Koozali.org: home of the SME Server

Openvpn-bridge

ReetP
Re: Openvpn-bridge
« Reply #15 on: March 27, 2020, 12:31:21 PM »
Quote
normally the certificate is in the pk12 right?

Depends what you are using!!!!!

Quote
for installing the certificate, tunnelblick manages it, right?

Usually.

Be quite clear. You need either:

A Public CA certificate

Personal certificates - type VPN Client

A Public user certificate
A Private user certificate

Or:

A pk12 with all three will be combined into one file - CA + public + private

You will need a separate TA Key file.

Make sure that the certificate details all match correctly. You must ONLY have one CA. ALL user certificates must be created/signed by that CA. I think somewhere you have got some certificates muddled up.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

didwedo
Re: Openvpn-bridge
« Reply #16 on: March 27, 2020, 01:21:16 PM »
I don't understand why my user1 can connect and my user2 can't???

ReetP
Re: Openvpn-bridge
« Reply #17 on: March 27, 2020, 08:01:21 PM »
Quote
I don't understand why my user1 can connect and my user2 can't???

Because user 1 has the right certificates setup correctly and user 2 does not. It is as simple as that.

If you read that error online it is the same thing over and over again. So, best check it first, properly.

What did you do differently with the certificates?

You can check each client certificate like this:

Code:
cd /opt/phpki/phpki-store/CA
openssl verify -CAfile ./certs/cacert.pem ./newcerts/100001.pem
You can also check that the details match as well

Code:
openssl x509 -subject -issuer -noout -in ./certs/cacert.pem
openssl x509 -subject -issuer -noout -in ./newcerts/100001.pem

Here is some more reading on the subject (which is exactly what I just had to do myself)

https://duckduckgo.com/?q=openvpn+VERIFY+ERROR%3A+depth%3D1%2C+error%3Dself+signed+certificate+in+certificate+chain&t=canonical&ia=web

Please tell us what versions of software you have as well:

rpm -qa |grep phpki
rpm -qa |grep openvpn

didwedo
Re: Openvpn-bridge
« Reply #18 on: March 30, 2020, 08:45:01 AM »
Hello, sorry for my absence,
the week was difficult and I didn't use a computer all weekend.
You are very nice to help me, thank you.

rpm -qa |grep phpki
smeserver-phpki-0.2-3.el6.sme.noarch
phpki-0.82-19.el6.sme.noarch


rpm -qa |grep openvpn
openvpn-2.4.8-1.el6.x86_64
smeserver-openvpn-bridge-2.1-10.el6.sme.noarch


openssl verify -CAfile ./certs/cacert.pem ./newcerts/100001.pem
OK

openssl x509 -subject -issuer -noout -in ./certs/cacert.pem
subject= /C=CH/ST=VD/L=Lausanne/O=Didwedo sarl/OU=Certificate Authority/CN=PHPki Certificate Authority/emailAddress=webmaster@didwedo.ch
issuer= /C=CH/ST=VD/L=Lausanne/O=Didwedo sarl/OU=Certificate Authority/CN=PHPki Certificate Authority/emailAddress=webmaster@didwedo.ch


I must say that from the beginning I have this error:

An error occurred while updating the CRL for OpenVPN-Bridge
because openssl didn't recognize the file as a valid CRL.
Below is the copy of the latest CRL downloaded from
https://192.168.3.1/phpki/index.php?stage=dl_crl_pem

ReetP
Re: Openvpn-bridge
« Reply #19 on: March 30, 2020, 02:18:50 PM »
Quote
Hello, sorry for my absence,
the week was difficult and I didn't use a computer all weekend.
You are very nice to help me, thank you.

We all have lives....

Quote
rpm -qa |grep phpki
smeserver-phpki-0.2-3.el6.sme.noarch
phpki-0.82-19.el6.sme.noarch


rpm -qa |grep openvpn
openvpn-2.4.8-1.el6.x86_64
smeserver-openvpn-bridge-2.1-10.el6.sme.noarch


OK

Quote
openssl verify -CAfile ./certs/cacert.pem ./newcerts/100001.pem
OK

Do that for ALL the certificates....

And check this for all certificates as well:

Code:
openssl x509 -subject -issuer -noout -in ./newcerts/100001.pem
Quote
openssl x509 -subject -issuer -noout -in ./certs/cacert.pem
subject= /C=CH/ST=VD/L=Lausanne/O=Didwedo sarl/OU=Certificate Authority/CN=PHPki Certificate Authority/emailAddress=webmaster@didwedo.ch
issuer= /C=CH/ST=VD/L=Lausanne/O=Didwedo sarl/OU=Certificate Authority/CN=PHPki Certificate Authority/emailAddress=webmaster@didwedo.ch

OK.

Quote
I must say that from the beginning I have this error:

An error occurred while updating the CRL for OpenVPN-Bridge
because openssl didn't recognize the file as a valid CRL.
Below is the copy of the latest CRL downloaded from
https://192.168.3.1/phpki/index.php?stage=dl_crl_pem

Never leave out errors when reporting an issue - they may or may not be important.

Revocation list - checks if any certificates have been revoked.

In this case it should not be fatal but you should check it. There is a crontab that should get the CRL from your PHPKI server.

Code:
# Update OpenVPN bridge's CRL
5 * * * * root /etc/e-smith/events/actions/openvpn-bridge-update-crl > /dev/null 2>&1

You need to make sure the openvpn server can read the crl from the PHPKI server (I don't know if they are on the same server or a different server) - test with a browser.

Try testing using the command line:

Code:
/etc/e-smith/events/actions/openvpn-bridge-update-crl
If so then make sure that this file exists: /etc/openvpn/bridge/pub/cacrl.pem

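The checks from Reply #17 (verify every client certificate against the one CA and confirm its issuer is that CA's subject) and Reply #19 (make sure the downloaded CRL really is a CA-signed CRL, and see what it revokes) collected into one script. This is an added example, not code from the thread or from the smeserver-openvpn-bridge contrib. It builds its own throwaway PKI in a temp directory, so the CA name, file names and serial numbers are constructed: the "stale" certificate is signed by an earlier CA with the same name, which is the situation behind the VERIFY ERROR discussed above, and the .html file stands in for a CRL download that returned a web page instead of PEM.

```shell
#!/bin/sh
# Added example (not from the thread): the certificate and CRL checks from
# Replies #17 and #19, run against a throwaway PKI built in setup_demo below.
set -eu

# Verify one client cert the way ReetP describes: the issuer name must be the
# CA's subject AND the signature must validate with `openssl verify -CAfile`.
# A cert from an old installation can pass the name check and still fail the
# signature check, because a rebuilt CA has the same name but a new key.
check_cert() {
    ca=$1; cert=$2
    ca_subj=$(openssl x509 -noout -subject -in "$ca"); ca_subj=${ca_subj#subject=}
    issuer=$(openssl x509 -noout -issuer -in "$cert"); issuer=${issuer#issuer=}
    if [ "$issuer" != "$ca_subj" ]; then
        echo "FAIL: issuer is not this CA ($issuer)"; return 1
    fi
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: same CA name, but signature does not verify (stale CA key?)"; return 1
    fi
    echo "OK"
}

# The CRL the cron job downloads must (1) parse as a CRL at all - an HTML login
# or error page from the PHPki URL is what "didn't recognize the file as a valid
# CRL" usually means - and (2) be signed by the CA the bridge trusts.
check_crl() {
    ca=$1; crl=$2
    if ! openssl crl -noout -in "$crl" >/dev/null 2>&1; then
        echo "not a valid CRL"; return 1
    fi
    if ! openssl crl -noout -in "$crl" -CAfile "$ca" >/dev/null 2>&1; then
        echo "CRL not signed by this CA"; return 1
    fi
    echo "CRL OK"
}

# Hex serials listed in the CRL: check this before wondering why a user's
# VPN login fails.
revoked_serials() {
    openssl crl -noout -text -in "$1" | sed -n 's/.*Serial Number: *//p'
}

# Constructed fixture: a new CA, an old CA with the same name, one cert from
# each, a CRL revoking the good cert, and a fake "CRL" that is really HTML.
setup_demo() {
    work=$(mktemp -d)
    (
        cd "$work"
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example PHPki CA" \
            -keyout ca.key -out cacert.pem 2>/dev/null
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example PHPki CA" \
            -keyout oldca.key -out oldca.pem 2>/dev/null
        openssl req -newkey rsa:2048 -nodes -subj "/CN=team" -keyout team.key -out team.csr 2>/dev/null
        openssl x509 -req -in team.csr -CA cacert.pem -CAkey ca.key -set_serial 4660 \
            -days 1 -out team.pem 2>/dev/null
        openssl req -newkey rsa:2048 -nodes -subj "/CN=stale" -keyout stale.key -out stale.csr 2>/dev/null
        openssl x509 -req -in stale.csr -CA oldca.pem -CAkey oldca.key -set_serial 4661 \
            -days 1 -out stale.pem 2>/dev/null
        # minimal `openssl ca` config: only what -revoke and -gencrl need
        touch index.txt; echo 01 > serial; echo 01 > crlnumber
        cat > ca.cnf <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $work/index.txt
new_certs_dir = $work
serial = $work/serial
crlnumber = $work/crlnumber
certificate = $work/cacert.pem
private_key = $work/ca.key
default_md = sha256
default_crl_days = 1
EOF
        openssl ca -config ca.cnf -revoke team.pem >/dev/null 2>&1
        openssl ca -config ca.cnf -gencrl -out cacrl.pem 2>/dev/null
        printf '<html><body>login required</body></html>\n' > cacrl.html
    )
    echo "$work"
}

DEMO=$(setup_demo)
for c in team stale; do
    printf '%-6s ' "$c"; check_cert "$DEMO/cacert.pem" "$DEMO/$c.pem" || true
done
printf 'cacrl.pem:  '; check_crl "$DEMO/cacert.pem" "$DEMO/cacrl.pem" || true
printf 'cacrl.html: '; check_crl "$DEMO/cacert.pem" "$DEMO/cacrl.html" || true
echo "revoked serials: $(revoked_serials "$DEMO/cacrl.pem")"
```

On a real SME box the same functions apply to /opt/phpki/phpki-store/CA/certs/cacert.pem, the files under newcerts/, and /etc/openvpn/bridge/pub/cacrl.pem; the point of the "stale" case is that subject and issuer text can look right while `openssl verify` still fails, so both checks are needed.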

didwedo
Re: Openvpn-bridge
« Reply #20 on: March 30, 2020, 02:34:03 PM »
OK, I am not very comfortable handling crontabs...

/etc/e-smith/events/actions/openvpn-bridge-update-crl
ok
If so then make sure that this file exists: /etc/openvpn/bridge/pub/cacrl.pem
the cert exists with no error

and I do not dare to re-install everything because at the moment there is no one on site and the only account that works is essential.

maybe we will wait, and when the time comes I'll hire you to fix this, what do you think?

normally all certificates are revoked except the bridge and the user admin. I will check the others.
thank you

ReetP
Re: Openvpn-bridge
« Reply #21 on: March 30, 2020, 03:47:54 PM »
Quote
OK, I am not very comfortable handling crontabs...

Usually just scripts in a file that get run periodically. There is nothing to worry about.

Quote
the cert exist with no error

OK, so you have the cacrl.pem

Quote
and I do not dare to re-install everything because at the moment there is no one on site and the only account that works is essential.

Understandable. You should have ssh access really.....

Quote
maybe we will wait and when the time comes I mandate you to fix this, what do you think?

If I need the money that badly I will let you know ;-)

Quote
normally all certificates are revoked except the bridge and the user admin. I will check the others.
thank you

Ahhhh.

Have you thought about what you have said here???? I mean REALLY thought about it?

All certificates EXCEPT the bridge and the admin are revoked.

So, you have certs for the:

1. bridge server itself
2. admin
3. team
4. chris

I think you better check how many of these are valid?

Can you also show:

Code:
ll /etc/openvpn/bridge/pub

Here's mine (updated by the cronjob at 15.05 - should be every hour at 5 minutes past)

-rw-r--r-- 1 root root 1401 Mar 30 15:05 cacrl.pem


didwedo
Re: Openvpn-bridge
« Reply #22 on: March 31, 2020, 08:49:52 AM »
oops
-rw-r--r-- 1 root admin 1858 20 mars  15:48 cacert.pem
-rw-r--r-- 1 root root   934  5 août   2019 cacrl.pem
-rw-r--r-- 1 root admin 1990 20 mars  15:48 cert.pem
-rw-r--r-- 1 root admin  248 20 mars  15:48 dh.pem


I have SSH access, don't worry ;-)

I have certs for the:

1. bridge server itself
2. team
3. chris


# openssl verify -CAfile ./certs/cacert.pem ./newcerts/10000F.pem
./newcerts/10000F.pem: OK
# openssl verify -CAfile ./certs/cacert.pem ./newcerts/100006.pem
./newcerts/100006.pem: OK
# openssl verify -CAfile ./certs/cacert.pem ./newcerts/100019.pem
./newcerts/100019.pem: OK

You should also understand that I am only a webmaster, having drifted into development, then a bit of Linux admin, but totally limited.

didwedo
Re: Openvpn-bridge
« Reply #23 on: April 14, 2020, 11:47:02 AM »
To close this ticket, I will explain the mistake I made.

After a server crash, I reinstalled SME from scratch and re-created the VPN and the user.
Out of laziness I simply filled in the fields with the values from the old installation and not with the newly generated certificates.

So the old user worked and the new ones gave me errors.
Everything is back in order now that I have put the right certificates into the OpenVPN-Bridge.

Thanks to everyone who helped me.
See you soon
chris