Revoking a client issues

[anasred]

Describe the issue 1- After using the script to revoke a client. He still able to use the OpenVpn server if he didn't disconnect from the server.

In server.conf I confirm that: crl-verify crl.pem is available

referring to this question on OpenVpn Forum: https://forums.openvpn.net/viewtopic.php?t=25160

2- Moreover, I noticed that when I revoked a client let say client1 and after that you tried to add a new client using the script with the same name i.e. client1, the script will show this message: The specified client CN was already found in easy-rsa, please choose another name.

So what should I do to guarantee that when the user revoked from the server he will be disconnected immediately from OpenVpn?

How can I delete any reference to client1 from easy-rsa, so I can add a new client with the same name of a revoked client?

• OS: Ubuntu 18.04
• Device: Macbook
• Client: Tunnelblick

[randshell]

The specified client CN was already found in easy-rsa, please choose another name.

I can't reproduce this and I've never seen it. Are you sure you are using the latest version of the script?

After using the script to revoke a client. He still able to use the OpenVpn server if he didn't disconnect from the server.

It will disconnect only when the session is renegotiated and this happens every hour. If you want to disconnect him after revocation you need to restart openvpn but this kills connection for every user.

Another option is https://serverfault.com/questions/900544/how-to-disconnect-a-single-client-connection-in-openvpn

[anasred]

thanks for your reply. Yes, I'm using the latest version.

to reproduce the error message, please follow these steps:

1- add client1 client using the script. 2- revoke client1 client using the script. 3- add a new client with the name of client1 again.

the error message will show up.

[TinCanTech]

Absolutely unique certificate names is down to EasyRSA.

Since EasyRSA v3.0.6 this was changed to allow certificate renewal.

So, with a new version of EasyRSA this would allow you to re-use a certificate name.

[angristan]

So, if I understand correctly there are two issues:

A revoked client that is connected will stay connected until it disconnects/reconnects

That sounds plausible, maybe we'd need to add a management port: https://serverfault.com/a/900562/405096 if that's not too much work.

Revoked client name can't be reused

I would expect that. I understand why it could be bothersome though.

[TinCanTech]

So, if I understand correctly there are two issues:

A revoked client that is connected will stay connected until it disconnects/reconnects

That sounds plausible, maybe we'd need to add a management port: https://serverfault.com/a/900562/405096 if that's not too much work.

A certificate revocation list is only read during initial connection phase, so a client would have to reconnect if it has been revoked in the mean time.

Or you can use the managment port as described above.

Revoked client name can't be reused

I would expect that. I understand why it could be bothersome though.

EasyRSA 306 and up now allows to re-use a certificate name, the term they use is renew.

[randshell]

A certificate revocation list is only read during initial connection phase, so a client would have to reconnect if it has been revoked in the mean time. Or you can use the managment port as described above.

Doesn't it happen on the usual renegotiation once an hour too? If this is the case I think a management port is too much for this job.

[TinCanTech]

A certificate revocation list is only read during initial connection phase, so a client would have to reconnect if it has been revoked in the mean time. Or you can use the managment port as described above.

Doesn't it happen on the usual renegotiation once an hour too? If this is the case I think a management port is too much for this job.

Having now tested this, I can confirm that a CRL check is done at renegotiation as well. (So my previous comment was incorrect)

[anasred]

I created this script and call it from revokeClient() function like so:

./kill_openvpn_client.sh COMMON-NMAE

and the content of kill_openvpn_client.sh:

#!/bin/sh
MANAGEMENT=$(cat /etc/openvpn/server.conf | grep "^management" | cut -d ' ' -f 2,3)
(
echo kill $1
sleep 1
echo exit
) | telnet $MANAGEMENT

And added this line to /etc/openvpn/server.conf:

management 127.0.0.1 1195

[randshell]

EasyRSA 306 and up now allows to re-use a certificate name, the term they use is renew.

@TinCanTech so how is it fixed on our side? I now have this CN name problem when I try to reproduce #676

[TinCanTech]

Updated:

---

@randomshell - Unique CNs is a function of the SSL lib, see index.txt.attr in the EasyRSA PKI folder. Before EasyRSA v306 this was set to make all CNs absolutely unique regardless of status. That has now changed so that EasyRSA can pretend to renew a certificate. Infact, what EasyRSA does is to revoke the old certificate and then make a new certificate with the same CN. Unfortunately, EasyRSA also has a strange bug in that it does not actually revoke the old certificate, thereby polluting the PKI with duplicate CNs. All I can suggest is to take this issue up with EasyRSA.

