Why does reissuing an EasyRSA 3 certificate fail after revoking it for OpenVPN?


Question

I am running an OpenVPN 2.4.4 server on Ubuntu 18.04 using EasyRSA 3. Occasionally the server IP changes and I need to redeploy the client.ovpn file to the clients to reflect that change. In the past, on Ubuntu 16.04 with EasyRSA 2, I revoked the certificate and then reissued the certificate and client.ovpn file without any problem.

Now, after I revoke, I cannot reissue to the client because OpenVPN fails the TLS handshake. My workaround is to rebuild the CA completely and reinitialize the OpenVPN server. I would prefer to target individual clients rather than "shooting" all of them at once.

OK, here are some details:

I can provide logs, config files, etc. if that helps. Let me know what you need to help resolve this.

  • I use a VM solely to build the client/server certificates and auxiliary files. When I am done issuing certificates, I can shut the VM down to avoid outside intrusion.
  • I used the instructions on Digital Ocean as a guide. Having the CA and the requester PKI on the same machine (separate from the OpenVPN server machine) should not be a problem.
  • I created two PKI hierarchies on that VM: one is the CA, the other is dedicated to creating certificate requests and issuing client.ovpn files. The two hierarchies are completely independent.
  • I can successfully create all the required artifacts and establish a connection with OpenVPN.
  • I can successfully revoke a client so that it can no longer connect to the OpenVPN server.
  • I use the easyrsa script to 'update-db' and 'create-crl'.
  • I deploy crl.pem to the OpenVPN server and restart it on every update or revocation.

Here are the CRL and text database contents:

  • After initializing the server:
$> cat auth/pki/index.txt
V 281109182216Z       FF42240511ED8204215894082114D4A4    unknown /CN=server
$> openssl crl -in auth/pki/crl.pem -text -noout
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /CN=domain
        Last Update: Nov 12 18:28:17 2018 GMT
        Next Update: Nov  9 18:28:17 2028 GMT
        CRL extensions:
            X509v3 Authority Key Identifier: 
                keyid:AC:22:23:B8:0F:02:5C:A8:82:EF:C6:89:7B:62:E3:C8:81:8F:6B:AE
                DirName:/CN=domain
                serial:A0:23:32:51:DD:EF:C4:98

No Revoked Certificates.
    Signature Algorithm: sha256WithRSAEncryption
  • After issuing configs for 2 clients:
$> cat auth/pki/index.txt
V 281109182216Z       FF42240511ED8204215894082114D4A4    unknown /CN=server
V 281109182955Z       B9BEBF692BF00C05E7C589E63A77D555    unknown /CN=client1
V 281109183009Z       2CB6E6C5C31195943D3340008CC46DA5    unknown /CN=client2
$> openssl crl -in auth/pki/crl.pem -text -noout
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /CN=domain
        Last Update: Nov 12 18:30:10 2018 GMT
        Next Update: Nov  9 18:30:10 2028 GMT
        CRL extensions:
            X509v3 Authority Key Identifier: 
                keyid:AC:22:23:B8:0F:02:5C:A8:82:EF:C6:89:7B:62:E3:C8:81:8F:6B:AE
                DirName:/CN=domain
                serial:A0:23:32:51:DD:EF:C4:98

No Revoked Certificates.
    Signature Algorithm: sha256WithRSAEncryption
  • After revoking the 2 clients' configs:
$> cat auth/pki/index.txt
V 281109182216Z       FF42240511ED8204215894082114D4A4    unknown /CN=server
R 281109182955Z   181112183024Z   B9BEBF692BF00C05E7C589E63A77D555    unknown /CN=client1
R 281109183009Z   181112183027Z   2CB6E6C5C31195943D3340008CC46DA5    unknown /CN=client2
$> openssl crl -in auth/pki/crl.pem -text -noout
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /CN=domain
        Last Update: Nov 12 18:30:27 2018 GMT
        Next Update: Nov  9 18:30:27 2028 GMT
        CRL extensions:
            X509v3 Authority Key Identifier: 
                keyid:AC:22:23:B8:0F:02:5C:A8:82:EF:C6:89:7B:62:E3:C8:81:8F:6B:AE
                DirName:/CN=domain
                serial:A0:23:32:51:DD:EF:C4:98

Revoked Certificates:
    Serial Number: 2CB6E6C5C31195943D3340008CC46DA5
        Revocation Date: Nov 12 18:30:27 2018 GMT
    Serial Number: B9BEBF692BF00C05E7C589E63A77D555
        Revocation Date: Nov 12 18:30:24 2018 GMT
    Signature Algorithm: sha256WithRSAEncryption
  • After reissuing the 2 clients' configs:
$> cat auth/pki/index.txt
V 281109182216Z       FF42240511ED8204215894082114D4A4    unknown /CN=server
R 281109182955Z   181112183024Z   B9BEBF692BF00C05E7C589E63A77D555    unknown /CN=client1
R 281109183009Z   181112183027Z   2CB6E6C5C31195943D3340008CC46DA5    unknown /CN=client2
V 281109183048Z       C195D111FDC160DBFABD37A74C7DA816    unknown /CN=client1
V 281109183057Z       45AFBA1724B26E1B127091B9EC5E782B    unknown /CN=client2
$> openssl crl -in auth/pki/crl.pem -text -noout
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /CN=domain
        Last Update: Nov 12 18:30:57 2018 GMT
        Next Update: Nov  9 18:30:57 2028 GMT
        CRL extensions:
            X509v3 Authority Key Identifier: 
                keyid:AC:22:23:B8:0F:02:5C:A8:82:EF:C6:89:7B:62:E3:C8:81:8F:6B:AE
                DirName:/CN=domain
                serial:A0:23:32:51:DD:EF:C4:98

Revoked Certificates:
    Serial Number: 2CB6E6C5C31195943D3340008CC46DA5
        Revocation Date: Nov 12 18:30:27 2018 GMT
    Serial Number: B9BEBF692BF00C05E7C589E63A77D555
        Revocation Date: Nov 12 18:30:24 2018 GMT
    Signature Algorithm: sha256WithRSAEncryption

Observations

  • This looks like a bug in EasyRSA or OpenVPN. Clearly the DB (index.txt) shows that the new certificates issued after revocation have different serial numbers. Am I missing something here?
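As an added example that is not part of the original question: a small parser for the index.txt database shown above (OpenSSL's tab-separated CA database, which EasyRSA's update-db and create-crl read). Run against the final listing, it confirms the observation: each reissued CN's newest valid serial differs from, and is absent from, the revoked rows, so a CRL built from this database would not reject the new certificates. The sample rows are constructed from the serials in the question, with the whitespace restored to the tabs OpenSSL actually writes.

```python
# Added example (not from the original post): parse an OpenSSL/EasyRSA index.txt
# and report, per CN, the current valid serial and whether it is among the revoked rows.
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample: the "after reissuing" state from the question (tab-separated).
SAMPLE_INDEX = (
    "V\t281109182216Z\t\tFF42240511ED8204215894082114D4A4\tunknown\t/CN=server\n"
    "R\t281109182955Z\t181112183024Z\tB9BEBF692BF00C05E7C589E63A77D555\tunknown\t/CN=client1\n"
    "R\t281109183009Z\t181112183027Z\t2CB6E6C5C31195943D3340008CC46DA5\tunknown\t/CN=client2\n"
    "V\t281109183048Z\t\tC195D111FDC160DBFABD37A74C7DA816\tunknown\t/CN=client1\n"
    "V\t281109183057Z\t\t45AFBA1724B26E1B127091B9EC5E782B\tunknown\t/CN=client2\n"
)

@dataclass
class Entry:
    status: str      # 'V' valid, 'R' revoked, 'E' expired
    expiry: str      # YYMMDDHHMMSSZ
    revoked_at: str  # empty unless status == 'R'
    serial: str
    subject: str

def parse_index(text: str) -> List[Entry]:
    """Parse index.txt rows: status, expiry, revocation date, serial, file, DN."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index.txt row: {line!r}")
        status, expiry, revoked_at, serial, _fname, subject = fields
        entries.append(Entry(status, expiry, revoked_at, serial.upper(), subject))
    return entries

def revoked_serials(entries: List[Entry]) -> Set[str]:
    return {e.serial for e in entries if e.status == "R"}

def active_serial(entries: List[Entry], cn: str) -> Optional[str]:
    """Newest valid serial for /CN=<cn>; OpenSSL appends rows in issue order."""
    valid = [e for e in entries if e.status == "V" and e.subject == f"/CN={cn}"]
    return valid[-1].serial if valid else None

def check_reissue(entries: List[Entry], cn: str) -> str:
    # Would a CRL built from these rows reject this CN's current certificate?
    serial = active_serial(entries, cn)
    if serial is None:
        return "no valid certificate"
    if serial in revoked_serials(entries):
        return "current serial is revoked"
    return "ok"
```

If this reports "ok" for a client that still fails the handshake, the CRL is not the reason and the OpenVPN server log for that TLS session is the next place to look.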
Tags: openvpn

1 answer

It turns out the answer is simply to change the IP address in the .ovpn config file without issuing a new certificate.

However, issuing a new certificate after revoking the same client still fails.
