install NS which generates initial server certificate
  • Create VPN user, which generates client certificate
  • Update Server Certificate to update location information
  • Export VPN bundle

The issue being now, that the client certificate in the bundle is the one signed by the original NS install certificate, not the one generated when it was updated to correct the location information. Result is that the client using the exported certificate cannot connect.

Sat Dec 26 15:27:05 2015 192.168.0.42:49971 TLS: Initial packet from [AF_INET]192.168.0.42:49971 (via [AF_INET]192.168.0.254%eth1), sid=d5b6058f 48171534
Sat Dec 26 15:27:05 2015 192.168.0.42:49971 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=--, ST=SomeState, L=Hometown, O=Example Org, OU=Main, CN=eddie, emailAddress=admin@nethserver.bogolinux.net
Sat Dec 26 15:27:05 2015 192.168.0.42:49971 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Sat Dec 26 15:27:05 2015 192.168.0.42:49971 TLS Error: TLS object -> incoming plaintext read error
Sat Dec 26 15:27:05 2015 192.168.0.42:49971 TLS Error: TLS handshake failed
Sat Dec 26 15:27:05 2015 192.168.0.42:49971 SIGUSR1[soft,tls-error] received, client-instance restarting

Creating a new VPN user and exporting it’s bundle connects correctly.

Also, as I side issue, the following message is output because the CRL is never updated.

Tue Dec 29 11:06:37 2015 166.176.56.221:64978 CRL: CRL /var/lib/nethserver/certs/crl.pem is from a different issuer than the issuer of certificate C=–, ST=Some State, L=Los Angeles, O=BogoLinux Net, OU=SomeDepartment, CN=testvpn, emailAddress=admin@NethServer.BogoLinux.net

Cheers.

Check this path /var/lib/nethserver/certs
every user has his own bundle and it isn’t updated after the certificate update, as you said it works only for a new user.
Well, to be honest, I have no idea if it’s a bug or just a bad behaviour.

@EddieA lets check this issue :

write down STR of the issue and i’l try to check on fresh installation, or QA team can help

@alefattorini
Yeah, it was by checking the dates of the various files that I was able to backtrack the sequence of what happened as I started to build the server and then put off replacing Zentyal until I had some time on my hands:

[root@NethServer ~]# ls -lrt /var/lib/nethserver/certs/
total 88
-rw-r--r--. 1 root   root    3 Jul 17 16:45 crlnumber.old
-rw-r--r--. 1 root   root  245 Jul 17 16:45 dh1024.pem
-rw-r--r--. 1 root   root    3 Jul 17 16:45 crlnumber
-rw-r--r--. 1 root   root  735 Jul 17 16:45 crl.pem
-rw-r-----. 1 root   adm  1704 Jul 18 15:20 eddie.key
-rw-r--r--. 1 root   root 1070 Jul 18 15:20 eddie.csr
-rw-r--r--. 1 root   root    3 Jul 18 15:20 serial.old
-rw-r--r--. 1 root   root 1541 Jul 18 15:20 eddie.crt
-rw-r--r--. 1 root   root  133 Jul 18 15:20 certindex.old
-rw-r--r--. 1 root   root   21 Jul 18 15:20 certindex.attr.old
-rw-r--r--. 1 root   root 1541 Jul 18 15:20 01.pem
-rw-r--r--. 1 root   root 3832 Jul 18 15:20 eddie.p12
drwxr-----. 2 srvmgr adm  4096 Sep 29 06:40 clients
-rw-r--r--. 1 root   root 1559 Sep 29 06:40 ca.cnf
-rw-r-----. 1 root   adm  1708 Dec 26 15:40 testvpn.key
-rw-r--r--. 1 root   root 1094 Dec 26 15:40 testvpn.csr
-rw-r--r--. 1 root   root 1619 Dec 26 15:40 testvpn.crt
-rw-r--r--. 1 root   root    3 Dec 26 15:40 serial
-rw-r--r--. 1 root   root   21 Dec 26 15:40 certindex.attr
-rw-r--r--. 1 root   root  283 Dec 26 15:40 certindex
-rw-r--r--. 1 root   root 1619 Dec 26 15:40 02.pem
-rw-r--r--. 1 root   root 3980 Dec 26 15:40 testvpn.p12
[root@NethServer ~]# ls -lrt /etc/pki/tls/certs
 total 1932
-rw-r--r--. 1 root root 1066943 Apr 23  2015 ca-bundle.trust.crt
-rw-r--r--. 1 root root  877042 Apr 23  2015 ca-bundle.crt
-rw-r--r--. 1 root root    1574 Jul 18 20:20 NSRV.crt
-rw-------. 1 root root    1575 Jul 18 20:20 localhost.crt
-rw-------. 1 root root    1575 Jul 18 20:20 httpd-admin.crt
-rw-r-----. 1 root ldap    3283 Jul 18 20:20 slapd.pem
-rwxr-xr-x. 1 root root     829 Dec 13 21:16 renew-dummy-cert
-rw-r--r--. 1 root root    2242 Dec 13 21:16 Makefile
-rwxr-xr-x. 1 root root     610 Dec 13 21:16 make-dummy-cert
[root@NethServer ~]# ls -lrt /etc/pki/tls/private/
total 12
-rw-------. 1 root root 1708 Jul 17 16:20 NSRV.key
-rw-------. 1 root root 1708 Jul 17 16:20 httpd-admin.key
-rw-------. 1 root root 1708 Jul 17 16:45 localhost.key
[root@NethServer ~]#