---

Update:

As of Easy-RSA v 3.1.7, all of the problems observed above have been resolved.

[randshell]

Thanks for your answer @TinCanTech.

I looked again at the code and it is an error on our side. @angristan committed 96e6ea71e9094c3b5bce52489e4f8262bb14b16c to fix issue #613. The problem is that the code he changed was added in #592 to make the script idempotent: it's not an easy-rsa error as the commit message says so it's unrelated to the linked issue.

I will revert his commit to keep the script idempotent and update the regex to match only valid certificates.

All I can suggest is to take this issue up with EasyRSA.

If I understood correctly it seems to be the issue https://github.com/OpenVPN/easy-rsa/issues/105

[TinCanTech]

If I understood correctly it seems to be the issue OpenVPN/easy-rsa#105

It is related, however, it is not the same issue. For whatever reason the owner has not acknowledge the actual bug.

[TinCanTech]

@randomshell - Unique CNs is a function of the SSL lib, see index.txt.attr in the EasyRSA PKI folder. Before EasyRSA v306 this was set to make all CNs absolutely unique regardless of status. That has now changed so that EasyRSA can pretend to renew a certificate. Infact, what EasyRSA does is to revoke the old certificate and then make a new certificate with the same CN. Unfortunately, EasyRSA also has a strange bug in that it does not actually revoke the old certificate, thereby polluting the PKI with duplicate CNs.

I struggled with this for a while during the development of Easy-TLS. However, after considering the work-flow, the reasoning behind this behaviour became obvious:

• EasyRSA does not revoke a renewed certificate because this allows the server admin a grace period to send the new certificate to the client. Once the client has the new cert then the old one can be revoked.

~The actual problem is that ./easyrsa revoke name does not currently work on renewed certificates.~

[kriball]

On line 1170, I added this code in new line. sed -i -e '/^[R]/d' /etc/openvpn/easy-rsa/pki/index.txt

So, it will become like this

        echo ""
        echo "Certificate for client $CLIENT revoked."
        sed -i -e '/^[R]/d' /etc/openvpn/easy-rsa/pki/index.txt
}

I just delete Revoked list from index.txt, and it's working, so I have no problem with same entity name after revoking.

[TinCanTech]

@kriball I hope you have a backup of index.txt

[kriball]

@kriball I hope you have a backup of index.txt

Always, backup is important before doing something. I did this because I don't have dedicated IP from my ISP for my house, so my custom config just for personal usage. Thank you for reminding

[josuah]

This is how openssl(1) checks for name clash:

static int index_name_qual(char **a)
{
        return (a[0][0] == 'V');
}

https://github.com/openssl/openssl/blob/master/apps/lib/apps.c#L1418-L1421

And it seems that, like @TinCanTech said, it is only checked that way if index.txt.attr has unique_subject set to yes:

    if (db->attributes.unique_subject
        && !TXT_DB_create_index(db->db, DB_name, index_name_qual,
                                LHASH_HASH_FN(index_name),
                                LHASH_COMP_FN(index_name)))
        [...]

https://github.com/openssl/openssl/blob/master/apps/lib/apps.c#L1681-L1688

So at certificate creation time, it is only checking for duplicate against Valid state, ignoring Revoked ones.

Maybe like this instead of tail -n 2 since now we know a bit more about index.txt thanks to the discussion:

CLIENTEXISTS=$(grep -c -E -m 1 "^V.*/CN=$CLIENT\$" /etc/openvpn/easy-rsa/pki/index.txt)

The -m 1 is to get at most one match, to make sure that grep returns "1" or "0" and not "2" or more.

[josuah]

My bad, I just noticed #680, which will most likely fix this one.

[saeedvaziry]

Any fixes for this bug?

[0xtejas]

I tried just deleting the old file from the clients folder and then I generated the openvpn config with the same name This time it had no issue

Steps to reproduce Revoke the client file, delete the file from clients folder, regenerate

[igaresh]

Hi.

Is there an update for the issue?

