Why does re-issue of EasyRSA 3 certificate after revoke for OpenVPN fail?











up vote
0
down vote

favorite












The problem



I am running an OpenVPN 2.4.4 server using EasyRSA 3 on Ubuntu 18.04. Occasionally, the server IP changes and I need to re-deploy client.ovpn files to clients to reflect that change. In the past, on Ubuntu 16.04, I used EasyRSA 2 to revoke the certificates, then re-issue certificates and client.ovpn files with no problem.



Now, after I revoke, I cannot re-issue to clients because OpenVPN fails the TLS handshake. My workaround is to completely rebuild the CA and re-initialize the OpenVPN server. I would like to target individual clients on a priority basis rather than 'shotgunning' all the clients at once.



OK here's some specifics:



I can provide logs, config files, etc. if that helps. Let me know what you need to help with the answer.




  • I use a VM solely for building client/server certificates and ancillary files. When I am done issuing certificates, I can shut down the VM to avoid outside intrusions.

  • I used the instructions on Digital Ocean as a guide. It should no be a problem that I have the CA and the requestor PKIs on the same machine (which is separate from the OpenVPN server machine).

  • I created two PKI hierarchies on that VM: One is the CA and the other is devoted to creating cert requests plus issuing client.ovpn files. The two hierarchies are completely independent.

  • I can successfully create all the required artifacts and create a connection with OpenVPN.

  • I can successfully revoke clients so they cannot connect to the OpenVPN server.

  • I use the easyrsa script to 'update-db' and 'create-crl'.

  • I deploy crl.pem to the OpenVPN server and restart each time there is an update or revocation.


Here are CRL and text db contents:




  • Upon initialization of server



$> cat auth/pki/index.txt

V 281109182216Z       FF42240511ED8204215894082114D4A4    unknown /CN=server

$> openssl crl -in auth/pki/crl.pem -text -noout"

Certificate Revocation List (CRL):

        Version 2 (0x1)

    Signature Algorithm: sha256WithRSAEncryption

        Issuer: /CN=domain

        Last Update: Nov 12 18:28:17 2018 GMT

        Next Update: Nov  9 18:28:17 2028 GMT

        CRL extensions:

            X509v3 Authority Key Identifier: 

                keyid:AC:22:23:B8:0F:02:5C:A8:82:EF:C6:89:7B:62:E3:C8:81:8F:6B:AE

                DirName:/CN=domain

                serial:A0:23:32:51:DD:EF:C4:98



No Revoked Certificates.

    Signature Algorithm: sha256WithRSAEncryption

         76:fd:69:a3:0f:84:e6:ca:5b:5e:ce:53:ad:63:42:ea:ea:99:

         e2:71:5b:9b:b7:68:91:fa:09:4c:4a:3a:22:95:dd:ee:08:76:

         99:9d:19:e0:97:10:05:9c:6b:e0:65:8a:03:78:21:e3:a0:02:

         70:62:f2:ab:a3:75:f8:6a:7f:b0:1d:65:16:34:49:a8:9e:aa:

         ff:56:73:65:b9:60:05:57:84:c3:52:b7:ae:da:0f:1a:c3:9a:

         a4:0b:69:95:15:70:ac:63:9e:73:4b:1d:35:4d:98:08:70:55:

         5b:a9:bf:9e:43:17:bf:1f:8b:59:3c:ad:cf:3e:0c:5e:d1:7d:

         42:58:52:f5:2e:b3:03:62:37:9f:e6:a9:53:f6:f3:7e:f5:58:

         5c:3f:fa:f7:e4:ce:67:75:e7:4d:bf:d2:b4:18:58:db:59:1d:

         80:f9:81:c9:e9:ea:a0:e1:9e:96:a5:c7:dc:89:67:66:b3:05:

         7a:49:92:0a:53:30:c4:b0:7f:04:7b:b8:5f:67:c3:56:7c:96:

         e1:8b:38:ce:3c:cb:95:46:f1:2e:01:20:71:58:f9:02:22:2c:

         d1:07:6f:fc:fa:e4:ab:a9:7c:bf:87:4a:51:e8:71:50:55:0b:

         04:81:25:d3:33:fb:4c:a3:a4:e0:44:ca:91:05:d2:fd:91:8b:

         a3:95:41:69




  • After issuing configs for 2 clients:



$> cat auth/pki/index.txt

V 281109182216Z       FF42240511ED8204215894082114D4A4    unknown /CN=server

V 281109182955Z       B9BEBF692BF00C05E7C589E63A77D555    unknown /CN=client1

V 281109183009Z       2CB6E6C5C31195943D3340008CC46DA5    unknown /CN=client2

$> openssl crl -in auth/pki/crl.pem -text -noout"

Certificate Revocation List (CRL):

        Version 2 (0x1)

    Signature Algorithm: sha256WithRSAEncryption

        Issuer: /CN=domain

        Last Update: Nov 12 18:30:10 2018 GMT

        Next Update: Nov  9 18:30:10 2028 GMT

        CRL extensions:

            X509v3 Authority Key Identifier: 

                keyid:AC:22:23:B8:0F:02:5C:A8:82:EF:C6:89:7B:62:E3:C8:81:8F:6B:AE

                DirName:/CN=domain

                serial:A0:23:32:51:DD:EF:C4:98



No Revoked Certificates.

    Signature Algorithm: sha256WithRSAEncryption

         06:1c:eb:ec:69:d9:3d:4d:d1:5d:ab:7a:99:17:5b:21:d6:f8:

         a1:80:55:b0:63:45:4d:2c:52:3b:00:78:18:46:78:13:94:19:

         31:c9:54:33:be:42:d4:e4:35:56:da:8b:4a:b1:ac:fd:5a:28:

         94:9b:6d:33:fd:6c:76:db:8c:49:b4:5c:6e:28:38:41:87:dd:

         37:ba:76:c2:aa:67:72:37:7d:0f:fa:35:a5:b2:04:fc:52:42:

         e2:42:40:da:e4:2a:be:70:4c:d1:f9:c4:3e:77:d1:58:c6:a2:

         55:61:d4:19:b8:d1:81:02:9a:6d:5c:7f:d2:e4:67:fc:70:3e:

         42:4a:7e:e7:ee:c7:76:09:d2:68:f7:2b:6f:15:a8:66:09:9a:

         8a:40:51:78:6b:9d:ce:65:4c:2d:85:b6:1f:b6:ab:50:d8:27:

         e7:bd:9a:49:4a:91:6d:94:26:73:69:b7:3d:29:b0:a9:7d:0b:

         1e:eb:3b:73:7e:a5:c7:50:49:46:2d:72:bc:a3:d2:20:26:98:

         22:f4:f1:10:98:62:46:1c:cd:fc:73:2f:78:80:14:c8:24:38:

         7c:b6:1a:17:27:9d:62:64:f0:b2:35:82:c4:b7:ab:ac:04:08:

         e1:c2:b9:9e:58:7a:0e:4c:9d:6a:b7:9d:26:6a:29:f0:4f:88:

         4e:77:fc:19




  • After revoking configs for 2 clients:



$> cat auth/pki/index.txt

V 281109182216Z       FF42240511ED8204215894082114D4A4    unknown /CN=server

R 281109182955Z   181112183024Z   B9BEBF692BF00C05E7C589E63A77D555    unknown /CN=client1

R 281109183009Z   181112183027Z   2CB6E6C5C31195943D3340008CC46DA5    unknown /CN=client2

$> openssl crl -in auth/pki/crl.pem -text -noout"

Certificate Revocation List (CRL):

        Version 2 (0x1)

    Signature Algorithm: sha256WithRSAEncryption

        Issuer: /CN=domain

        Last Update: Nov 12 18:30:27 2018 GMT

        Next Update: Nov  9 18:30:27 2028 GMT

        CRL extensions:

