How to delete OpenVPN user login/certificate

Hello. I’ve been using OpenVPN in VyOS for a few years, but only lately have I had the need to delete users, as they left the department.
I do a “source ./vars” in the /config/easy-rsa2 folder.
./revoke-full user_to_delete displays the following error:

Using configuration from /config/easy-rsa2/openssl.cnf
Error opening user_to_delete.crt user_to_delete.crt
140045219112592:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('user_to_delete.crt','r')
140045219112592:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load certificate
Using configuration from /config/easy-rsa2/openssl.cnf
Error opening certificate file user_to_delete.crt
140666079487632:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('user_to_delete.crt','r')
140666079487632:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load certificate

Nevertheless, crl.pem is created.
If this worked, I guess I could remove the user folder under “/config/easy-rsa2/keys” and manually remove its .pem file.

But I’m stuck. Any ideas, please?

Hi @dave08, which VyOS version are you running?
Did you delete anything from /config/easy-rsa2?

Hello. Thanks for the reply. I’m using version 1.2.5 and didn’t delete anything in that folder…

Any suggestions, please?

Can you send me a PM with the output of ls -R /config/easy-rsa2 and which user exactly you want to delete?

Hi @dave08, the main issue happened because you moved client certificates to other directories.
As an example, userxxx.crt should be stored in /config/easy-rsa2/keys/, but in your case you moved it to /config/easy-rsa2/keys/userxxx/userxxx.crt. Copy all userxxx.crt files to the keys/ directory and try to revoke again.

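A check for the layout problem described in this reply, added here as an example and not part of easy-rsa or VyOS: it assumes the easy-rsa 2 convention that revoke-full looks for keys/<name>.crt, and it builds a constructed temporary tree instead of touching /config/easy-rsa2. restore_layout copies (rather than moves) the files back, so the per-user folders stay intact.

```python
"""Find client certificates that were moved out of easy-rsa 2's keys/ directory,
which is what makes `./revoke-full <name>` fail with 'Error opening <name>.crt'.
Added example; not easy-rsa or VyOS code."""
import os
import shutil
import tempfile


def find_misplaced_certs(keys_dir):
    """Return [(found, expected)] for every *.crt below keys_dir that is not
    directly inside keys_dir. easy-rsa 2's revoke-full opens keys/<name>.crt,
    so a file at keys/<user>/<user>.crt is invisible to it (assumption: the
    standard easy-rsa 2 layout)."""
    misplaced = []
    for root, _dirs, files in os.walk(keys_dir):
        if os.path.abspath(root) == os.path.abspath(keys_dir):
            continue                       # top level is where files belong
        for name in files:
            if name.endswith(".crt"):
                found = os.path.join(root, name)
                expected = os.path.join(keys_dir, name)
                if not os.path.exists(expected):
                    misplaced.append((found, expected))
    return misplaced


def restore_layout(keys_dir, dry_run=True):
    """Copy misplaced certificates back into keys/. Returns the plan as
    (relative source, relative destination) pairs; with dry_run=False the
    copies are actually performed."""
    actions = find_misplaced_certs(keys_dir)
    if not dry_run:
        for found, expected in actions:
            shutil.copy2(found, expected)
    return [(os.path.relpath(f, keys_dir), os.path.relpath(e, keys_dir))
            for f, e in actions]


def cert_present(keys_dir, name):
    """True if keys/<name>.crt exists where revoke-full expects it."""
    return os.path.isfile(os.path.join(keys_dir, name + ".crt"))


def build_constructed_layout():
    """Constructed sample tree mirroring the thread: alice.crt correctly in
    keys/, bob's files moved into keys/bob/. Returns the keys/ path."""
    base = tempfile.mkdtemp(prefix="easy-rsa2-example-")
    keys = os.path.join(base, "keys")
    os.makedirs(os.path.join(keys, "bob"))
    for rel in ("ca.crt", "alice.crt", "alice.key", "bob/bob.crt", "bob/bob.key"):
        with open(os.path.join(keys, rel), "w") as fh:
            fh.write("# constructed placeholder for %s\n" % rel)
    return keys


if __name__ == "__main__":
    keys = build_constructed_layout()
    print("plan:", restore_layout(keys, dry_run=True))   # [('bob/bob.crt', 'bob.crt')]
    restore_layout(keys, dry_run=False)
    print("bob.crt present:", cert_present(keys, "bob"))  # True
```

Run it once with dry_run=True against a copy of the real keys/ directory to see what would be copied, then with dry_run=False; afterwards ./revoke-full <name> finds the certificate again.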

Hello all!

Now in 2024 I’ve arrived at 1.5-rolling, and I am facing a similar problem again. I just upgraded a datacenter VM from 1.3 to 1.5-rolling-202408250823 and recreated the CA and certificates for OpenVPN. Everything works fine, except for the revocation of client certificates.

Back in 1.3, when there was no PKI, we had an OpenVPN config node for the CRL:
set interfaces openvpn vtun0 tls crl-file '/config/auth/openvpn/crl.pem'
This node is gone now (maybe it is linked to the CA now??).

I’ve created a test cert, tested the OpenVPN login (worked like a charm), and revoked the test cert:

mhaas@glvr01# set pki certificate heinz_test revoke 
[edit]
mhaas@glvr01# commit
[edit]
mhaas@glvr01# run show pki certificate heinz_test 
Certificates:
Name        Type    Subject CN    Issuer CN                  Issued               Expiry               Revoked    Private Key    CA Present
----------  ------  ------------  -------------------------  -------------------  -------------------  ---------  -------------  ----------------------
heinz_test  Client  CN=heinz      CN=glvr01-device-services  2024-09-27 09:45:20  2025-09-27 09:45:20  Yes        Yes            Yes (glvr01-device-ca)
[edit]
mhaas@glvr01#

… But the cert “heinz_test” can still be used to establish a working VPN connection, even after the revocation. Am I missing something?

Thanks and kind regards from Bavaria!
Manuel

You have to revoke the certificate first, then generate the crl and commit the changes:

vyos@vyos# set pki certificate client2 revoke
vyos@vyos# run generate pki crl root_ca install

Thanks for your reply! :slight_smile:

Hm… now nobody is able to connect - but it’s not bad, since the node is not yet in production.

VERIFY ERROR: depth=0, error=CRL is not yet valid: C=DE, ST=Some-State, L=Some-City, O=xxxxxx, CN=xxxxxx, serial=263937347943753811015893263021750403790414053392
OpenSSL: error:0A000086:SSL routines::certificate verify failed
TLS_ERROR: BIO read tls_read_plaintext error

Do I have to recreate the whole PKI after adding the crl?

[EDIT]
No, recreating the CA wasn’t the solution. But removing the CRL solves the error.

There seems to be something wrong with the CRL, but I cannot see what. Everything seems to be correct - also the system time!

mhaas@glvr01:~$ sudo openssl crl -in /run/openvpn/vtun0_crl.pem -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = DE, ST = xxxx, L = xxxx, O = ip&xxxx, CN = xxxx Vyos Services on glvr01
        Last Update: Sep 30 11:02:19 2024 GMT
        Next Update: Oct  1 11:02:19 2024 GMT
Revoked Certificates:
    Serial Number: 4C6C070B069FFB5CDFDE94CCCAE1532B53583B8C
        Revocation Date: Sep 30 11:02:19 2024 GMT
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        3f:ba:21:4f:9c:ed:8d:95:b5:d4:34:b6:56:80:f4:48:03:c2:
        8c:af:01:fc:cd:23:b9:73:15:01:71:82:42:f7:a3:30:90:b6:
        2b:bd:27:47:00:a9:58:1b:a8:0a:e9:9e:03:55:bb:2b:b6:c0:
        14:c5:91:44:20:26:a9:70:b5:69:12:7d:e8:6e:c4:dc:91:e0:
        fd:e3:a3:ef:32:69:96:8e:f1:06:64:8a:9e:63:64:34:34:ae:
        80:dd:88:3f:e9:53:15:d2:a4:a6:ad:f0:c2:d8:5c:b7:35:49:
        c7:dd:5a:91:12:11:19:72:56:72:35:22:8f:fb:d9:aa:f7:81:
        01:35:05:63:72:1d:08:f8:4c:ae:bb:d6:97:fa:2f:27:1f:19:
        d9:42:97:95:72:15:a6:f1:fd:91:2a:94:e7:7a:f0:94:ed:8a:
        a8:19:9f:f0:3a:3e:81:7c:1e:b9:b4:8a:d7:e7:32:2f:79:4c:
        a9:f6:02:bb:58:84:ac:d5:19:8e:9b:cd:83:5c:12:82:e2:4a:
        06:44:c7:db:ae:36:a4:1b:66:e4:07:02:6f:d9:21:29:9e:e1:
        9c:d6:99:eb:d2:e6:1e:00:5a:d1:71:a4:ea:9b:27:65:88:36:
        11:be:08:95:d5:aa:b0:12:b7:6f:ca:c8:b3:ec:e6:1b:4f:74:
        d8:cc:8f:5a
-----BEGIN X509 CRL-----
MIIB5zCB0AIBATANBgkqhkiG9w0BAQsFADB1MQswCQYDVQQGEwJERTEQMA4GA1UE
CAwHQmF2YXJpYTERMA8GA1UEBwwISXNtYW5pbmcxFTATBgNVBAoMDGlwJm1vcmUg
xxxx
Fabx/ZEqlOd68JTtiqgZn/A6PoF8Hrm0itfnMi95TKn2ArtYhKzVGY6bzYNcEoLi
SgZEx9uuNqQbZuQHAm/ZISme4ZzWmevS5h4AWtFxpOqbJ2WINhG+CJXVqrASt2/K
yLPs5htPdNjMj1o=
-----END X509 CRL-----

mhaas@glvr01:~$ sudo openssl x509 -in /run/openvpn/vtun0_cert.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:8e:43:2b:e3:b1:f4:17:65:56:69:c9:c1:86:96:17:d7:d2:d7:60
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = DE, ST = xxxx, L = xxxx, O = xxxx, CN = xxxx Vyos Services on glvr01
        Validity
            Not Before: Sep 30 08:25:37 2024 GMT
            Not After : Aug 28 08:25:37 2042 GMT
        Subject: C = DE, ST = Some-State, L = Some-City, O = xxxx, CN = glvr01.xxxx.de
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a9:30:73:8f:4a:d6:4e:7a:76:21:44:a4:e3:61:
                    19:73:bc:43:80:a8:53:bf:5c:80:6d:d4:18:39:86:
                    c6:2c:c2:e8:a5:95:67:5a:10:81:f7:63:8a:9c:da:
                    6c:4a:e4:88:e8:23:e9:f1:fd:9b:e2:84:b3:cc:7c:
                    54:de:f0:35:54:49:68:9b:de:83:6d:f1:1f:00:d8:
xxxx
                    4a:6c:2c:11:63:9c:29:04:06:98:9d:17:96:82:3d:
                    35:c7:88:10:a8:3e:dc:50:e1:a1:72:c8:1a:b9:1f:
                    4f:52:f5:00:7d:3b:f0:55:65:7b:2d:59:94:0b:8c:
                    f6:66:7b:5d:74:70:34:64:49:ae:41:4f:73:b5:5e:
                    71:22:41:e8:ea:68:e1:00:06:0e:d6:e0:15:98:ea:
                    00:b1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Subject Key Identifier: 
                4B:58:39:FF:B1:BF:21:BF:BE:75:EA:95:ED:58:96:AA:5D:70:4D:DF
            X509v3 Authority Key Identifier: 
                F3:87:4D:4D:55:62:B9:75:C3:08:05:87:23:A0:5E:E6:2C:67:9C:77
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        36:5a:c5:c5:95:c6:d8:ea:61:e1:f6:5c:e6:a2:f6:0e:3c:2a:
        e6:53:43:da:1a:28:36:66:0c:e2:76:35:3c:a2:8a:db:5f:98:
        bc:12:4a:b6:ec:b4:19:85:f6:1a:66:f5:1a:ab:ee:ac:54:92:
        2d:b5:87:d3:19:e9:d9:72:2f:8f:81:9c:35:bf:aa:54:e6:71:
        7d:e7:d2:9e:b1:c2:b6:a2:10:a0:8d:73:fa:6c:9b:be:71:7d:
        0d:91:5a:e4:d7:a9:52:36:0d:8f:50:b9:06:2d:b7:5d:c3:9e:
        xxxx
        xxxx
        e2:77:b5:7f:e3:62:27:d0:93:26:a9:46:d4:71:35:da:f3:0c:
        0d:92:89:a5:fb:36:a7:b9:13:bb:53:52:9d:46:a7:5b:df:23:
        03:d4:37:79:cf:98:e0:46:1b:a9:03:86:43:2b:3e:c1:66:59:
        75:df:f6:fe:ff:52:fb:aa:99:a3:60:e7:6d:d8:32:d9:7f:0f:
        52:72:22:33:d6:90:13:ab:3f:3b:69:3b:2e:d3:56:a2:22:fe:
        d4:ee:ff:02:fb:d7:ea:cb:4f:14:00:8c:94:f5:7b:2a:78:d2:
        69:b0:7b:cb
-----BEGIN CERTIFICATE-----
MIID5DCCAsygAwIBAgIUAY5DK+Ox9BdlVmnJwYaWF9fS12AwDQYJKoZIhvcNAQEL
BQAwdTELMAkGA1UEBhMCREUxEDAOBgNVBAgMB0JhdmFyaWExETAPBgNVBAcMCElz
bWFuaW5nMRUwEwYDVQQKDAxpcCZtb3JlIEdtYkgxKjAoBgNVBAMMIWlwYW5kbW9y
xxxx
LGecdzANBgkqhkiG9w0BAQsFAAOCAQEANlrFxZXG2Oph4fZc5qL2Djwq5lND2hoo
NmYM4nY1PKKK21+YvBJKtuy0GYX2Gmb1GqvurFSSLbWH0xnp2XIvj4GcNb+qVOZx
fefSnrHCtqIQoI1z+mybvnF9DZFa5NepUjYNj1C5Bi23XcOe9DgxWND3RMmFXWJq
A48lAyOT7/I4noOYAuSK4qIuWsiTqDA24ne1f+NiJ9CTJqlG1HE12vMMDZKJpfs2
p7kTu1NSnUanW98jA9Q3ec+Y4EYbqQOGQys+wWZZdd/2/v9S+6qZo2Dnbdgy2X8P
UnIiM9aQE6s/O2k7LtNWoiL+1O7/AvvX6stPFACMlPV7KnjSabB7yw==
-----END CERTIFICATE-----

mhaas@glvr01:~$ sudo openssl x509 -in /run/openvpn/vtun0_ca.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0c:82:20:06:f6:ae:b8:1f:5b:85:2f:cd:1d:76:92:ba:02:7c:de:59
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = DE, ST = xxxx, L = xxxx, O = xxxx, CN = xxxx Vyos Services on glvr01
        Validity
            Not Before: Sep 30 08:21:00 2024 GMT
            Not After : Apr  1 08:21:00 2046 GMT
        Subject: C = DE, ST = xxxx, L = xxxx, O = xxxx, CN = xxxx Vyos Services on glvr01
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a2:78:15:01:7a:76:97:61:c7:51:e7:dc:58:b4:
                    21:99:67:d7:bd:e9:c9:7f:37:66:9b:2e:99:99:db:
                    1a:c7:f2:50:6f:45:57:1e:c8:04:ab:ba:65:6b:65:
                    a6:81:5e:67:9d:85:eb:b5:41:6d:97:af:ce:aa:f3:
                    a0:ff:e6:ce:2e:a6:94:91:d0:ed:07:3f:cb:84:76:
                    26:46:fa:9f:f7:cc:b5:0d:39:dc:9d:af:34:4d:dd:
                    c9:df:c6:32:e5:d8:e7:b4:a1:b9:c3:b1:ff:00:84:
                    xxxx
                    xxxx
                    2a:9e:53:2f:34:2f:fb:c5:9c:06:a2:9f:7c:78:da:
                    d6:61:97:4e:49:ac:4e:b9:f7:a3:16:27:20:82:ad:
                    f2:9b:d5:72:1a:33:f1:c7:92:39:b8:f9:55:0a:81:
                    3b:61:c0:12:26:ff:84:91:44:ed:01:7f:ab:77:48:
                    05:62:cd:d8:da:3d:6d:08:65:c8:04:08:74:b9:aa:
                    3d:de:88:41:10:d1:e2:e9:1c:34:46:a0:77:56:c8:
                    4f:39
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Subject Key Identifier: 
                F3:87:4D:4D:55:62:B9:75:C3:08:05:87:23:A0:5E:E6:2C:67:9C:77
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        0e:41:d8:23:22:2d:ae:d2:90:06:6a:6a:db:9d:4e:61:df:08:
        dd:44:aa:68:68:06:9c:9d:be:8f:53:50:1d:f5:2c:0e:6e:c2:
        40:38:76:1f:6e:df:56:c7:74:ee:ee:fa:66:67:ac:5a:44:bb:
        8e:f8:a6:c6:8e:52:08:6e:95:4d:b9:bc:9e:89:75:4c:7d:91:
        aa:00:ed:1a:ff:22:d8:2b:30:6e:c8:92:10:db:18:35:a5:15:
        xxxxx
        93:bd:30:be:f1:b5:4f:9e:35:cb:a2:71:13:52:8f:c6:95:d7:
        18:da:55:90:b1:b5:e6:e7:bc:1b:79:ec:5d:4b:5a:27:ee:5d:
        61:ad:f6:a7:87:a8:b5:e9:b9:54:31:3d:38:8e:87:42:78:c4:
        c5:4f:a0:81:a3:b3:70:57:0e:11:5a:21:d1:49:33:6f:14:70:
        00:68:f4:7c
-----BEGIN CERTIFICATE-----
MIID2TCCAsGgAwIBAgIUDIIgBvauuB9bhS/NHXaSugJ83lkwDQYJKoZIhvcNAQEL
BQAwdTELMAkGA1UEBhMCREUxEDAOBgNVBAgMB0JhdmFyaWExETAPBgNVBAcMCElz
bWFuaW5nMRUwEwYDVQQKDAxpcCZtb3JlIEdtYkgxKjAoBgNVBAMMIWlwYW5kbW9y
xxxx
BggrBgEFBQcDATAdBgNVHQ4EFgQU84dNTVViuXXDCAWHI6Be5ixnnHcwDQYJKoZI
hvcNAQELBQADggEBAA5B2CMiLa7SkAZqatudTmHfCN1EqmhoBpydvo9TUB31LA5u
wkA4dh9u31bHdO7u+mZnrFpEu474psaOUghulU25vJ6JdUx9kaoA7Rr/ItgrMG7I
khDbGDWlFdL6W2i2eJpwZDVRJBlZMCZ+K+Y+yLp5DFHg2682lqobQaybTZrgKD21
J1WGEUHah/vXHUkLJNSBgNmphTtk3P+svUSuIpvGq4v03DBK9Iz21jkJuJ7MBArB
B5O9ML7xtU+eNcuicRNSj8aV1xjaVZCxtebnvBt57F1LWifuXWGt9qeHqLXpuVQx
PTiOh0J4xMVPoIGjs3BXDhFaIdFJM28UcABo9Hw=
-----END CERTIFICATE-----

mhaas@glvr01:~$ show pki 
Certificate Authorities:
Name              Subject                                                                         Issuer CN                             Issued               Expiry               Private Key    Parent
----------------  ------------------------------------------------------------------------------  ------------------------------------  -------------------  -------------------  -------------  --------
glvr01-device-ca  CN=xxxx Vyos Services on glvr01,O=xxxx,L=xxxx,ST=xxxx,C=DE  CN=xxxx Vyos Services on glvr01  2024-09-30 08:21:00  2046-04-01 08:21:00  Yes            N/A

Certificates:
Name         Type    Subject CN                  Issuer CN                             Issued               Expiry               Revoked    Private Key    CA Present
-----------  ------  --------------------------  ------------------------------------  -------------------  -------------------  ---------  -------------  ----------------------
heinz        Client  CN=heinz                    CN=xxxx Vyos Services on glvr01  2024-09-30 08:27:14  2025-09-30 08:27:14  Yes        Yes            Yes (glvr01-device-ca)
mhaas        Client  CN=mhaas                    CN=xxxx Vyos Services on glvr01  2024-09-30 08:49:17  2042-08-28 08:49:17  No         Yes            Yes (glvr01-device-ca)
openvpn1194  Server  CN=glvr01.ext.ipandmore.de  CN=xxxx Vyos Services on glvr01  2024-09-30 08:25:37  2042-08-28 08:25:37  No         Yes            Yes (glvr01-device-ca)

Certificate Revocation Lists:
CA Name           Updated              Revokes
----------------  -------------------  ---------
glvr01-device-ca  2024-09-30 11:02:19  heinz

Even after a reboot the same OpenVPN error occurs if I recreate the CRL:
VERIFY ERROR: depth=0, error=CRL is not yet valid.

In some old OpenVPN threads on the internet, I saw an old problem with OpenVPN servers that have a timezone other than UTC - my VyOS has Europe/Berlin.
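To narrow down a “CRL is not yet valid” error, the following added example (not OpenVPN or VyOS code) parses the Last Update / Next Update lines from the openssl crl -text output shown above and classifies the CRL against a given verifier clock, exactly the comparison behind OpenSSL’s X509_V_ERR_CRL_NOT_YET_VALID (now earlier than lastUpdate). The function true_utc_of_mislabelled_stamp and the two-hour Europe/Berlin (CEST) offset are assumptions that model the timezone hypothesis from the post, not a confirmed cause; the CRL header text is a constructed sample taken from the values posted above.

```python
"""Check a CRL's validity window, as printed by `openssl crl -text`, against a
verifier's clock. Added example; not OpenVPN or VyOS code."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the header lines of the CRL posted in the thread
# (signature and PEM body omitted).
SAMPLE_CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = DE, ST = xxxx, L = xxxx, O = xxxx, CN = xxxx Vyos Services on glvr01
        Last Update: Sep 30 11:02:19 2024 GMT
        Next Update: Oct  1 11:02:19 2024 GMT
Revoked Certificates:
    Serial Number: 4C6C070B069FFB5CDFDE94CCCAE1532B53583B8C
        Revocation Date: Sep 30 11:02:19 2024 GMT
"""

_OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"


def parse_openssl_time(text):
    """Parse an OpenSSL-style GMT timestamp such as 'Oct  1 11:02:19 2024 GMT'
    into a timezone-aware UTC datetime (the day field may be space-padded)."""
    normalised = " ".join(text.split())
    return datetime.strptime(normalised, _OPENSSL_TIME).replace(tzinfo=timezone.utc)


def crl_window(crl_text):
    """Return (last_update, next_update) from `openssl crl -text` output."""
    last = re.search(r"Last Update:\s*(.+)", crl_text)
    nxt = re.search(r"Next Update:\s*(.+)", crl_text)
    if not last or not nxt:
        raise ValueError("CRL text lacks Last Update / Next Update lines")
    return parse_openssl_time(last.group(1)), parse_openssl_time(nxt.group(1))


def check_crl(crl_text, now):
    """Classify the CRL relative to the verifier's clock `now` (aware datetime
    or ISO-8601 string with offset). Returns (status, skew_seconds):
    'not_yet_valid' when now < lastUpdate (the error OpenVPN logged),
    'expired' when now > nextUpdate, otherwise 'valid'."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    last_update, next_update = crl_window(crl_text)
    if now < last_update:
        return "not_yet_valid", int((last_update - now).total_seconds())
    if now > next_update:
        return "expired", int((now - next_update).total_seconds())
    return "valid", 0


def true_utc_of_mislabelled_stamp(stamp, utc_offset_hours):
    """Hypothetical model of the timezone theory: if a generator wrote local
    wall-clock time into the CRL but labelled it GMT, the real UTC instant of
    generation is the stamp minus the local UTC offset."""
    return stamp - timedelta(hours=utc_offset_hours)


if __name__ == "__main__":
    last_update, _ = crl_window(SAMPLE_CRL_TEXT)
    # Assumed Europe/Berlin offset on 30 Sep 2024 (CEST): UTC+2.
    real_generation = true_utc_of_mislabelled_stamp(last_update, 2)
    # A verifier with a correct UTC clock, one minute after generation,
    # would still see the CRL's lastUpdate almost two hours in the future.
    print(check_crl(SAMPLE_CRL_TEXT, real_generation + timedelta(minutes=1)))
    print(check_crl(SAMPLE_CRL_TEXT, last_update + timedelta(minutes=1)))
```

A quick way to use it on the box is to compare check_crl's result for `date -u` against the CRL that OpenVPN actually loads (/run/openvpn/vtun0_crl.pem in the post); a 'not_yet_valid' result with a skew close to the local UTC offset points at a timestamp written in local time, while a skew near zero points elsewhere.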