Jul 17 was probably the date that I built the server and you can see that some of the files are still from that date.

eddie is the VPN user that I originally created on Jul 18. Subsequently, the main certificate was re-generated some 5 hours later on the same day. This is the user that raised the errors shown in the original post, even after re-exporting the key bundles.

testvpn is the VPN user I created to confirm what I thought the issue was, and is the one I’m using currently to connect.

I’ll leave it to the developers are to how they classify this. :sunglasses:

@Nas
STR ?? I’m not sure what you’re requesting.

Cheers.

@EddieA to be on the same page, you have created VPN User before you create OpenVPN server ?

I honestly couldn’t say. I would imagine that I did set the VPN first, but who knows. I wouldn’t have thought that would have been an issue as neither piece actually refers to the other.

One other thing is that user eddie is a system user. testvpn was only a vpn user. But again, I’m not sure that makes any difference here.

Cheers.

Vpn USER should be created instead of system users like admin root and so on.

On my test OpenVPn server I cannot reproduce with existed server cert, I need to try it on fresh installation.

That’s the issue. It’s NOT an existing server cert any more.

  1. Create a user for VPN (system or VPN)
  2. Update the Server Certificate
  3. Export the user bundle
  4. Try and connect from that user

Cheers.

@davidep @giacomo @filippo_carletti @davide_marini @nrauso what do you think?
should we re-generate all personal old certs after Update the Server Certificate?

We can re-generate alla VPN certs, but this will not resolve the problem: the user will always need to download again a new configuration.

But, if anyone agree on this, we can implement this workaround.

Of course, that’s mandatory but without re-generation download bundle will continue to not working correctly for old users.
Do you agree?

Partially: you need to regenerate the bundle only if users are using certificate authentication.

By the way, I think it’s a good improvement :slight_smile: But as always: more code = more bugs :smiley:

We can also tag it like a Known issue for now

@giacomo maybe it is more elegant to generate one server cert while first install and than use it and after that generate only user certs without regenerating server cert

2 Likes

yeah i have same problem …i have created vpn user well after that when connecting to VPN it asks for Authorization :- certification ! what i suppose to put there???

can you help me making a VPN connection with certification … like in above pic. i have done that part but when i click on client it asks for Authorization: certification .what do i put there.

Did you change the certificate after user creation?