            X509v3 Authority Key Identifier: 

                keyid:AC:22:23:B8:0F:02:5C:A8:82:EF:C6:89:7B:62:E3:C8:81:8F:6B:AE

                DirName:/CN=domain

                serial:A0:23:32:51:DD:EF:C4:98



Revoked Certificates:

    Serial Number: 2CB6E6C5C31195943D3340008CC46DA5

        Revocation Date: Nov 12 18:30:27 2018 GMT

    Serial Number: B9BEBF692BF00C05E7C589E63A77D555

        Revocation Date: Nov 12 18:30:24 2018 GMT

    Signature Algorithm: sha256WithRSAEncryption

         70:6d:f8:fc:84:32:3c:bf:f0:a1:63:e8:2b:94:0d:01:46:71:

         95:60:73:02:f5:d4:a4:48:cb:58:7b:8a:8c:b0:4c:27:23:81:

         eb:c0:99:a2:a8:89:16:76:87:28:0d:82:cc:a2:7a:de:28:8f:

         77:08:66:46:59:a3:07:7d:a6:0b:1b:75:d4:9f:5b:5f:75:cc:

         eb:1c:f7:22:90:a5:59:f8:29:01:5c:1c:5f:9e:77:9a:67:50:

         a0:5d:15:af:da:20:73:ae:40:1f:fd:e3:af:27:6e:f6:5c:6a:

         1f:d0:85:a8:92:02:1b:d6:77:7c:bc:66:ae:3c:ff:cf:70:17:

         50:12:a7:df:a0:a9:f7:b9:df:11:4a:3c:1e:16:75:01:9c:ef:

         22:9f:3d:40:85:ba:78:d0:fa:14:9a:22:77:b0:d6:69:25:7d:

         98:68:f2:89:b7:63:5a:f1:f1:76:b5:cd:a0:7c:7a:e9:e2:4d:

         25:07:0e:7c:1e:c3:dd:ec:9a:e2:32:9d:ff:f4:af:38:50:98:

         a0:de:5d:5f:22:0d:8e:f5:c1:90:e3:ea:b2:1c:11:83:93:d4:

         12:c7:7f:52:0d:c2:9b:d7:27:73:ee:8f:53:89:02:18:68:b3:

         88:49:3c:9a:28:9d:2f:47:c8:1a:bf:17:f6:a6:21:33:85:86:

         8e:64:6a:57




  • After re-issuing configs for 2 clients:



$> cat auth/pki/index.txt

V 281109182216Z       FF42240511ED8204215894082114D4A4    unknown /CN=server

R 281109182955Z   181112183024Z   B9BEBF692BF00C05E7C589E63A77D555    unknown /CN=client1

R 281109183009Z   181112183027Z   2CB6E6C5C31195943D3340008CC46DA5    unknown /CN=client2

V 281109183048Z       C195D111FDC160DBFABD37A74C7DA816    unknown /CN=client1

V 281109183057Z       45AFBA1724B26E1B127091B9EC5E782B    unknown /CN=client2

$> openssl crl -in auth/pki/crl.pem -text -noout"

Certificate Revocation List (CRL):

        Version 2 (0x1)

    Signature Algorithm: sha256WithRSAEncryption

        Issuer: /CN=domain

        Last Update: Nov 12 18:30:57 2018 GMT

        Next Update: Nov  9 18:30:57 2028 GMT

        CRL extensions:

            X509v3 Authority Key Identifier: 

                keyid:AC:22:23:B8:0F:02:5C:A8:82:EF:C6:89:7B:62:E3:C8:81:8F:6B:AE

                DirName:/CN=domain

                serial:A0:23:32:51:DD:EF:C4:98



Revoked Certificates:

    Serial Number: 2CB6E6C5C31195943D3340008CC46DA5

        Revocation Date: Nov 12 18:30:27 2018 GMT

    Serial Number: B9BEBF692BF00C05E7C589E63A77D555

        Revocation Date: Nov 12 18:30:24 2018 GMT

    Signature Algorithm: sha256WithRSAEncryption

         73:2d:5b:ea:22:4b:0b:30:37:05:24:10:bd:0f:d5:c6:14:4d:

         b0:40:9b:20:7c:3c:03:20:79:f8:74:ad:4b:bf:6d:bc:f0:c6:

         25:c2:a4:7a:d0:c8:5c:8b:34:4a:97:38:36:0c:74:75:50:d6:

         f3:0b:ca:f1:39:1e:ee:8f:12:9b:ed:d7:35:eb:d6:1d:80:25:

         1e:2e:a5:2b:f0:ef:a4:5e:c5:b6:39:33:9a:27:17:80:7c:f1:

         d0:c4:f9:de:47:52:70:bb:59:e1:d2:f8:74:11:9e:a8:8c:29:

         8a:54:ab:ee:b5:1d:ad:b9:ab:e3:2a:98:21:74:55:93:db:2f:

         e5:43:21:52:a1:a1:11:23:4a:7c:9b:30:52:8c:7e:16:51:4d:

         bb:e1:5e:23:6f:e7:f5:c9:90:fc:7e:06:79:86:64:7d:32:c0:

         43:22:8c:8c:f4:b5:97:bb:3a:25:a3:f3:77:36:17:4b:98:6d:

         d7:35:b5:c0:fa:88:bc:68:5c:a8:2d:8f:ca:93:e9:86:e8:b3:

         2c:31:55:c4:06:4c:2c:69:e7:5f:20:26:bd:82:90:89:8a:d0:

         8e:d8:2e:d2:b3:d8:0a:fa:97:3e:2c:fd:42:39:e4:bb:5e:51:

         ef:02:c2:72:5b:a6:99:8f:2c:9d:8c:db:66:22:1c:3d:4e:43:

         1c:d2:2a:ec



Observations




  • This looks like a bug in either EasyRSA or OpenVPN. Clearly, the DB (index.txt) indicates that the new certificates after revoke have different serial numbers. Am I missing something here?






openvpn







share|improve this question




























    up vote
    0
    down vote

    favorite












    The problem



    I am running an OpenVPN 2.4.4 server using EasyRSA 3 on Ubuntu 18.04. Occasionally, the server IP changes and I need to re-deploy client.ovpn files to clients to reflect that change. In the past, on Ubuntu 16.04, I used EasyRSA 2 to revoke the certificates, then re-issue certificates and client.ovpn files with no problem.



    Now, after I revoke, I cannot re-issue to clients because OpenVPN fails the TLS handshake. My workaround is to completely rebuild the CA and re-initialize the OpenVPN server. I would like to target individual clients on a priority basis rather than 'shotgunning' all the clients at once.



    OK here's some specifics:



    I can provide logs, config files, etc. if that helps. Let me know what you need to help with the answer.




    • I use a VM solely for building client/server certificates and ancillary files. When I am done issuing certificates, I can shut down the VM to avoid outside intrusions.

    • I used the instructions on Digital Ocean as a guide. It should no be a problem that I have the CA and the requestor PKIs on the same machine (which is separate from the OpenVPN server machine).

    • I created two PKI hierarchies on that VM: One is the CA and the other is devoted to creating cert requests plus issuing client.ovpn files. The two hierarchies are completely independent.

    • I can successfully create all the required artifacts and create a connection with OpenVPN.

    • I can successfully revoke clients so they cannot connect to the OpenVPN server.

    • I use the easyrsa script to 'update-db' and 'create-crl'.

    • I deploy crl.pem to the OpenVPN server and restart each time there is an update or revocation.


