Thu Feb 16 13:32:52 +07 2023

Managing VPN certificates

Users can create their own VPN certificates on the account management web page. VPN authentication is based on the user credentials plus a password-protected certificate. The certificate is valid for one year.

To revoke a certificate, connect to ufo and issue:

    sudo -u httpd /var/db/http/rsa.scripts/rsa_wrapper2.pl revoke <user name>

The script rsa_wrapper2.pl can be used to create a certificate, show it, show its expiration date, revoke it, or renew the CRL (Certificate Revocation List). The CRL is valid for 6 months and is not renewed unless a user is revoked. A crontab job renews the CRL on the 3rd of every fourth month, at 2:57. This should solve the "CRL expired" error.

Note that rsa_wrapper2.pl should be used and not rsa_wrapper.pl. It calls the script easyrsa.real.test, which has been modified to work around a bug in OpenSSL. I have tried with the native OpenSSL (1.1.10) installed with FreeBSD 13 and with OpenSSL 3.2.0-dev, and the bug is still there. I *think* it is the bug about EPERM that is detailed in "TTY_get() in crypto/ui/ui_openssl.c open_console() can also return er..." <https://github.com/openssl/openssl/commit/082394839ea32386abc7ee33aaa9da864287064c>

To work around the bug, I have modified easyrsa.real to pass the CA passphrase with:

    echo "passphrase" | openssl ... -passin stdin

instead of:

    openssl ... -passin pass:passphrase

Note that the passphrase is hardcoded in the script. Note that the workaround is VERY crude.

Note about the bug: it only shows when the web page is generated by Joomla (the first line names the kind of component, the second the actual one):

    Joomla3 -> php wrapper -> Perl script    -> Perl script     -> Bourne shell script -> openssl
    php     -> php         -> connect-ifrane -> rsa_wrapper2.pl -> easyrsa.real.test   -> openssl

and not when the page is generated only by a Perl CGI script:

    Perl script -> Perl script    -> Bourne shell script -> openssl
    connect     -> rsa_wrapper.pl -> easyrsa.real        -> openssl

I could not make a smaller example.
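As an added example (not the site's rsa_wrapper2.pl or easyrsa.real.test), the following POSIX shell wrapper applies the same stdin trick without hardcoding the passphrase: it reads the CA passphrase from a file that only the service account can read, refuses anything more permissive, and uses it for the CRL renewal the cron job performs. The CA_PASS_FILE, CA_CONF and CRL_OUT paths are assumptions.

```shell
#!/bin/sh
# Added example, not the site's own rsa_wrapper2.pl or easyrsa.real.test.
# Feeds the CA passphrase to openssl on stdin (-passin stdin), so openssl never
# opens the controlling TTY (where the EPERM bug bites) and the secret is neither
# on the command line (visible in ps) nor hardcoded in this script.
# All paths below are placeholders (assumptions); override them via environment.
CA_PASS_FILE="${CA_PASS_FILE:-/var/db/http/ca-passphrase}"   # one line: the passphrase
CA_CONF="${CA_CONF:-/path/to/easyrsa/openssl.cnf}"
CRL_OUT="${CRL_OUT:-/path/to/easyrsa/keys/crl.pem}"

# Accept the passphrase file only if it is a regular file readable by its owner
# alone (mode 0600 or 0400). Tries GNU stat first, then BSD stat.
passfile_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) || return 1
    case "$mode" in
        600|0600|400|0400) return 0 ;;
        *) return 1 ;;
    esac
}

# Run one "openssl ca" operation with the passphrase on stdin.
# Usage: ca_op -gencrl -out crl.pem    or    ca_op -revoke keys/alice.crt
ca_op() {
    passfile_ok "$CA_PASS_FILE" || {
        echo "refusing to run: $CA_PASS_FILE must be a regular file with mode 0600" >&2
        return 2
    }
    openssl ca -config "$CA_CONF" -passin stdin "$@" < "$CA_PASS_FILE"
}

# What the cron job does ("57 2 3 */4 * ..." renews on the 3rd at 02:57 every
# fourth month, well inside the CRL's 6-month validity).
crl_renew() {
    ca_op -gencrl -out "$CRL_OUT"
}

# Show when the current CRL stops being valid; an expired CRL breaks every VPN
# login, not just the revoked user's.
crl_next_update() {
    openssl crl -in "$CRL_OUT" -noout -nextupdate
}
# Only acts when invoked with an action, so sourcing the file just defines
# the functions without touching openssl.
case "${1:-}" in
    renew) crl_renew ;;
    check) crl_next_update ;;
esac
```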

Posted by Olivier | File under: administration