Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Elegant solution for renewing CRL #236

Closed
westbywest opened this issue Aug 17, 2017 · 6 comments
Closed

Elegant solution for renewing CRL #236

westbywest opened this issue Aug 17, 2017 · 6 comments

Comments

@westbywest
Copy link

westbywest commented Aug 17, 2017
edited
Loading

For openvpn-2.4.3 under Redhat7, the openssl.cnf supplied to easy-rsa sneaks in a default 30day expiration for the CRL:
default_crl_days= 30

Since this module doesn't provide direct management of openssl.cnf, VPN clients will fail to connect after 30days per the likely unexpected default. A crude resolution is to delete crl.pem and run puppet again to regenerate. Even more crude is to set openvpn::server::crl_verify = false.

Should this module take a more active role in managing crl.pem freshness? I.e. parametrize default_crl_days, and/or toggle the option to delete / regenerate crl.pem?
@bsnape
Copy link

bsnape commented Sep 6, 2017

Thanks @westbywest this is affecting me too. I hope that this module can fix the problem.

Setting crl_verify to true is very risky indeed as revoked certificates will be allowed to connect.

To give people a bit more context on your excellent answer, you'll see this error in the system log:

VERIFY ERROR: depth=0, error=CRL has expired: C=GB, ST=London, L=London, O=X, CN=X, emailAddress=X

and openssl.cnf is found here:

/etc/openvpn/<server-name>/easy-rsa/openssl.cnf

Here's a useful writeup from a bug report.

Personally, I'll be setting default_crl_days to 3650 to match the value in default_days for now. I think your suggestion of a regeneration option is a much cleaner approach though.

to-kn added a commit to to-kn/puppet-openvpn that referenced this issue Sep 9, 2017
@to-kn
tackle problem with expired crl.pem.
cb97a75 
add parameters: crl_auto_renew, crl_renew_schedule_period, crl_renew_schedule_repeat
refs voxpupuli#236
to-kn added a commit to to-kn/puppet-openvpn that referenced this issue Sep 9, 2017
@to-kn
tackle problem with expired crl.pem.
8691402 
add parameters: crl_auto_renew, crl_renew_schedule_period, crl_renew_schedule_repeat
refs voxpupuli#236
@hertell
Copy link

hertell commented Sep 19, 2017

With a simple date-check we could maybe regenerate the crl if needed..

echo $(( $(date -d "$(openssl crl -in ${etc_directory}/openvpn/${name}/crl.pem -text|grep -oP 'Next Update: *\K.*')" +%s) - $(date +%s) ))

Puppet is not my strongest field, so i have not yet managed to create an exec for this.

@westbywest
Copy link
Author

@hertell Having the module push the CRL expiration date out to a parameter would help avoid a situation where the user may be unaware such an expiration date exists (i.e. independently of any $key_expire value they specify). Letting puppet silently regenerate the CRL in the background is one resolution, but not for situations where puppet is only run once upon machine deployment, or at least only run irregularly. Looks like changes are being tested to make a new parameter: to-kn@cb97a75

@caiohasouza
Copy link

+1

to-kn added a commit to to-kn/puppet-openvpn that referenced this issue Oct 20, 2017
@to-kn
tackle problem with expired crl.pem.
bdbc97b 
add parameters: crl_auto_renew, crl_renew_schedule_period, crl_renew_schedule_repeat
refs voxpupuli#236
@to-kn
Copy link
Contributor

to-kn commented Oct 20, 2017
edited
Loading

i added a parameter for automatically renewing the crl-list (since not all systems can edit the default_crl_days) if you are interested, i can open a PR (see https://github.com/to-kn/puppet-openvpn/tree/add_crl_renewal)
i have running it in production since one month, without any issue.

to-kn added a commit to to-kn/puppet-openvpn that referenced this issue Dec 27, 2017
@to-kn
tackle problem with expired crl.pem.
e874b69 
add parameters: crl_auto_renew, crl_renew_schedule_period, crl_renew_schedule_repeat
refs voxpupuli#236
to-kn added a commit to to-kn/puppet-openvpn that referenced this issue Dec 27, 2017
@to-kn
tackle problem with expired crl.pem.
b00787a 
add parameters: crl_auto_renew, crl_renew_schedule_period, crl_renew_schedule_repeat
refs voxpupuli#236
to-kn added a commit to to-kn/puppet-openvpn that referenced this issue Dec 27, 2017
@to-kn
update crl if validity is less than 1 week
4ea24da 
add parameters: crl_auto_renew, crl_renew_schedule_period, crl_renew_schedule_repeat
refs voxpupuli#236
update tests
@to-kn to-kn mentioned this issue Dec 27, 2017
Merged
@to-kn
Copy link
Contributor

to-kn commented Jan 7, 2018

this issue is fixed by #256, @bastelfreak i think you can close this

ChrisOrlando pushed a commit to nexcess/puppet-openvpn that referenced this issue Jul 17, 2023
@ChrisOrlando
allow setting default_crl_days in openssl.cnf seems that other people…
d2d2015 
… are running into the issue now too: voxpupuli#236
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@hertell @bastelfreak @westbywest @bsnape @to-kn @caiohasouza