    Here are CRL and text db contents:




    • Upon initialization of server



    $> cat auth/pki/index.txt
    
V 281109182216Z       FF42240511ED8204215894082114D4A4    unknown /CN=server
    
$> openssl crl -in auth/pki/crl.pem -text -noout"
    
Certificate Revocation List (CRL):
    
        Version 2 (0x1)
    
    Signature Algorithm: sha256WithRSAEncryption
    
        Issuer: /CN=domain
    
        Last Update: Nov 12 18:28:17 2018 GMT
    
        Next Update: Nov  9 18:28:17 2028 GMT
    
        CRL extensions:
    
            X509v3 Authority Key Identifier: 
    
                keyid:AC:22:23:B8:0F:02:5C:A8:82:EF:C6:89:7B:62:E3:C8:81:8F:6B:AE
    
                DirName:/CN=domain
    
                serial:A0:23:32:51:DD:EF:C4:98
    

    
No Revoked Certificates.
    
    Signature Algorithm: sha256WithRSAEncryption
    
         76:fd:69:a3:0f:84:e6:ca:5b:5e:ce:53:ad:63:42:ea:ea:99:
    
         e2:71:5b:9b:b7:68:91:fa:09:4c:4a:3a:22:95:dd:ee:08:76:
    
         99:9d:19:e0:97:10:05:9c:6b:e0:65:8a:03:78:21:e3:a0:02:
    
         70:62:f2:ab:a3:75:f8:6a:7f:b0:1d:65:16:34:49:a8:9e:aa:
    
         ff:56:73:65:b9:60:05:57:84:c3:52:b7:ae:da:0f:1a:c3:9a:
    
         a4:0b:69:95:15:70:ac:63:9e:73:4b:1d:35:4d:98:08:70:55:
    
         5b:a9:bf:9e:43:17:bf:1f:8b:59:3c:ad:cf:3e:0c:5e:d1:7d:
    
         42:58:52:f5:2e:b3:03:62:37:9f:e6:a9:53:f6:f3:7e:f5:58:
    
         5c:3f:fa:f7:e4:ce:67:75:e7:4d:bf:d2:b4:18:58:db:59:1d:
    
         80:f9:81:c9:e9:ea:a0:e1:9e:96:a5:c7:dc:89:67:66:b3:05:
    
         7a:49:92:0a:53:30:c4:b0:7f:04:7b:b8:5f:67:c3:56:7c:96:
    
         e1:8b:38:ce:3c:cb:95:46:f1:2e:01:20:71:58:f9:02:22:2c:
    
         d1:07:6f:fc:fa:e4:ab:a9:7c:bf:87:4a:51:e8:71:50:55:0b:
    
         04:81:25:d3:33:fb:4c:a3:a4:e0:44:ca:91:05:d2:fd:91:8b:
    
         a3:95:41:69




    • After issuing configs for 2 clients:



    $> cat auth/pki/index.txt
    
V 281109182216Z       FF42240511ED8204215894082114D4A4    unknown /CN=server
    
V 281109182955Z       B9BEBF692BF00C05E7C589E63A77D555    unknown /CN=client1
    
V 281109183009Z       2CB6E6C5C31195943D3340008CC46DA5    unknown /CN=client2
    
$> openssl crl -in auth/pki/crl.pem -text -noout"
    
Certificate Revocation List (CRL):
    
        Version 2 (0x1)
    
    Signature Algorithm: sha256WithRSAEncryption
    
        Issuer: /CN=domain
    
        Last Update: Nov 12 18:30:10 2018 GMT
    
        Next Update: Nov  9 18:30:10 2028 GMT
    
        CRL extensions:
    
            X509v3 Authority Key Identifier: 
    
                keyid:AC:22:23:B8:0F:02:5C:A8:82:EF:C6:89:7B:62:E3:C8:81:8F:6B:AE
    
                DirName:/CN=domain
    
                serial:A0:23:32:51:DD:EF:C4:98
    

    
No Revoked Certificates.
    
    Signature Algorithm: sha256WithRSAEncryption
    
         06:1c:eb:ec:69:d9:3d:4d:d1:5d:ab:7a:99:17:5b:21:d6:f8:
    
         a1:80:55:b0:63:45:4d:2c:52:3b:00:78:18:46:78:13:94:19:
    
         31:c9:54:33:be:42:d4:e4:35:56:da:8b:4a:b1:ac:fd:5a:28:
    
         94:9b:6d:33:fd:6c:76:db:8c:49:b4:5c:6e:28:38:41:87:dd:
    
         37:ba:76:c2:aa:67:72:37:7d:0f:fa:35:a5:b2:04:fc:52:42:
    
         e2:42:40:da:e4:2a:be:70:4c:d1:f9:c4:3e:77:d1:58:c6:a2:
    
         55:61:d4:19:b8:d1:81:02:9a:6d:5c:7f:d2:e4:67:fc:70:3e:
    
         42:4a:7e:e7:ee:c7:76:09:d2:68:f7:2b:6f:15:a8:66:09:9a:
    
         8a:40:51:78:6b:9d:ce:65:4c:2d:85:b6:1f:b6:ab:50:d8:27:
    
         e7:bd:9a:49:4a:91:6d:94:26:73:69:b7:3d:29:b0:a9:7d:0b:
    
         1e:eb:3b:73:7e:a5:c7:50:49:46:2d:72:bc:a3:d2:20:26:98:
    
         22:f4:f1:10:98:62:46:1c:cd:fc:73:2f:78:80:14:c8:24:38:
    
         7c:b6:1a:17:27:9d:62:64:f0:b2:35:82:c4:b7:ab:ac:04:08:
    
         e1:c2:b9:9e:58:7a:0e:4c:9d:6a:b7:9d:26:6a:29:f0:4f:88:
    
         4e:77:fc:19




    • After revoking configs for 2 clients:



    $> cat auth/pki/index.txt
    
V 281109182216Z       FF42240511ED8204215894082114D4A4    unknown /CN=server
    
R 281109182955Z   181112183024Z   B9BEBF692BF00C05E7C589E63A77D555    unknown /CN=client1
    
R 281109183009Z   181112183027Z   2CB6E6C5C31195943D3340008CC46DA5    unknown /CN=client2
    
$> openssl crl -in auth/pki/crl.pem -text -noout"
    
Certificate Revocation List (CRL):
    
        Version 2 (0x1)
    
    Signature Algorithm: sha256WithRSAEncryption
    
        Issuer: /CN=domain
    
        Last Update: Nov 12 18:30:27 2018 GMT
    
        Next Update: Nov  9 18:30:27 2028 GMT
    
        CRL extensions:
    
            X509v3 Authority Key Identifier: 
    
                keyid:AC:22:23:B8:0F:02:5C:A8:82:EF:C6:89:7B:62:E3:C8:81:8F:6B:AE
    
                DirName:/CN=domain
    
                serial:A0:23:32:51:DD:EF:C4:98
    

    
Revoked Certificates:
    
    Serial Number: 2CB6E6C5C31195943D3340008CC46DA5
    
        Revocation Date: Nov 12 18:30:27 2018 GMT
    
    Serial Number: B9BEBF692BF00C05E7C589E63A77D555
    
        Revocation Date: Nov 12 18:30:24 2018 GMT
    
    Signature Algorithm: sha256WithRSAEncryption
    
         70:6d:f8:fc:84:32:3c:bf:f0:a1:63:e8:2b:94:0d:01:46:71:
    
         95:60:73:02:f5:d4:a4:48:cb:58:7b:8a:8c:b0:4c:27:23:81:
    
         eb:c0:99:a2:a8:89:16:76:87:28:0d:82:cc:a2:7a:de:28:8f:
    
