
Dear StackExchange community,

I have an OpenVPN 2.3.10 server running on Ubuntu 16.04 with multiple clients (~80), installed following the Digital Ocean tutorial. When I revoke a certificate it can still connect like before.

My server config:

port 1197
proto udp
dev tun3

ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
topology subnet
server XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
local XXX.XXX.XXX.XXX

ifconfig-pool-persist ipp.txt

client-config-dir ccd
keepalive 10 120

tls-auth ta.key 0 
key-direction 0

cipher AES-128-CBC
auth SHA256

comp-lzo

user nobody
group nogroup

persist-key
persist-tun

status-version 2
status openvpn-status4.log

log-append  openvpn.server4.log

verb 3

management 127.0.0.1 5558

crl-verify crl/crl.pem

For certificate management I use easy-rsa.

cd ~/openvpn-ca

source vars

To create a certificate: ./build-key cert_name

To revoke a certificate: ./revoke-full cert_name, then I copy the crl.pem file from the keys dir to the /etc/openvpn/crl directory and change its ownership with sudo chown nobody:nogroup /etc/openvpn/crl/crl.pem

The relevant server log:

TLS: Initial packet from [AF_INET]XXX.XXX.XXX:60341, sid=4af4c75c e17bc520
CRL: CRL crl/crl.pem is from a different issuer than the issuer of certificate C=FR, ST=company_name, L=company_name, O=company_name, OU=company_name, CN=company_name, name=server, emailAddress=admin@company.com
VERIFY OK: depth=1, C=FR, ST=company_name, L=company_name, O=company_name, OU=company_name, CN=company_name, name=server, emailAddress=admin@company.com
CRL: CRL crl/crl.pem is from a different issuer than the issuer of certificate C=FR, ST=company_name, L=company_name, O=company_name, OU=company_name, CN=client_name, name=server, emailAddress=admin@company.com
VERIFY OK: depth=0, C=FR, ST=company_name, L=company_name, O=company_name, OU=company_name, CN=client_name, name=server, emailAddress=admin@company.com

If I run ./list-crl I can see that my certificate is indeed revoked:

Certificate Revocation List (CRL):
        Version 1 (0x0)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=FR/ST=company_name/L=company_name/O=company_name/OU=company_name/CN=test2/name=server/emailAddress=admin@company.com
        Last Update: Jun 10 09:03:59 2020 GMT
        Next Update: Jun  8 09:03:59 2030 GMT
Revoked Certificates:
    Serial Number: 02
        Revocation Date: Feb 13 15:48:55 2018 GMT
    Serial Number: 03
        Revocation Date: Feb 13 15:50:38 2018 GMT
    Serial Number: 04
        Revocation Date: Feb 13 15:58:06 2018 GMT
    Serial Number: 05
        Revocation Date: Feb 13 16:59:54 2018 GMT
    Serial Number: 06
        Revocation Date: Feb 13 17:00:01 2018 GMT
    Serial Number: 07
        Revocation Date: Feb 13 17:06:43 2018 GMT
    Serial Number: 28
        Revocation Date: Jul  9 13:24:14 2018 GMT
    Serial Number: 29
        Revocation Date: Jul  9 13:24:30 2018 GMT
    Serial Number: 32
        Revocation Date: Jun  9 07:25:35 2020 GMT
    Serial Number: 58
        Revocation Date: Jun  9 07:26:01 2020 GMT
    Serial Number: 59
        Revocation Date: Jun  9 07:26:19 2020 GMT
    Serial Number: 9B
        Revocation Date: Jun  9 15:13:52 2020 GMT
    Serial Number: 9C
        Revocation Date: Jun  9 14:47:36 2020 GMT
    Signature Algorithm: sha256WithRSAEncryption
         XXXXX

I can see one strange thing: CN=test2 in the Issuer: block, but I can't find where that comes from.

This situation is a bit confusing; for now I manage to block the client with iptables, so it can connect to the VPN but cannot access anything, but I'd rather solve that revocation issue.

Do you have any idea?

Thank you.
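The "CRL crl/crl.pem is from a different issuer" log line above means OpenVPN found a CRL whose issuer DN does not match the CA that issued the client certificates, so the CRL is ignored and revoked clients still pass. The helper below is an added example, not code from the question or any of the answers: it compares the CRL issuer with the CA subject, verifies the CRL signature with the CA key, and looks up a client certificate's serial in the CRL. It assumes the openssl CLI is installed; ca.crt, crl.pem and the client certificate are passed as arguments.

```shell
#!/bin/sh
# Added diagnostic helper (not from the question or the answers).
# Assumes the openssl CLI; file names come from the command line.

# Print the CA subject and the CRL issuer in the same (RFC 2253) form so
# they can be compared as plain strings.
ca_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}
crl_issuer() {
  openssl crl -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

# Exit 0 only if the CRL names this CA as its issuer AND its signature
# verifies with the CA's public key. "openssl crl -CAfile" prints
# "verify OK" / "verify failure" but its exit status does not reliably
# reflect the result, so the printed verdict is checked instead.
crl_matches_ca() {
  ca="$1"; crl="$2"
  if [ "$(ca_subject "$ca")" != "$(crl_issuer "$crl")" ]; then
    echo "issuer mismatch: CA subject '$(ca_subject "$ca")' vs CRL issuer '$(crl_issuer "$crl")'" >&2
    return 1
  fi
  openssl crl -in "$crl" -CAfile "$ca" -noout 2>&1 | grep -q 'verify OK'
}

# Exit 0 if the certificate's serial number is listed in the CRL, i.e. the
# server would reject it once crl-verify is actually using this CRL.
cert_revoked_in_crl() {
  serial=$(openssl x509 -in "$1" -noout -serial | sed 's/^serial=//')
  openssl crl -in "$2" -noout -text | grep -q "Serial Number: $serial\$"
}

# Usage: sh crlcheck.sh ca.crt crl.pem [client.crt]
if [ "$#" -ge 2 ]; then
  if crl_matches_ca "$1" "$2"; then echo "CRL matches CA"; else echo "CRL does NOT match CA"; fi
  if [ "$#" -ge 3 ]; then
    if cert_revoked_in_crl "$3" "$2"; then echo "$3: revoked"; else echo "$3: not in CRL"; fi
  fi
fi
```

Run it against the ca.crt the server trusts and the crl.pem it loads; if the CA subject and CRL issuer differ (as with CN=test2 above), the CRL was generated under a different CA directory or vars file and must be regenerated with the real CA key.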

4 Answers

2

In my case, I have configured the OpenVPN server on Ubuntu 20.04. Finally, I was able to disable the user with the steps below.

I have two servers for OpenVPN, one is for OpenVPN, and the second one is for CA configurations.

Log in to the 2nd server (CA) and revoke the certificate with the ./easyrsa revoke client_name command. Confirm with yes and provide the cert password if you have one.

Generate a new CRL (Certificate Revocation List) with the ./easyrsa gen-crl command. Copy the generated crl.pem to the OpenVPN server's tmp directory with the scp command.

scp ~/easy-rsa/pki/crl.pem username@your_server_ip:/tmp

Once you have revoked a certificate for a client, move the pem file to the /etc/openvpn/server directory on the 2nd server (the OpenVPN server).

sudo cp /tmp/crl.pem /etc/openvpn/server/

Open the OpenVPN server configuration file with sudo vi /etc/openvpn/server/server.conf and add the line below at the bottom of the file.

crl-verify crl.pem

Save and close the file and restart the OpenVPN service to implement the certificate revocation.

sudo systemctl restart openvpn-server@server.service

Thanks :)

Aditya Y
0

OpenVPN is usually configured to run as the user nobody, so please make sure that the directory where the crl.pem file is placed (/etc/openvpn/crl) is accessible by the user nobody and that the crl.pem file itself is also readable by the user nobody. I personally would suggest placing the crl.pem file inside /etc/openvpn.

0

You can use the commands below to revoke:

cd ~/openvpn-ca
source vars
./revoke-full user1
./revoke-full user2

sudo cp ~/openvpn-ca/keys/crl.pem /etc/openvpn

sudo service openvpn restart
Vinoth Rc
0

Interestingly, the official documentation says that you do not need to restart the service after the crl.pem file has changed, but for me too it only works when the service is restarted.

CRL Notes

When the crl-verify option is used in OpenVPN, the CRL file will be re-read any time a new client connects or an existing client renegotiates the SSL/TLS connection (by default once per hour). This means that you can update the CRL file while the OpenVPN server daemon is running, and have the new CRL take effect immediately for newly connecting clients.

Halje