rob_zero
Joined: 02 Jul 2009 Posts: 1
Posted: Thu Jul 02, 2009 7:59 am Post subject: huge problems with revocation of certs
Hi there,
This is my very first time dropping some lines in this forum, so I really hope anyone can help me on this:
When I revoke a user's certificate via Users > X509 > revoke Certificate in order to NOT allow him VPN connection anymore, this same user can still connect by VPN, and supposedly the certificate exists no more! Even if I delete that user from the Users List after revoking and deleting his certificate, he can still connect!!! This is getting me crazy indeed... how is that possible?? Is there any way to delete a certificate by console or whatever? Looks like that certificate and user still exist somewhere in some database or record...
Please, I need some help!!!
Thank you very much in advance!!
misterplow
Joined: 22 Apr 2008 Posts: 20
Posted: Tue Dec 22, 2009 5:27 am
The way that OpenVPN works is that each time you revoke a certificate it generates/updates a CRL (certificate revocation list) file, against which it checks incoming client connection requests. Even though you may revoke multiple client certificates, the CRL is just one key, against which multiple clients' keys can generate a hit/match.
You can find the crl.pem file that ZS uses at the location of:
Code:
/Database/etc/ssl/crl.pem
So, if you start the OpenVPN server process with the option of
Code:
--crl-verify /Database/etc/ssl/crl.pem
it will then reject any certificates that you have revoked.
The BIG CATCH is that if you delete a user without first revoking the user's cert, that user/cert will still be able to connect (as you have noticed, which is probably not what you want).
In the case you forgot to revoke the cert before deleting the user, you'll have to have access to the cert and private key for the user you mistakenly deleted. If you don't have access to these two files then you're probably screwed.
Assuming you DO have the cert/private key of the deleted user, you need to go in and manually swap it in for the cert+key of the "tempuser":
- create a new user in the ZS GUI (doesn't have to be the same as the original username)
- using an SSH session into your ZS box, do the following:
Quote:
root@zeroshell root> mv /Database/etc/ssl/certs/<tempuser>_user.pem /Database/etc/ssl/certs/<tempuser>_user.pem.orig; vi /Database/etc/ssl/certs/<tempuser>_user.pem
(paste the <mistakenly_deleted_user>_user.pem certificate contents and save)
- do the same for the key file located in /Database/etc/ssl/certs/<tempuser>_user.pem, this time pasting in the key file contents
- now go back into the GUI and revoke the certificate for the <tempuser>. This revocation should trigger an automatic restart of the affected OpenVPN server process as long as you have started it with the --crl-verify option as listed above.
- once this is done, you can delete the <tempuser>_user.pem files and then rename the <tempuser>_user.pem.orig back to the original <tempuser>_user.pem if you need to keep this temporary user and/or its information for some reason.
Once again, just be aware that each time you revoke a certificate against an OpenVPN server instance where it's been started with the crl-verify option, you will reset that process and thus kick off all clients briefly.
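The point of the reply above is that a revocation only takes effect once it is in the crl.pem that the server checks with --crl-verify. The script below is an added example, not Zeroshell's or OpenVPN's own code: it builds a throwaway CA with the openssl CLI, issues one client certificate, and runs the same CA-plus-CRL check that --crl-verify performs, once before and once after revoking the certificate and regenerating the CRL. All names in it (DemoCA, rob_zero, the file names, the temporary directory) are constructed for the demo.

```shell
#!/bin/sh
# Added example (not Zeroshell's or OpenVPN's code): build a throwaway CA,
# issue one client certificate, and check it against CA + CRL exactly as
# OpenVPN's --crl-verify does on each handshake. Needs only the openssl CLI.
# All names (DemoCA, rob_zero, file names) are constructed for the demo.
set -eu

WORK=""

# Minimal "openssl ca" configuration, written with absolute paths so that
# the commands below can be run from any directory.
write_ca_config() {
  cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $WORK/index.txt
new_certs_dir = $WORK
certificate = $WORK/ca.pem
private_key = $WORK/ca.key
serial = $WORK/serial
crlnumber = $WORK/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
x509_extensions = client_ext
[ policy_any ]
commonName = supplied
[ client_ext ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ dn ]
EOF
  : > "$WORK/index.txt"
  echo 01 > "$WORK/serial"
  echo 01 > "$WORK/crlnumber"
}

# Fresh working directory, CA key/cert, one client cert, and an (empty) CRL.
setup_pki() {
  if [ -n "$WORK" ]; then rm -rf "$WORK"; fi
  WORK=$(mktemp -d)
  trap 'rm -rf "$WORK"' EXIT
  write_ca_config
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj /CN=DemoCA \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj /CN=rob_zero \
    -config "$WORK/ca.cnf" -keyout "$WORK/rob.key" -out "$WORK/rob.csr" 2>/dev/null
  openssl ca -config "$WORK/ca.cnf" -batch -notext \
    -in "$WORK/rob.csr" -out "$WORK/rob_user.pem" 2>/dev/null
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl.pem" 2>/dev/null
}

# The check that --crl-verify performs: chain to the CA and consult the CRL.
# Prints "valid" or "revoked" (or the verify error); exit status 0 only if valid.
check_cert() {
  cat "$WORK/ca.pem" "$WORK/crl.pem" > "$WORK/ca_and_crl.pem"
  if out=$(openssl verify -crl_check -CAfile "$WORK/ca_and_crl.pem" "$1" 2>&1); then
    echo valid
    return 0
  fi
  case $out in
    *"certificate revoked"*) echo revoked ;;
    *) echo "error: $out" ;;
  esac
  return 1
}

# Revoking only marks the cert in the CA database; regenerating crl.pem is
# what makes the server see it. An old crl.pem keeps letting the user in.
revoke_cert() {
  openssl ca -config "$WORK/ca.cnf" -revoke "$1" 2>/dev/null
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl.pem" 2>/dev/null
}

main() {
  setup_pki
  echo "before revocation: $(check_cert "$WORK/rob_user.pem" || true)"
  revoke_cert "$WORK/rob_user.pem"
  echo "after revocation:  $(check_cert "$WORK/rob_user.pem" || true)"
}

main
```

The same `openssl verify -crl_check` invocation, pointed at the CA certificate concatenated with the real /Database/etc/ssl/crl.pem and at a user's /Database/etc/ssl/certs/<user>_user.pem, is a quick way to confirm on the ZS box that a revocation actually landed in the CRL before relying on the VPN server to reject that user.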
joar
Joined: 21 Jun 2007 Posts: 16
Posted: Tue Dec 22, 2009 9:16 am Post subject: Problem
What if you demand both cert and user/passwd?
_________________
JH