         77:08:66:46:59:a3:07:7d:a6:0b:1b:75:d4:9f:5b:5f:75:cc:
    
         eb:1c:f7:22:90:a5:59:f8:29:01:5c:1c:5f:9e:77:9a:67:50:
    
         a0:5d:15:af:da:20:73:ae:40:1f:fd:e3:af:27:6e:f6:5c:6a:
    
         1f:d0:85:a8:92:02:1b:d6:77:7c:bc:66:ae:3c:ff:cf:70:17:
    
         50:12:a7:df:a0:a9:f7:b9:df:11:4a:3c:1e:16:75:01:9c:ef:
    
         22:9f:3d:40:85:ba:78:d0:fa:14:9a:22:77:b0:d6:69:25:7d:
    
         98:68:f2:89:b7:63:5a:f1:f1:76:b5:cd:a0:7c:7a:e9:e2:4d:
    
         25:07:0e:7c:1e:c3:dd:ec:9a:e2:32:9d:ff:f4:af:38:50:98:
    
         a0:de:5d:5f:22:0d:8e:f5:c1:90:e3:ea:b2:1c:11:83:93:d4:
    
         12:c7:7f:52:0d:c2:9b:d7:27:73:ee:8f:53:89:02:18:68:b3:
    
         88:49:3c:9a:28:9d:2f:47:c8:1a:bf:17:f6:a6:21:33:85:86:
    
         8e:64:6a:57




    • After re-issuing configs for 2 clients:



    $> cat auth/pki/index.txt
    
V 281109182216Z       FF42240511ED8204215894082114D4A4    unknown /CN=server
    
R 281109182955Z   181112183024Z   B9BEBF692BF00C05E7C589E63A77D555    unknown /CN=client1
    
R 281109183009Z   181112183027Z   2CB6E6C5C31195943D3340008CC46DA5    unknown /CN=client2
    
V 281109183048Z       C195D111FDC160DBFABD37A74C7DA816    unknown /CN=client1
    
V 281109183057Z       45AFBA1724B26E1B127091B9EC5E782B    unknown /CN=client2
    
$> openssl crl -in auth/pki/crl.pem -text -noout"
    
Certificate Revocation List (CRL):
    
        Version 2 (0x1)
    
    Signature Algorithm: sha256WithRSAEncryption
    
        Issuer: /CN=domain
    
        Last Update: Nov 12 18:30:57 2018 GMT
    
        Next Update: Nov  9 18:30:57 2028 GMT
    
        CRL extensions:
    
            X509v3 Authority Key Identifier: 
    
                keyid:AC:22:23:B8:0F:02:5C:A8:82:EF:C6:89:7B:62:E3:C8:81:8F:6B:AE
    
                DirName:/CN=domain
    
                serial:A0:23:32:51:DD:EF:C4:98
    

    
Revoked Certificates:
    
    Serial Number: 2CB6E6C5C31195943D3340008CC46DA5
    
        Revocation Date: Nov 12 18:30:27 2018 GMT
    
    Serial Number: B9BEBF692BF00C05E7C589E63A77D555
    
        Revocation Date: Nov 12 18:30:24 2018 GMT
    
    Signature Algorithm: sha256WithRSAEncryption
    
         73:2d:5b:ea:22:4b:0b:30:37:05:24:10:bd:0f:d5:c6:14:4d:
    
         b0:40:9b:20:7c:3c:03:20:79:f8:74:ad:4b:bf:6d:bc:f0:c6:
    
         25:c2:a4:7a:d0:c8:5c:8b:34:4a:97:38:36:0c:74:75:50:d6:
    
         f3:0b:ca:f1:39:1e:ee:8f:12:9b:ed:d7:35:eb:d6:1d:80:25:
    
         1e:2e:a5:2b:f0:ef:a4:5e:c5:b6:39:33:9a:27:17:80:7c:f1:
    
         d0:c4:f9:de:47:52:70:bb:59:e1:d2:f8:74:11:9e:a8:8c:29:
    
         8a:54:ab:ee:b5:1d:ad:b9:ab:e3:2a:98:21:74:55:93:db:2f:
    
         e5:43:21:52:a1:a1:11:23:4a:7c:9b:30:52:8c:7e:16:51:4d:
    
         bb:e1:5e:23:6f:e7:f5:c9:90:fc:7e:06:79:86:64:7d:32:c0:
    
         43:22:8c:8c:f4:b5:97:bb:3a:25:a3:f3:77:36:17:4b:98:6d:
    
         d7:35:b5:c0:fa:88:bc:68:5c:a8:2d:8f:ca:93:e9:86:e8:b3:
    
         2c:31:55:c4:06:4c:2c:69:e7:5f:20:26:bd:82:90:89:8a:d0:
    
         8e:d8:2e:d2:b3:d8:0a:fa:97:3e:2c:fd:42:39:e4:bb:5e:51:
    
         ef:02:c2:72:5b:a6:99:8f:2c:9d:8c:db:66:22:1c:3d:4e:43:
    
         1c:d2:2a:ec



    Observations




    • This looks like a bug in either EasyRSA or OpenVPN. Clearly, the DB (index.txt) indicates that the new certificates after revoke have different serial numbers. Am I missing something here?






    openvpn







    share|improve this question


























      up vote
      0
      down vote

      favorite









      up vote
      0
      down vote

      favorite











      The problem



      I am running an OpenVPN 2.4.4 server using EasyRSA 3 on Ubuntu 18.04. Occasionally, the server IP changes and I need to re-deploy client.ovpn files to clients to reflect that change. In the past, on Ubuntu 16.04, I used EasyRSA 2 to revoke the certificates, then re-issue certificates and client.ovpn files with no problem.



      Now, after I revoke, I cannot re-issue to clients because OpenVPN fails the TLS handshake. My workaround is to completely rebuild the CA and re-initialize the OpenVPN server. I would like to target individual clients on a priority basis rather than 'shotgunning' all the clients at once.



      OK here's some specifics:



      I can provide logs, config files, etc. if that helps. Let me know what you need to help with the answer.




      • I use a VM solely for building client/server certificates and ancillary files. When I am done issuing certificates, I can shut down the VM to avoid outside intrusions.

      • I used the instructions on Digital Ocean as a guide. It should no be a problem that I have the CA and the requestor PKIs on the same machine (which is separate from the OpenVPN server machine).

      • I created two PKI hierarchies on that VM: One is the CA and the other is devoted to creating cert requests plus issuing client.ovpn files. The two hierarchies are completely independent.

      • I can successfully create all the required artifacts and create a connection with OpenVPN.

      • I can successfully revoke clients so they cannot connect to the OpenVPN server.

      • I use the easyrsa script to 'update-db' and 'create-crl'.

      • I deploy crl.pem to the OpenVPN server and restart each time there is an update or revocation.


      Here are CRL and text db contents:




      • Upon initialization of server



      $> cat auth/pki/index.txt
      
V 281109182216Z       FF42240511ED8204215894082114D4A4    unknown /CN=server
      
$> openssl crl -in auth/pki/crl.pem -text -noout"
      
Certificate Revocation List (CRL):
      
        Version 2 (0x1)
      
    Signature Algorithm: sha256WithRSAEncryption
      
        Issuer: /CN=domain
      
        Last Update: Nov 12 18:28:17 2018 GMT
      
        Next Update: Nov  9 18:28:17 2028 GMT
      
        CRL extensions:
      
            X509v3 Authority Key Identifier: 
      
                keyid:AC:22:23:B8:0F:02:5C:A8:82:EF:C6:89:7B:62:E3:C8:81:8F:6B:AE
      
                DirName:/CN=domain
      
                serial:A0:23:32:51:DD:EF:C4:98
      

      
No Revoked Certificates.
      