On different servers this problem is exist. Using script few years but only now noted that sometimes revoked client still able to connect.

Looked into the openvpn/pki folde. There is no sign of the crt. Manually deleted CN, able to reproduce the CN with the same name. Now I have clients with same name one of which was revoked but still works and new with the same name.

I use the script in massive scale, few dozens clients on different servers and cannot imagine what could be a scale of the issue

Any suggestions?

[igaresh]

I tried just deleting the old file from the clients folder and then I generated the openvpn config with the same name This time it had no issue

You mean actual .ovpn file or .crt file?

[0xtejas]

I tried just deleting the old file from the clients folder and then I generated the openvpn config with the same name This time it had no issue

You mean actual .ovpn file or .crt file?

.ovpn file

[anasred]

once you deleted the .ovpn file the client (the user) remains using it because of caching as I recall. So try to restart the VPN server and he will be logged out automatically.

[igaresh]

once you deleted the .ovpn file the client (the user) remains using it because of caching as I recall. So try to restart the VPN server and he will be logged out automatically.

In routine yes it works like a charm. But issue is after: revoking -> restarting server = client still connects. Not all of them. Like last issue I had: revoked 2 clients, 1 stoped instantly, another still work. After restarting openvpn service, restarting VPS, removing from revoked folder still working. Moreover I able to create client with exact same name and both working.

.ovpn file

.ovpn file get deleted when revoking client, so I don't have them after that. May there other place where they stored?

[asebaresm]

I'm having the same issue as @igaresh . Right now, If I create a new client using the script and then revoke it, it works without issues. But if I try to revoke some old clients created months ago they are still able to connect. The issue seems very inconsistent and the client age is the only pattern I found.

What checks can we perform in our end to find the root of the issue?

[TinCanTech]

@asebaresm Make sure you create a new Certificate revocation list and over-write the old one. Then check your server log for problems.

[igaresh]

@asebaresm Make sure you create a new Certificate revocation list and over-write the old one. Then check your server log for problems.

After revocation completed, "An updated CRL has been created.". That means even tough file is created automatically, it has to be re-created?

[TinCanTech]

My mistake. I checked the source and a new CRL is generated and put in place when the client is revoked. However, still check your logs for errors.

[igaresh]

check your logs for errors.

I don't have any issues now, since I reinstall OpenVPN every time I face an issue. But during investigation there were no even a sign of issue in logs. Revoked CN was in CRL

[even0306]

Submitted pr #978, will fix the second issue when merged

[dudefoxlive]

Has this issue been fixed yet? Just installed a fresh Debian 11 VM and tested this and its still not patched.

[berni123]

This bug seems still active. Is there a way to completely remove the revoked cert from easy-rsa? After that the script might handle the client name as a new one ...

[TinCanTech]

Is there a way to completely remove the revoked cert from easy-rsa?

This is a misconception.

It is not possible to remove a certificate from your PKI (ie. EasyRSA). The certificate can only be revoked.

If index.txt is edited by any external factor then your PKI is corrupted.

@angristan will have to make a decision as to how to proceed.

[dudefoxlive]

This bug seems still active. Is there a way to completely remove the revoked cert from easy-rsa? After that the script might handle the client name as a new one ...

I ended up moving on from openvpn to easy-wg. I am still using openvpn in my setup but its more of a backup/failover.

[joelpramos]

Submitted pr #978, will fix the second issue when merged

a mix of this (which doesn't appear to be in the master) and

adding the upgrade ca after the revoke did the trick (https://github.com/OpenVPN/easy-rsa/issues/105#issuecomment-752836140)

I did not test what happens when a client is connected, certificate is revoked, and whether the client is disconnected. All I was after was to reuse the username.

https://github.com/angristan/openvpn-install/issues/652

[sysadminpower2019]

I am still getting this error despite trying the latest version of the script and trying the upgrade ca command

[alsyundawy]

any update @angristan ?

[bugrevealingbme]

same++

[panas47403]

It is 2024, and the recent version still has "The specified client CN was already found in easy-rsa, please choose another name" issue when trying to "add" a previously "revoked" user. Editing index.txt, even though claimed by some to be a workaround, is frowned upon by renowned colleagues in this thread. So, what is the "officialy suggested" solution for this? There are many situations when modifying a username/login is very inconvenient.