
Updating CRL in "pki" config does not update OpenVPN
Status: Needs testing | Priority: Normal | Visibility: Public | Tags: BUG

Description

Example Configuration (relevant sections):

 interfaces {
     openvpn vtun0 {
         description OpenVPN
         local-port 1194
         mode server
         persistent-tunnel
         protocol udp
         server {
             name-server 10.23.55.1
             subnet 10.23.59.0/24
         }
         tls {
             ca-certificate my-internal-ca
             certificate router-1.internal
             dh-params openvpn_vtun0
         }
     }
 }
...
 pki {
     ca my-internal-ca {
         certificate MIIFhjCCA26gAwIBAgIJAIr2hnzHNbu3MA0GCSqGSIb3DQEBCwUAMDExLzAtBgNVBAMMJkx1Y2FzZWMgVGVjaG5vbG9naWVzIEluZnJhc3RydWN0dXJlIENBMB4XDTE3MDkyNDIxNTk1MVoXDTI3MDkyMjIxNTk1MVowMTEvMC0GA1UEAwwmTHVjYXNlYyBUZWNobm9sb2dpZXMgSW5mcmFzdHJ1Y3R1cmUgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDT6KqIi/dcpN8BaV3GFjy3ch2fscPo6QLkDEeg/dNuJqxCaR3qzXyi1U8VD39L1qYYM4fe9akglwoSX3bAPMtCcCY10eHk1skEixzAW6Dsps9QksnkRlU4m9gBOhwD+IM2oExG1Y7KC8Gs+/pmvyQLfaJ9v+SvXWZZONU1ZCY4RTJJDXLpZrpcA5B2mWImpV+/7enRe0cGuTtcplbYqDCMevlfDg0cvaUyJe1rht/oh7Mxb9heiICigUn+aFWazGvEz8JufEwKA7wkaNZ0XgpAi7BwXxlm8U7MdbHle+ytw5z71cA8tGR1p5XsSMp6c3Bvb+lLvwyDFhxFdVkneDYsGEyP+JKx325CF6RRk5TAB4DclLIgg37Sxf8ni5PLtMmAQ30u21dDF0ARJ2YyOOC8kr94o3wleIp1697q1/c/IPlC0sTgn79Zu3I730+1HH+6RFycCBnMaXU34KX40lxB8M5iUbdlC2vL95eLCeVQCsGTqfF0HyxBUi24IGXMPYwJgPrdpjycQL20IznZ2T+AxVPeqCENTFQ//Ce1AjJFxolnHYLVoOb5mWOfx4vKpvsj3e3MhkZhwExVZfgzD01sb3WSuZS18bR/GlfQ/iuQOv7J42Skx+tOoiYKdmlPRBuj8Gb0r8qQQW85Tz3T3Bd6mY3so1Ipp592a7SjyjWU/wIDAQABo4GgMIGdMB0GA1UdDgQWBBRFIuwrlJJAVl0Ko9Y/+jqOLGkpwDBhBgNVHSMEWjBYgBRFIuwrlJJAVl0Ko9Y/+jqOLGkpwKE1pDMwMTEvMC0GA1UEAwwmTHVjYXNlYyBUZWNobm9sb2dpZXMgSW5mcmFzdHJ1Y3R1cmUgQ0GCCQCK9oZ8xzW7tzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAgEAw2I0sHpG7m5xV5/almHzr0IG93eQZfZxPK/PwcZe4d2GvcDau10EiWCXAd7yo6j8WDSiFAoeVKhV6kQVr0fvKRfZ1VHpuN7Aof0fha6hbRkFyDuwV5zHEt7Bhv80tcUKFZiNAWDZu0NSFtOmiN/sS/8xOyYcbVzAqaYeVhO/CYZcxxwyEU8nfAefRuwggngtR3hg0DIOR5hEvoeUIdRAQhPuKDxYgdCRlFt6hcdqjT3X8dZrqYhReN45ELHW5xlgq/GWwHcW8fhGnCnVCVFh9i1Xj5FSNs8upq4NTnejsOE4wfNj4xCe9yemJla5qp2k3iyMVYyPOmKeEKh3s3Toh+Le3bzqOm/fVdsz7LxCN3cP1qQvHL05f+hWiOKvbobVm43JfSC6Ue81uZcL3qfPQ82oKb4S/PvqIVECZHSd/XoXgLT884nSCunXr+6mPDraz4rHPpP83VnpAWkwAURj4xgEMVIfvV+z4yMVrxA2+YpQlBT78pe5USKQNtWeiR50ZTU0i0wOu6ea/6YvE5hoPdi5UUVUHzSWGyIlNK7DS0pF+1twcJbKkwngKIeh4DYjPb3sVrwGupAzUgqmUoE2noo4JQTvOG8nA8bpIEbV+5bsT3uHq8liGi/QGIApccFCS6eoAME/jzCYD1W1jWnOqnBUuBlykB59PKxxdmeMGoQ=
         crl ...
     }
     certificate router-1.internal {
         certificate MIIFszCCA5ugAwIBAgIRAIbqEtrC+KSyXmT...
         private {
             key <redacted>
         }
     }
     dh openvpn_vtun0 {
         parameters MIIBCAKCAQEA4n4nJCDrUttGvZ6PHhWS...
     }
 }

Before changing the config I checked the old CRL file rendered on disk for OpenVPN:

$ sudo openssl crl -in /run/openvpn/vtun0_crl.pem -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = My Network Infrastructure CA
        Last Update: Nov  4 15:22:10 2023 GMT
        Next Update: May  2 15:22:10 2024 GMT
...

Update the CRL:

# delete pki ca my-internal-ca crl
# set pki ca my-internal-ca crl "..."
# commit

After commit, check the CRL file rendered on disk for OpenVPN:

$ sudo openssl crl -in /run/openvpn/vtun0_crl.pem -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = My Network Infrastructure CA
        Last Update: Nov  4 15:22:10 2023 GMT
        Next Update: May  2 15:22:10 2024 GMT
...

The file is still the same as the old CRL. Only by rebooting the router or disabling/re-enabling the OpenVPN interface could I get the file to re-render and show the updated CRL:

$ sudo openssl crl -in /run/openvpn/vtun0_crl.pem -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Lucasec Technologies Infrastructure CA
        Last Update: Apr 14 19:04:18 2024 GMT
        Next Update: Oct 11 19:04:18 2024 GMT
...
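The report compares the CRL on disk by eye from `openssl crl -text` output. The following is an added example, not VyOS project code and not the reporter's, that does the same comparison mechanically so it can run from cron or a monitoring check: it reads the CRL that should be in effect (on VyOS the bare base64 stored under `pki ca <name> crl`, or a PEM file) and the CRL rendered for OpenVPN (assumed, as in the report, to be `/run/openvpn/<iface>_crl.pem`), and reports `stale` when the rendered CRL's thisUpdate is older than the configured one. It is standard-library only: a minimal DER walker reads thisUpdate from the TBSCertList, and no signature is verified. The sample CRLs it builds when run without arguments are constructed dummies (unsigned, "Example CA" issuer) carrying the two issue dates seen in the report; everything else, including the function names, is an assumption of this example.

```python
"""Added example (not VyOS project code): flag a stale OpenVPN CRL on disk.

Compares the CRL that should be in effect (on VyOS, the bare-base64 value
under `pki ca <name> crl`) with the CRL actually rendered for OpenVPN
(on VyOS, /run/openvpn/<iface>_crl.pem).  Standard library only: the outer
ASN.1 structure is walked to read thisUpdate; signatures are NOT verified.
"""
import base64
import hashlib
import re
import sys
from datetime import datetime, timedelta, timezone

ARMOR = re.compile(r"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", re.S)


def crl_to_der(text: str) -> bytes:
    """Accept a PEM-armored CRL or the bare base64 body VyOS keeps in its config."""
    m = ARMOR.search(text)
    body = m.group(1) if m else text
    return base64.b64decode("".join(body.split()))


def _tlv(buf: bytes, pos: int):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def crl_this_update(der: bytes) -> datetime:
    """CertificateList -> TBSCertList -> thisUpdate (UTCTime 0x17 or GeneralizedTime 0x18)."""
    _, cert_list, _ = _tlv(der, 0)
    _, tbs, _ = _tlv(cert_list, 0)
    tag, _, pos = _tlv(tbs, 0)                          # version INTEGER is OPTIONAL
    if tag == 0x02:
        tag, _, pos = _tlv(tbs, pos)                    # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)                          # issuer Name
    tag, value, _ = _tlv(tbs, pos)                      # thisUpdate
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def check_rendered_crl(configured: str, rendered: str) -> dict:
    """'in-sync' (same DER), 'stale' (rendered CRL older than configured), else 'mismatch'."""
    c_der, r_der = crl_to_der(configured), crl_to_der(rendered)
    c_t, r_t = crl_this_update(c_der), crl_this_update(r_der)
    if c_der == r_der:
        verdict = "in-sync"
    elif r_t < c_t:
        verdict = "stale"
    else:
        verdict = "mismatch"
    return {"verdict": verdict,
            "configured_this_update": c_t.isoformat(),
            "rendered_this_update": r_t.isoformat(),
            "rendered_sha256": hashlib.sha256(r_der).hexdigest()}


# --- constructed test data: an UNSIGNED but structurally valid v2 CRL ---------
def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder (short- and long-form lengths)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def make_crl_pem(this_update: datetime, issuer_cn: str = "Example CA") -> str:
    """Dummy CRL for parser tests only: sha256WithRSA OID, CN issuer, zeroed signature."""
    sha256_rsa = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    issuer = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03")
                                            + _der(0x0c, issuer_cn.encode()))))
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())       # UTCTime
    tbs = _der(0x30, _der(0x02, b"\x01") + sha256_rsa + issuer
               + utc(this_update) + utc(this_update + timedelta(days=179)))
    der = _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00" * 9))
    return "-----BEGIN X509 CRL-----\n" + base64.encodebytes(der).decode() + "-----END X509 CRL-----\n"


def sample_crls():
    """The two CRL issue dates from the report, as constructed dummy CRLs (old, new)."""
    old = make_crl_pem(datetime(2023, 11, 4, 15, 22, 10, tzinfo=timezone.utc))
    new = make_crl_pem(datetime(2024, 4, 14, 19, 4, 18, tzinfo=timezone.utc))
    return old, new


if __name__ == "__main__":
    if len(sys.argv) == 3:         # e.g. configured_crl.txt /run/openvpn/vtun0_crl.pem
        configured, rendered = (open(p).read() for p in sys.argv[1:])
    else:                          # the situation in the report: config updated, disk not
        old, new = sample_crls()
        configured, rendered = new, old
    print(check_rendered_crl(configured, rendered))
```

Run with no arguments it reproduces the report's situation and prints a `stale` verdict; with two paths it compares real files. The check deliberately keys on thisUpdate rather than file mtime, because a reboot or interface bounce rewrites the file without changing which CRL it contains. On the router itself the quick manual equivalent of the date half of this check is `openssl crl -in /run/openvpn/vtun0_crl.pem -noout -lastupdate`.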

Details

Difficulty level: Unknown (require assessment)
Version: Fork of 1.5-rolling-202403100025
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)

Event Timeline

I even commented on that issue…
It would seem my memory ages out after 3 years 🤣

From discussion on Slack it sounded like there may have been some code added targeting T3861. But clearly it did not solve it. I assume we can close this as duplicate.

Viacheslav triaged this task as Normal priority.Mon, Apr 22, 9:05 AM