    Signature Algorithm: sha256WithRSAEncryption
      
         76:fd:69:a3:0f:84:e6:ca:5b:5e:ce:53:ad:63:42:ea:ea:99:
      
         e2:71:5b:9b:b7:68:91:fa:09:4c:4a:3a:22:95:dd:ee:08:76:
      
         99:9d:19:e0:97:10:05:9c:6b:e0:65:8a:03:78:21:e3:a0:02:
      
         70:62:f2:ab:a3:75:f8:6a:7f:b0:1d:65:16:34:49:a8:9e:aa:
      
         ff:56:73:65:b9:60:05:57:84:c3:52:b7:ae:da:0f:1a:c3:9a:
      
         a4:0b:69:95:15:70:ac:63:9e:73:4b:1d:35:4d:98:08:70:55:
      
         5b:a9:bf:9e:43:17:bf:1f:8b:59:3c:ad:cf:3e:0c:5e:d1:7d:
      
         42:58:52:f5:2e:b3:03:62:37:9f:e6:a9:53:f6:f3:7e:f5:58:
      
         5c:3f:fa:f7:e4:ce:67:75:e7:4d:bf:d2:b4:18:58:db:59:1d:
      
         80:f9:81:c9:e9:ea:a0:e1:9e:96:a5:c7:dc:89:67:66:b3:05:
      
         7a:49:92:0a:53:30:c4:b0:7f:04:7b:b8:5f:67:c3:56:7c:96:
      
         e1:8b:38:ce:3c:cb:95:46:f1:2e:01:20:71:58:f9:02:22:2c:
      
         d1:07:6f:fc:fa:e4:ab:a9:7c:bf:87:4a:51:e8:71:50:55:0b:
      
         04:81:25:d3:33:fb:4c:a3:a4:e0:44:ca:91:05:d2:fd:91:8b:
      
         a3:95:41:69




      • After issuing configs for 2 clients:



      $> cat auth/pki/index.txt
      
V 281109182216Z       FF42240511ED8204215894082114D4A4    unknown /CN=server
      
V 281109182955Z       B9BEBF692BF00C05E7C589E63A77D555    unknown /CN=client1
      
V 281109183009Z       2CB6E6C5C31195943D3340008CC46DA5    unknown /CN=client2
      
$> openssl crl -in auth/pki/crl.pem -text -noout"
      
Certificate Revocation List (CRL):
      
        Version 2 (0x1)
      
    Signature Algorithm: sha256WithRSAEncryption
      
        Issuer: /CN=domain
      
        Last Update: Nov 12 18:30:10 2018 GMT
      
        Next Update: Nov  9 18:30:10 2028 GMT
      
        CRL extensions:
      
            X509v3 Authority Key Identifier: 
      
                keyid:AC:22:23:B8:0F:02:5C:A8:82:EF:C6:89:7B:62:E3:C8:81:8F:6B:AE
      
                DirName:/CN=domain
      
                serial:A0:23:32:51:DD:EF:C4:98
      

      
No Revoked Certificates.
      
    Signature Algorithm: sha256WithRSAEncryption
      
         06:1c:eb:ec:69:d9:3d:4d:d1:5d:ab:7a:99:17:5b:21:d6:f8:
      
         a1:80:55:b0:63:45:4d:2c:52:3b:00:78:18:46:78:13:94:19:
      
         31:c9:54:33:be:42:d4:e4:35:56:da:8b:4a:b1:ac:fd:5a:28:
      
         94:9b:6d:33:fd:6c:76:db:8c:49:b4:5c:6e:28:38:41:87:dd:
      
         37:ba:76:c2:aa:67:72:37:7d:0f:fa:35:a5:b2:04:fc:52:42:
      
         e2:42:40:da:e4:2a:be:70:4c:d1:f9:c4:3e:77:d1:58:c6:a2:
      
         55:61:d4:19:b8:d1:81:02:9a:6d:5c:7f:d2:e4:67:fc:70:3e:
      
         42:4a:7e:e7:ee:c7:76:09:d2:68:f7:2b:6f:15:a8:66:09:9a:
      
         8a:40:51:78:6b:9d:ce:65:4c:2d:85:b6:1f:b6:ab:50:d8:27:
      
         e7:bd:9a:49:4a:91:6d:94:26:73:69:b7:3d:29:b0:a9:7d:0b:
      
         1e:eb:3b:73:7e:a5:c7:50:49:46:2d:72:bc:a3:d2:20:26:98:
      
         22:f4:f1:10:98:62:46:1c:cd:fc:73:2f:78:80:14:c8:24:38:
      
         7c:b6:1a:17:27:9d:62:64:f0:b2:35:82:c4:b7:ab:ac:04:08:
      
         e1:c2:b9:9e:58:7a:0e:4c:9d:6a:b7:9d:26:6a:29:f0:4f:88:
      
         4e:77:fc:19




      • After revoking configs for 2 clients:



      $> cat auth/pki/index.txt
      
V 281109182216Z       FF42240511ED8204215894082114D4A4    unknown /CN=server
      
R 281109182955Z   181112183024Z   B9BEBF692BF00C05E7C589E63A77D555    unknown /CN=client1
      
R 281109183009Z   181112183027Z   2CB6E6C5C31195943D3340008CC46DA5    unknown /CN=client2
      
$> openssl crl -in auth/pki/crl.pem -text -noout"
      
Certificate Revocation List (CRL):
      
        Version 2 (0x1)
      
    Signature Algorithm: sha256WithRSAEncryption
      
        Issuer: /CN=domain
      
        Last Update: Nov 12 18:30:27 2018 GMT
      
        Next Update: Nov  9 18:30:27 2028 GMT
      
        CRL extensions:
      
            X509v3 Authority Key Identifier: 
      
                keyid:AC:22:23:B8:0F:02:5C:A8:82:EF:C6:89:7B:62:E3:C8:81:8F:6B:AE
      
                DirName:/CN=domain
      
                serial:A0:23:32:51:DD:EF:C4:98
      

      
Revoked Certificates:
      
    Serial Number: 2CB6E6C5C31195943D3340008CC46DA5
      
        Revocation Date: Nov 12 18:30:27 2018 GMT
      
    Serial Number: B9BEBF692BF00C05E7C589E63A77D555
      
        Revocation Date: Nov 12 18:30:24 2018 GMT
      
    Signature Algorithm: sha256WithRSAEncryption
      
         70:6d:f8:fc:84:32:3c:bf:f0:a1:63:e8:2b:94:0d:01:46:71:
      
         95:60:73:02:f5:d4:a4:48:cb:58:7b:8a:8c:b0:4c:27:23:81:
      
         eb:c0:99:a2:a8:89:16:76:87:28:0d:82:cc:a2:7a:de:28:8f:
      
         77:08:66:46:59:a3:07:7d:a6:0b:1b:75:d4:9f:5b:5f:75:cc:
      
         eb:1c:f7:22:90:a5:59:f8:29:01:5c:1c:5f:9e:77:9a:67:50:
      
         a0:5d:15:af:da:20:73:ae:40:1f:fd:e3:af:27:6e:f6:5c:6a:
      
         1f:d0:85:a8:92:02:1b:d6:77:7c:bc:66:ae:3c:ff:cf:70:17:
      
         50:12:a7:df:a0:a9:f7:b9:df:11:4a:3c:1e:16:75:01:9c:ef:
      
         22:9f:3d:40:85:ba:78:d0:fa:14:9a:22:77:b0:d6:69:25:7d:
      
         98:68:f2:89:b7:63:5a:f1:f1:76:b5:cd:a0:7c:7a:e9:e2:4d:
      
         25:07:0e:7c:1e:c3:dd:ec:9a:e2:32:9d:ff:f4:af:38:50:98:
      
         a0:de:5d:5f:22:0d:8e:f5:c1:90:e3:ea:b2:1c:11:83:93:d4:
      
