Mikrotik SSTP Client - handshake failed: unable to get certificate CRL

Setup server with just received Thawte public SSL123 certificate, uploaded & imported files:

  • Thawte Primary Root CA.pem
  • Thawte EV SSL CA - G2.crt
  • vpn.mydomain.com.crt
  • vpn.mydomain.com.key
    (certificates imported OK, with no error in log)

/interface sstp-server server
set authentication=mschap2 certificate="vpn.mydomain.com" \
    default-profile=SERVER_SSTP enabled=yes

Then setup client, uploaded & imported files:

  • Thawte Primary Root CA.pem
  • Thawte EV SSL CA - G2.crt
    (certificates imported OK, with no error in log)

/interface sstp-client
add authentication=mschap2 connect-to=vpn.mydomain.com disabled=no name=\
    "vpn.mydomain.com" password=2QMoDR6d2m profile=\
    SSTP_CLIENT user=User verify-server-certificate=yes

Windows 7 clients connecting with no problems & no need to import any CA to certificate repository.

MikroTik client cannot establish a connection and I get this error in the log: "handshake failed: unable to get certificate CRL", until I upload and import the additional file vpn.mydomain.com.crt.

I think this behaviour is odd, isn't it? Literally the day before, the connection worked with self-signed certificates. I use only CA.crt at the client side.

Please help, I want to make the connection work as expected (without vpn.mydomain.com.crt at client side).

Fast reply from support:

Problem is that server certificate has its own CRL defined, which is not defined
in CAs. That is why it started to work after server cert import.

We will add in one of the next versions possibility to add manually CRL URL
specially for such cases.

Hello,

I have a similar problem, but even worse behaviour:

On the server Tik I have CA + Interim + Cert and on the clients I uploaded the CA and the interims, BUT:

[admin@tik] > /certificate print
Flags: K - private-key, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted

NAME COMMON-NAME SUBJECT-ALT-NAME FINGERPRINT

xxx
xxx
2 T 1-DigiCertGlobalRoot... DigiCert Global Root CA 4348a0e9444c78cb265e058d5e8...
3 L T 2-GeoTrustRSACA2018.... GeoTrust RSA CA 2018 8cc34e11c167045824ade61c490...

[admin@tik] > /certificate crl print
Flags: E - expired, D - dynamic, I - invalid

CERT LAST-UPDATE NUM REVOKED URL

0 D 2-GeoTrustRSACA2018.pem_0 mar/02/2020 17:50:43 500 2 http://crl3.digicert.com/DigiCertGlobalRootCA.crl

[admin@tik] > /interface sstp-client export

mar/02/2020 20:02:49 by RouterOS 6.45.8

software id = WQ1D-G0XP

/interface sstp-client
add connect-to=fw.example.com name=VPN-sstp-out password=xxxxxxxxx profile=default-encryption user=yyyyyyyyy verify-server-certificate=yes

[admin@tik] > /log print
20:01:18 sstp,ppp,info VPN-sstp-out: initializing...
20:01:18 sstp,ppp,info VPN-sstp-out: connecting...
20:01:18 sstp,ppp,info VPN-sstp-out: terminating... - handshake failed: unable to get certificate CRL (6)
20:01:18 sstp,ppp,info VPN-sstp-out: disconnected
20:01:18 sstp,ppp,info VPN-sstp-out: initializing...
20:01:18 sstp,ppp,info VPN-sstp-out: connecting...
20:01:18 sstp,ppp,info VPN-sstp-out: terminating... - handshake failed: unable to get certificate CRL (6)
20:01:18 sstp,ppp,info VPN-sstp-out: disconnected
20:01:18 sstp,ppp,info VPN-sstp-out: initializing...
20:01:18 sstp,ppp,info VPN-sstp-out: connecting...
20:01:18 sstp,ppp,info VPN-sstp-out: terminating... - handshake failed: unable to get certificate CRL (6)
20:01:18 sstp,ppp,info VPN-sstp-out: disconnected

linux # echo | openssl s_client -servername fw.example.com -connect fw.example.com:443 2>/dev/null| openssl x509 -noout -text |grep -A 3 CRL
X509v3 CRL Distribution Points:

Full Name:
URI:http://cdp.geotrust.com/GeoTrustRSACA2018.crl

linux # openssl s_client -servername fw.example.com -connect fw.example.com:443 2>/dev/null| openssl x509 -noout -issuer -subject -dates
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust RSA CA 2018
subject=C = XXXXXX, CN = *.example.com
notBefore=Feb 5 00:00:00 2020 GMT
notAfter=Feb 17 12:00:00 2021 GMT

If I manually add http://cdp.geotrust.com/GeoTrustRSACA2018.crl to the CRL list on the client Tik it works, but after some time it stops with the error
"terminating... - handshake failed: CRL has expired (6)".

When I remove "http://cdp.geotrust.com/GeoTrustRSACA2018.crl" from the CRL list and add the same URI again, it works again for some time.
Any help on how to get bought certificates working with MikroTik and CRL?

is there a way to

  1. not manually add the crl like all other clients can do
  2. not need to periodically remove and add the CRL on the client side?

br, guk
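The check that the RouterOS client performs with verify-server-certificate=yes can be reproduced on any Linux box with OpenSSL, which makes it easy to tell whether a failing handshake is caused by a CRL the client cannot locate (the first post's "unable to get certificate CRL") or by a CRL that has passed its nextUpdate (guk's "CRL has expired"). The following is an added example written for this page; it is not code from the thread, from MikroTik or from OpenSSL's documentation. The host, port and file paths are assumptions, and make_test_pki builds a constructed demo PKI (root CA, leaf for fw.example.com with a cdp.example.invalid distribution point, and a CRL with a chosen lifetime) so the three outcomes can be shown offline; diagnose_host needs network access, curl and a PEM file holding the real root and intermediate CA certificates.

```shell
# Added example: reproduce the SSTP client's CRL check with OpenSSL on Linux.
# Not from this thread or from MikroTik. HOST, PORT, file paths and the demo
# PKI (cdp.example.invalid) are assumptions made for the example.

# Print the CRL Distribution Point URIs from `openssl x509 -text` output read
# on stdin, one URI per line (more robust than `grep -A 3 CRL`).
crl_uris_from_text() {
    awk '
        /X509v3 CRL Distribution Points/ { inblk = 1; next }
        inblk && /URI:/ { sub(/.*URI:/, ""); print; next }
        # any other extension header ends the CDP block
        inblk && !/Full Name:/ && /^ *[A-Z][A-Za-z0-9 -]*:/ { inblk = 0 }
    '
}

# Fetch the leaf certificate an SSTP server presents on its HTTPS port (network).
fetch_server_cert() {  # usage: fetch_server_cert HOST PORT > leaf.pem
    echo | openssl s_client -servername "$1" -connect "$1:$2" 2>/dev/null | openssl x509
}

# Validate LEAF against the CA chain in CHAIN with CRL checking enabled. CRL may
# be empty to show what happens when the client has no CRL at all; OpenSSL, like
# RouterOS, never downloads the CDP by itself here. Prints one status word.
verify_with_crl() {  # usage: verify_with_crl LEAF CHAIN [CRL]
    if [ -n "$3" ]; then
        out=$(openssl verify -crl_check -CAfile "$2" -CRLfile "$3" "$1" 2>&1) || true
    else
        out=$(openssl verify -crl_check -CAfile "$2" "$1" 2>&1) || true
    fi
    case "$out" in
        *"CRL has expired"*)               echo crl-expired ;;
        *"unable to get certificate CRL"*) echo no-crl ;;
        *"certificate revoked"*)           echo revoked ;;
        *": OK"*)                          echo ok ;;
        *)                                 echo other ;;
    esac
}

# Live check: fetch the leaf, download the CRL named in its CDP extension,
# convert DER to PEM if needed, print its validity window and verify (network).
diagnose_host() {  # usage: diagnose_host HOST PORT CHAIN.pem
    work=$(mktemp -d)
    fetch_server_cert "$1" "$2" > "$work/leaf.pem"
    uri=$(openssl x509 -in "$work/leaf.pem" -noout -text | crl_uris_from_text | head -n 1)
    echo "CRL distribution point: ${uri:-none}"
    if [ -n "$uri" ] && curl -sSf "$uri" -o "$work/crl.raw"; then
        openssl crl -inform DER -in "$work/crl.raw" -out "$work/crl.pem" 2>/dev/null \
            || cp "$work/crl.raw" "$work/crl.pem"
        openssl crl -in "$work/crl.pem" -noout -lastupdate -nextupdate
        verify_with_crl "$work/leaf.pem" "$3" "$work/crl.pem"
    else
        verify_with_crl "$work/leaf.pem" "$3" ""
    fi
}

# Constructed demo PKI (an assumption, not real certificates): a root CA, a leaf
# for fw.example.com carrying a CDP URI, and a CRL whose nextUpdate is SECONDS
# from now, so an expired CRL can be produced on demand.
make_test_pki() {  # usage: make_test_pki DIR SECONDS
    dir=$1
    mkdir -p "$dir/newcerts" && : > "$dir/index.txt" && echo 01 > "$dir/crlnumber"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database      = $dir/index.txt
new_certs_dir = $dir/newcerts
crlnumber     = $dir/crlnumber
default_md    = sha256
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" -days 2 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=fw.example.com" \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" 2>/dev/null
    echo "crlDistributionPoints=URI:http://cdp.example.invalid/demo.crl" > "$dir/srv.ext"
    openssl x509 -req -in "$dir/srv.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/srv.ext" -out "$dir/srv.pem" 2>/dev/null
    openssl ca -config "$dir/ca.cnf" -gencrl -keyfile "$dir/ca.key" -cert "$dir/ca.pem" \
        -crlsec "$2" -out "$dir/crl.pem" 2>/dev/null
}
```

Run `diagnose_host fw.example.com 443 chain.pem` against a real server to see which case applies. Offline, `make_test_pki d 600` followed by `verify_with_crl d/srv.pem d/ca.pem d/crl.pem` prints ok, the same call with an empty CRL argument prints no-crl (the first post's situation: the client only learns the CDP URL from the leaf, which it has not imported), and a CRL built with `make_test_pki d 1` prints crl-expired a couple of seconds later (guk's situation: a CRL that is not refreshed before its nextUpdate is treated as unusable, which is why the client has to re-download it periodically rather than keep a static copy).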

workaround until this bug is fixed:

/tool netwatch
add comment=ping-my-sstp-ip down-script=reload-crl host=192.my.vpn.ip timeout=5s

/system script
add dont-require-permissions=no name=reload-crl owner=admin policy=read,write,test \
    source="log info (\"certificate crl bug mikrotik - deleting and adding again...\")\r\
    \n/certificate crl remove [find url=http://cdp.geotrust.com/GeoTrustRSACA2018.crl]\r\
    \n:delay 3\r\
    \n/certificate crl add url=http://cdp.geotrust.com/GeoTrustRSACA2018.crl fingerprint=\"\"\r\
    \nlog info (\"certificate crl bug mikrotik - done\")\r\
    \n"