July 2, 2009 at 7:59 am #41760
This is my very first time dropping some lines in this forum, so I really hope anyone can help me on this:
When I revoke an user’s certificate by Users > X509 > revoke Certificate in order to NOT allow him VPN connection anymore, this same user still can connect by VPN, and supposely the certificate exists no more! Even if I delete that user from the Users List after revoking+delete his certificate, he still can connect!!! This is getting me crazy indeed… how is that possible?? Is there any way to delete a certificate by console or whatever? Looks like that certificate and user still exists somewhere in some database or record…
Please I need some help!!!
Thank you very much in advance!!December 22, 2009 at 5:27 am #48355
The way that OpenVPN works is that each time you revoke a certificate it generates/updates a CRL (certificate revocation list) file, against which it checks incoming client connection requests. Even though you may revoke multiple client certificates, the CRL is just one key, against which multiple clients keys can generate a hit/match.
You can find the crl.pem file that ZS uses at the location of:
So, if you start the OpenVPN server process with the option of
It will then reject any certificates that you have revoked.
The BIG CATCH is that if you delete a user without first revoking the user’s cert, that user/cert will still be able to connect (as you have noticed, which is probably not what you want).
In the case you forgot to revoke the cert before deleting the user, you’ll have to have access to the cert and private key for the user you mistakenly deleted. If you don’t have access to these two files then you’re probably screwed 😉
Assuming you DO have the cert/private key of the deleted user, you need to go in and manually swap it in for the cert+key of the “tempuser”
- create a new user in the ZS gui (doesn’t have to be the same as the original username)
- using an ssh session into your ZS box, do the following:
root@zeroshell root> mv /Database/etc/ssl/certs/_user.pem /Database/etc/ssl/certs/_user.pem.orig;vi /Database/etc/ssl/certs/_user.pem
(paste the _user.pem certificate contents and save)
- do the same for the key file located in /Database/etc/ssl/certs/_user.pem, this time pasting in the keyfile contents
- now go back into the GUI and revoke the certificate for the . This revocation should trigger an automatic restart of the affected openvpn server process as long as you have started it with the –crl-verify option as listed above.
- once this is done, you can delete the _user.pem files and then rename the _user.pem.orig back to the original _user.pem if you need to keep this temporary user and/or its information for some reason
Once again, just be aware that each time you revoke a certificate against an openvpn server instance where it’s been started with the crl-verify option, you will reset that process and thus kick off all clients briefly.December 22, 2009 at 9:16 am #48356
What if you demand both cert and user/passwd?
You must be logged in to reply to this topic.