Fix genctl execute - Githubissues

scopenco commented 5 years ago

The current execute that generates CRL is broken. CRL should be updated using CA certificate, not the client certificate (server.crt).

How to test:

Create a new user
Connect with the new certificate to OpenVPN

Revoke the test user

export KEY_CN=server && \
. /etc/openvpn/easy-rsa/vars && \
openssl ca -revoke /etc/openvpn/keys/TESTUSER.crt \
-config /etc/openvpn/easy-rsa/openssl.cnf

Gegerate new CRL using command from gencrl execute

export KEY_CN=MYORG && \
openssl ca -config /etc/openvpn/easy-rsa/openssl.cnf -gencrl \
  -keyfile /etc/openvpn/keys/server.key \
  -cert /etc/openvpn/keys/server.crt \
  -out /etc/openvpn/keys/crl.pem

After that you still will be able to log in using revoked certificate. The correct revoke will be using ca.crt

export KEY_CN=server && \
openssl ca -config /etc/openvpn/easy-rsa/openssl.cnf -gencrl \
  -keyfile /etc/openvpn/keys/ca.key \
  -cert /etc/openvpn/keys/ca.crt \
  -out /etc/openvpn/keys/crl.pem

Fix in PR.

kitchen-porter commented 5 years ago

	1 Error
:no_entry_sign:	Please include a CHANGELOG entry.

	1 Warning
:warning:	This Pull Request is probably missing tests.

Generated by :no_entry_sign: Danger

xorima commented 4 years ago

Hey,

Thank you for the PR. We are closing due to inactivity. If you feel this feature should be merged in, please reopen and rebase as your contributions are always welcome.

Sous Chefs

sous-chefs / openvpn

Fix genctl execute #137