         12:c7:7f:52:0d:c2:9b:d7:27:73:ee:8f:53:89:02:18:68:b3:
      
         88:49:3c:9a:28:9d:2f:47:c8:1a:bf:17:f6:a6:21:33:85:86:
      
         8e:64:6a:57




      • After re-issuing configs for 2 clients:



      $> cat auth/pki/index.txt
      
V 281109182216Z       FF42240511ED8204215894082114D4A4    unknown /CN=server
      
R 281109182955Z   181112183024Z   B9BEBF692BF00C05E7C589E63A77D555    unknown /CN=client1
      
R 281109183009Z   181112183027Z   2CB6E6C5C31195943D3340008CC46DA5    unknown /CN=client2
      
V 281109183048Z       C195D111FDC160DBFABD37A74C7DA816    unknown /CN=client1
      
V 281109183057Z       45AFBA1724B26E1B127091B9EC5E782B    unknown /CN=client2
      
$> openssl crl -in auth/pki/crl.pem -text -noout"
      
Certificate Revocation List (CRL):
      
        Version 2 (0x1)
      
    Signature Algorithm: sha256WithRSAEncryption
      
        Issuer: /CN=domain
      
        Last Update: Nov 12 18:30:57 2018 GMT
      
        Next Update: Nov  9 18:30:57 2028 GMT
      
        CRL extensions:
      
            X509v3 Authority Key Identifier: 
      
                keyid:AC:22:23:B8:0F:02:5C:A8:82:EF:C6:89:7B:62:E3:C8:81:8F:6B:AE
      
                DirName:/CN=domain
      
                serial:A0:23:32:51:DD:EF:C4:98
      

      
Revoked Certificates:
      
    Serial Number: 2CB6E6C5C31195943D3340008CC46DA5
      
        Revocation Date: Nov 12 18:30:27 2018 GMT
      
    Serial Number: B9BEBF692BF00C05E7C589E63A77D555
      
        Revocation Date: Nov 12 18:30:24 2018 GMT
      
    Signature Algorithm: sha256WithRSAEncryption
      
         73:2d:5b:ea:22:4b:0b:30:37:05:24:10:bd:0f:d5:c6:14:4d:
      
         b0:40:9b:20:7c:3c:03:20:79:f8:74:ad:4b:bf:6d:bc:f0:c6:
      
         25:c2:a4:7a:d0:c8:5c:8b:34:4a:97:38:36:0c:74:75:50:d6:
      
         f3:0b:ca:f1:39:1e:ee:8f:12:9b:ed:d7:35:eb:d6:1d:80:25:
      
         1e:2e:a5:2b:f0:ef:a4:5e:c5:b6:39:33:9a:27:17:80:7c:f1:
      
         d0:c4:f9:de:47:52:70:bb:59:e1:d2:f8:74:11:9e:a8:8c:29:
      
         8a:54:ab:ee:b5:1d:ad:b9:ab:e3:2a:98:21:74:55:93:db:2f:
      
         e5:43:21:52:a1:a1:11:23:4a:7c:9b:30:52:8c:7e:16:51:4d:
      
         bb:e1:5e:23:6f:e7:f5:c9:90:fc:7e:06:79:86:64:7d:32:c0:
      
         43:22:8c:8c:f4:b5:97:bb:3a:25:a3:f3:77:36:17:4b:98:6d:
      
         d7:35:b5:c0:fa:88:bc:68:5c:a8:2d:8f:ca:93:e9:86:e8:b3:
      
         2c:31:55:c4:06:4c:2c:69:e7:5f:20:26:bd:82:90:89:8a:d0:
      
         8e:d8:2e:d2:b3:d8:0a:fa:97:3e:2c:fd:42:39:e4:bb:5e:51:
      
         ef:02:c2:72:5b:a6:99:8f:2c:9d:8c:db:66:22:1c:3d:4e:43:
      
         1c:d2:2a:ec



      Observations




      • This looks like a bug in either EasyRSA or OpenVPN. Clearly, the DB (index.txt) indicates that the new certificates after revoke have different serial numbers. Am I missing something here?






      openvpn







      share|improve this question















      The problem



      I am running an OpenVPN 2.4.4 server using EasyRSA 3 on Ubuntu 18.04. Occasionally, the server IP changes and I need to re-deploy client.ovpn files to clients to reflect that change. In the past, on Ubuntu 16.04, I used EasyRSA 2 to revoke the certificates, then re-issue certificates and client.ovpn files with no problem.



      Now, after I revoke, I cannot re-issue to clients because OpenVPN fails the TLS handshake. My workaround is to completely rebuild the CA and re-initialize the OpenVPN server. I would like to target individual clients on a priority basis rather than 'shotgunning' all the clients at once.



      OK here's some specifics:



      I can provide logs, config files, etc. if that helps. Let me know what you need to help with the answer.




      • I use a VM solely for building client/server certificates and ancillary files. When I am done issuing certificates, I can shut down the VM to avoid outside intrusions.

      • I used the instructions on Digital Ocean as a guide. It should no be a problem that I have the CA and the requestor PKIs on the same machine (which is separate from the OpenVPN server machine).

      • I created two PKI hierarchies on that VM: One is the CA and the other is devoted to creating cert requests plus issuing client.ovpn files. The two hierarchies are completely independent.

      • I can successfully create all the required artifacts and create a connection with OpenVPN.

      • I can successfully revoke clients so they cannot connect to the OpenVPN server.

      • I use the easyrsa script to 'update-db' and 'create-crl'.

      • I deploy crl.pem to the OpenVPN server and restart each time there is an update or revocation.


      Here are CRL and text db contents:




      • Upon initialization of server



      $> cat auth/pki/index.txt
      
V 281109182216Z       FF42240511ED8204215894082114D4A4    unknown /CN=server
      
$> openssl crl -in auth/pki/crl.pem -text -noout"
      
Certificate Revocation List (CRL):
      
        Version 2 (0x1)
      
    Signature Algorithm: sha256WithRSAEncryption
      
        Issuer: /CN=domain
      
        Last Update: Nov 12 18:28:17 2018 GMT
      
        Next Update: Nov  9 18:28:17 2028 GMT
      
        CRL extensions:
      
            X509v3 Authority Key Identifier: 
      
                keyid:AC:22:23:B8:0F:02:5C:A8:82:EF:C6:89:7B:62:E3:C8:81:8F:6B:AE
      
                DirName:/CN=domain
      
                serial:A0:23:32:51:DD:EF:C4:98
      

      
No Revoked Certificates.
      
    Signature Algorithm: sha256WithRSAEncryption
      
         76:fd:69:a3:0f:84:e6:ca:5b:5e:ce:53:ad:63:42:ea:ea:99:
      
         e2:71:5b:9b:b7:68:91:fa:09:4c:4a:3a:22:95:dd:ee:08:76:
      
         99:9d:19:e0:97:10:05:9c:6b:e0:65:8a:03:78:21:e3:a0:02:
      
         70:62:f2:ab:a3:75:f8:6a:7f:b0:1d:65:16:34:49:a8:9e:aa:
      
         ff:56:73:65:b9:60:05:57:84:c3:52:b7:ae:da:0f:1a:c3:9a:
      
         a4:0b:69:95:15:70:ac:63:9e:73:4b:1d:35:4d:98:08:70:55:
      
         5b:a9:bf:9e:43:17:bf:1f:8b:59:3c:ad:cf:3e:0c:5e:d1:7d:
      
         42:58:52:f5:2e:b3:03:62:37:9f:e6:a9:53:f6:f3:7e:f5:58:
      
         5c:3f:fa:f7:e4:ce:67:75:e7:4d:bf:d2:b4:18:58:db:59:1d:
      
         80:f9:81:c9:e9:ea:a0:e1:9e:96:a5:c7:dc:89:67:66:b3:05:
      
         7a:49:92:0a:53:30:c4:b0:7f:04:7b:b8:5f:67:c3:56:7c:96:
      
         e1:8b:38:ce:3c:cb:95:46:f1:2e:01:20:71:58:f9:02:22:2c:
      
         d1:07:6f:fc:fa:e4:ab:a9:7c:bf:87:4a:51:e8:71:50:55:0b:
      
         04:81:25:d3:33:fb:4c:a3:a4:e0:44:ca:91:05:d2:fd:91:8b:
      
         a3:95:41:69




      • After issuing configs for 2 clients:



      $> cat auth/pki/index.txt
      
V 281109182216Z       FF42240511ED8204215894082114D4A4    unknown /CN=server
      
V 281109182955Z       B9BEBF692BF00C05E7C589E63A77D555    unknown /CN=client1
      
V 281109183009Z       2CB6E6C5C31195943D3340008CC46DA5    unknown /CN=client2
      
$> openssl crl -in auth/pki/crl.pem -text -noout"
      
Certificate Revocation List (CRL):
      
        Version 2 (0x1)
      
    Signature Algorithm: sha256WithRSAEncryption
      
        Issuer: /CN=domain
      
        Last Update: Nov 12 18:30:10 2018 GMT
      
        Next Update: Nov  9 18:30:10 2028 GMT
      
        CRL extensions:
      
            X509v3 Authority Key Identifier: 
      
                keyid:AC:22:23:B8:0F:02:5C:A8:82:EF:C6:89:7B:62:E3:C8:81:8F:6B:AE
      
                DirName:/CN=domain
      
                serial:A0:23:32:51:DD:EF:C4:98
      

      
No Revoked Certificates.
      
    Signature Algorithm: sha256WithRSAEncryption
      
         06:1c:eb:ec:69:d9:3d:4d:d1:5d:ab:7a:99:17:5b:21:d6:f8:
      
         a1:80:55:b0:63:45:4d:2c:52:3b:00:78:18:46:78:13:94:19:
      
         31:c9:54:33:be:42:d4:e4:35:56:da:8b:4a:b1:ac:fd:5a:28:
      
         94:9b:6d:33:fd:6c:76:db:8c:49:b4:5c:6e:28:38:41:87:dd:
      
         37:ba:76:c2:aa:67:72:37:7d:0f:fa:35:a5:b2:04:fc:52:42:
      
         e2:42:40:da:e4:2a:be:70:4c:d1:f9:c4:3e:77:d1:58:c6:a2:
      
         55:61:d4:19:b8:d1:81:02:9a:6d:5c:7f:d2:e4:67:fc:70:3e:
      
         42:4a:7e:e7:ee:c7:76:09:d2:68:f7:2b:6f:15:a8:66:09:9a:
      
         8a:40:51:78:6b:9d:ce:65:4c:2d:85:b6:1f:b6:ab:50:d8:27:
      
         e7:bd:9a:49:4a:91:6d:94:26:73:69:b7:3d:29:b0:a9:7d:0b:
      
         1e:eb:3b:73:7e:a5:c7:50:49:46:2d:72:bc:a3:d2:20:26:98:
      
         22:f4:f1:10:98:62:46:1c:cd:fc:73:2f:78:80:14:c8:24:38:
      
         7c:b6:1a:17:27:9d:62:64:f0:b2:35:82:c4:b7:ab:ac:04:08:
      
         e1:c2:b9:9e:58:7a:0e:4c:9d:6a:b7:9d:26:6a:29:f0:4f:88:
      
         4e:77:fc:19




      • After revoking configs for 2 clients:



      $> cat auth/pki/index.txt
      
V 281109182216Z       FF42240511ED8204215894082114D4A4    unknown /CN=server
      
R 281109182955Z   181112183024Z   B9BEBF692BF00C05E7C589E63A77D555    unknown /CN=client1
      
R 281109183009Z   181112183027Z   2CB6E6C5C31195943D3340008CC46DA5    unknown /CN=client2
      
$> openssl crl -in auth/pki/crl.pem -text -noout"
      
Certificate Revocation List (CRL):
      
        Version 2 (0x1)
      
    Signature Algorithm: sha256WithRSAEncryption
      
        Issuer: /CN=domain
      
        Last Update: Nov 12 18:30:27 2018 GMT
      
        Next Update: Nov  9 18:30:27 2028 GMT
      
        CRL extensions:
      
            X509v3 Authority Key Identifier: 
      
                keyid:AC:22:23:B8:0F:02:5C:A8:82:EF:C6:89:7B:62:E3:C8:81:8F:6B:AE
      
                DirName:/CN=domain
      
                serial:A0:23:32:51:DD:EF:C4:98
      

      
Revoked Certificates:
      
    Serial Number: 2CB6E6C5C31195943D3340008CC46DA5
      
        Revocation Date: Nov 12 18:30:27 2018 GMT
      
    Serial Number: B9BEBF692BF00C05E7C589E63A77D555
      
        Revocation Date: Nov 12 18:30:24 2018 GMT
      
    Signature Algorithm: sha256WithRSAEncryption
      
         70:6d:f8:fc:84:32:3c:bf:f0:a1:63:e8:2b:94:0d:01:46:71:
      
         95:60:73:02:f5:d4:a4:48:cb:58:7b:8a:8c:b0:4c:27:23:81:
      
         eb:c0:99:a2:a8:89:16:76:87:28:0d:82:cc:a2:7a:de:28:8f:
      
         77:08:66:46:59:a3:07:7d:a6:0b:1b:75:d4:9f:5b:5f:75:cc:
      
         eb:1c:f7:22:90:a5:59:f8:29:01:5c:1c:5f:9e:77:9a:67:50:
      
         a0:5d:15:af:da:20:73:ae:40:1f:fd:e3:af:27:6e:f6:5c:6a:
      
         1f:d0:85:a8:92:02:1b:d6:77:7c:bc:66:ae:3c:ff:cf:70:17:
      
         50:12:a7:df:a0:a9:f7:b9:df:11:4a:3c:1e:16:75:01:9c:ef:
      
         22:9f:3d:40:85:ba:78:d0:fa:14:9a:22:77:b0:d6:69:25:7d:
      
         98:68:f2:89:b7:63:5a:f1:f1:76:b5:cd:a0:7c:7a:e9:e2:4d:
      
         25:07:0e:7c:1e:c3:dd:ec:9a:e2:32:9d:ff:f4:af:38:50:98:
      
         a0:de:5d:5f:22:0d:8e:f5:c1:90:e3:ea:b2:1c:11:83:93:d4:
      
         12:c7:7f:52:0d:c2:9b:d7:27:73:ee:8f:53:89:02:18:68:b3:
      
         88:49:3c:9a:28:9d:2f:47:c8:1a:bf:17:f6:a6:21:33:85:86:
      
         8e:64:6a:57




      • After re-issuing configs for 2 clients:



      $> cat auth/pki/index.txt
      
V 281109182216Z       FF42240511ED8204215894082114D4A4    unknown /CN=server
      
R 281109182955Z   181112183024Z   B9BEBF692BF00C05E7C589E63A77D555    unknown /CN=client1
      
R 281109183009Z   181112183027Z   2CB6E6C5C31195943D3340008CC46DA5    unknown /CN=client2
      
V 281109183048Z       C195D111FDC160DBFABD37A74C7DA816    unknown /CN=client1
      
V 281109183057Z       45AFBA1724B26E1B127091B9EC5E782B    unknown /CN=client2
      
$> openssl crl -in auth/pki/crl.pem -text -noout"
      
Certificate Revocation List (CRL):
      
        Version 2 (0x1)
      
    Signature Algorithm: sha256WithRSAEncryption
      
        Issuer: /CN=domain
      
        Last Update: Nov 12 18:30:57 2018 GMT
      
        Next Update: Nov  9 18:30:57 2028 GMT
      
        CRL extensions:
      
            X509v3 Authority Key Identifier: 
      
                keyid:AC:22:23:B8:0F:02:5C:A8:82:EF:C6:89:7B:62:E3:C8:81:8F:6B:AE
      
                DirName:/CN=domain
      
                serial:A0:23:32:51:DD:EF:C4:98
      

      
Revoked Certificates:
      
    Serial Number: 2CB6E6C5C31195943D3340008CC46DA5
      
        Revocation Date: Nov 12 18:30:27 2018 GMT
      
    Serial Number: B9BEBF692BF00C05E7C589E63A77D555
      
        Revocation Date: Nov 12 18:30:24 2018 GMT
      
    Signature Algorithm: sha256WithRSAEncryption
      
         73:2d:5b:ea:22:4b:0b:30:37:05:24:10:bd:0f:d5:c6:14:4d:
      
         b0:40:9b:20:7c:3c:03:20:79:f8:74:ad:4b:bf:6d:bc:f0:c6:
      
         25:c2:a4:7a:d0:c8:5c:8b:34:4a:97:38:36:0c:74:75:50:d6:
      
         f3:0b:ca:f1:39:1e:ee:8f:12:9b:ed:d7:35:eb:d6:1d:80:25:
      
         1e:2e:a5:2b:f0:ef:a4:5e:c5:b6:39:33:9a:27:17:80:7c:f1:
      
         d0:c4:f9:de:47:52:70:bb:59:e1:d2:f8:74:11:9e:a8:8c:29:
      
         8a:54:ab:ee:b5:1d:ad:b9:ab:e3:2a:98:21:74:55:93:db:2f:
      
         e5:43:21:52:a1:a1:11:23:4a:7c:9b:30:52:8c:7e:16:51:4d:
      
         bb:e1:5e:23:6f:e7:f5:c9:90:fc:7e:06:79:86:64:7d:32:c0:
      
         43:22:8c:8c:f4:b5:97:bb:3a:25:a3:f3:77:36:17:4b:98:6d:
      
         d7:35:b5:c0:fa:88:bc:68:5c:a8:2d:8f:ca:93:e9:86:e8:b3:
      
         2c:31:55:c4:06:4c:2c:69:e7:5f:20:26:bd:82:90:89:8a:d0:
      
         8e:d8:2e:d2:b3:d8:0a:fa:97:3e:2c:fd:42:39:e4:bb:5e:51:
      
         ef:02:c2:72:5b:a6:99:8f:2c:9d:8c:db:66:22:1c:3d:4e:43:
      
         1c:d2:2a:ec



      Observations




      • This looks like a bug in either EasyRSA or OpenVPN. Clearly, the DB (index.txt) indicates that the new certificates after revoke have different serial numbers. Am I missing something here?






      openvpn




      openvpn






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Nov 12 at 21:58

























      asked Nov 11 at 18:53









      karlchilders

      44




      44
























          1 Answer
          1






          active

          oldest

          votes

















          up vote
          0
          down vote



          accepted










          It turns out that the answer is to simply change the IP address in the .ovpn config file without issuing new certs.



          However, it still remains that one cannot issue new certs after a revoke for the same client.






          share|improve this answer





















            Your Answer






            StackExchange.ifUsing("editor", function () {
            StackExchange.using("externalEditor", function () {
            StackExchange.using("snippets", function () {
            StackExchange.snippets.init();
            });
            });
            }, "code-snippets");

            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "1"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53252059%2fwhy-does-re-issue-of-easyrsa-3-certificate-after-revoke-for-openvpn-fail%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            0
            down vote



            accepted










            It turns out that the answer is to simply change the IP address in the .ovpn config file without issuing new certs.



            However, it still remains that one cannot issue new certs after a revoke for the same client.






            share|improve this answer

























              up vote
              0
              down vote



              accepted










              It turns out that the answer is to simply change the IP address in the .ovpn config file without issuing new certs.



              However, it still remains that one cannot issue new certs after a revoke for the same client.






              share|improve this answer























                up vote
                0
                down vote



                accepted







                up vote
                0
                down vote



                accepted






                It turns out that the answer is to simply change the IP address in the .ovpn config file without issuing new certs.



                However, it still remains that one cannot issue new certs after a revoke for the same client.






                share|improve this answer












                It turns out that the answer is to simply change the IP address in the .ovpn config file without issuing new certs.



                However, it still remains that one cannot issue new certs after a revoke for the same client.







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Nov 19 at 17:36









                karlchilders

                44




                44






























                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Stack Overflow!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.





                    Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


                    Please pay close attention to the following guidance:


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53252059%2fwhy-does-re-issue-of-easyrsa-3-certificate-after-revoke-for-openvpn-fail%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    -

                    Popular posts from this blog

                    Florida Star v. B. J. F.

                    Image
                    Florida Star v. B. J. F. From Wikipedia, the free encyclopedia Jump to navigation Jump to search United States Supreme Court case Florida Star v. B. J. F. Supreme Court of the United States Argued March 21, 1989 Decided June 21, 1989 Full case name The Florida Star v. B. J. F. Citations 491 U.S. 524 ( more ) 109 S. Ct. 2603; 105 L. Ed. 2d 443; 1989 U.S. LEXIS 3120; 57 U.S.L.W. 4816; 16 Media L. Rep. 1801 Prior history The Florida Star v. B.J.F., 530 So.2d 286 (1988) Supreme Court of Florida; Florida Star v. B.J.F., 499 So.2d 883 (1986) Fla. Dist. Court of Appeals Holding Florida Stat. § 794.03 is unconstitutional to the extent it makes the truthful reporting of information that was a matter of public record unlawful, as it violates the First Amendment. Court membership Chief Justice William Rehnquist Associate Justices William J. Brennan Jr.  · Byron White Thurgood Marshall  · Harry Blac
                    Read more

                    Danny Elfman

                    Image
                    Danny Elfman From Wikipedia, the free encyclopedia Jump to navigation Jump to search Danny Elfman Elfman at the 2010 San Diego Comic-Con Born Daniel Robert Elfman ( 1953-05-29 ) May 29, 1953 (age 65) Los Angeles, California, U.S. Spouse(s) Bridget Fonda ( m.  2003) Children 1 Musical career Genres Rock [1] ska [2] new wave film music video game music Occupation(s) Composer, singer, songwriter, record producer Instruments Trombone guitar percussion vocals keyboards [3] Years active 1972–present Associated acts Oingo Boingo James Newton Howard Daniel Robert Elfman (born May 29, 1953) is an American composer, singer, songwriter, and record producer. Elfman first became known for being the lead singer and songwriter for the band Oingo Boingo from 1974 to 1995. He is well known for scoring films and television shows, particularly his frequent collabora
                    Read more

                    Retrieve a Users Dashboard in Tumblr with R and TumblR. Oauth Issues

                    Image
                    .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box; } 0 I am trying to use the TumblR package in R to set up the Oauth Authentication to Retrieve a user's dashboard using the second example in tumblR documentation However I get the following error, it seems that using twitter others have been able to use a different function to get around this, but I am not finding the same function available for Tumblr. See twitter package for R authentication: error 401 My code consumer_key <- OKey consumer_secret <- SKey appname <- App_name tokenURL <- 'http://www.tumblr.com/oauth/request_token' accessTokenURL <- 'http://www.tumblr.com/oauth/acces_token'
                    Read more