openvpn conf client unsupported CRL protocol for URL

So I have a little Hex with RouterOS updated to OS 7.13.2 that I wanted to use as a very simple low traffic OpenVPN client to a linux server I control.

I already have a separate certificate server.

I have several clients, both ipsec for routers, and Openvpn for mainly phones but some laptops too. I usually just import a ovpn conf file on the device and pretty well job done. I even managed to get my certificates installed on another Mikrotik router for ipsec - so not my first rodeo - but damned if I can do it now.

I first tried importing my certificates as either a bundle or individually but I couldn’t import any beyond the CA cert.

I then tried the ovpn conf route with the certs embedded. All seems OK until the error:


unsupported CRL protocol for URL

I know my CRL is generated dynamically by calling a php file that generates the CRL on the fly. I suspect that may be the issue.

How on earth are you meant to get certificates in to the router? I have tried individually, bundled CA, key & cert as PEM and as bundled as a p12.

Arrghh - now get this when trying a ovpn import.


action timed out - try again, if error continues contact MikroTik support and send a supout file (13)

I would use ipsec but a) I can’t import any certificates and b) the location has a router that is CG nat’d and ipsec won’t play nice with it.

Just tried to login to my Mikrotik support account but can’t remember the password. OK send password reset to the email address which has mails from last summer. Nada. Create account. Account with that email exists. FML.

Please don’t suggest getting some paid support. I tried that before and had a very bad experience with it… :frowning:

(Professionals who are making more money from teaching other people than actually fixing stuff so when push comes to shove in the real world they are stuck and can’t actually fix it… I digress)

Any advice appreciated. I keep coming back and trying Mikrotiks, and then remember why I gave up and went elsewhere again - this should be easy, and is on other stuff I have.

OpenWRT starting to look nice again…:wink:

Here are application examples with detailed instructions on how to apply certs, please check:
https://help.mikrotik.com/docs/display/ROS/IPsec#IPsec-Generatingclientcertificates

[quote=wfburton post_id=1051753 time=1706207312 user_id=215408]
unsupported CRL protocol for URL: ldap?

Just have to ask.
[/quote]


Thanks for responding.

Indeed. I am in full on stupid mode here. There are no stupid questions :-)

No LDAP involved.

[quote]I know my CRL is generated dynamically by calling a php file that generates the CRL on the fly.[/quote]


So the CRL will be a link like this:

https://my.server.com/certs/index.php?dl=dl_crl

Note the openvpn server also uses this URL for getting the CRL.

Thanks.

in the first instance kindly note that I am not generating certs on the Mikrotik.

I am trying to import certs generated by my own private cert server which is located at a different site. I use these on a number of devices - including desktops, iOS, Android, and ipsec and openvpn servers. I had used older versions on a couple of RB2011UiAS for ipsec but the old CA expired and I renewed them all late last year. (I am not currently using the RB2011s due to other configuration issues but the old certificates had worked - I might try firing one up, upgrading and testing with the new certs)

I have tried importing a p12 file, CA and individual certs plus a ovpn file with embedded certificates.

The only thing that succeeds in importing is the CA.

I cannot get any client certificates to import.

I cannot get the ovpn file with the embedded certificates to import. This gives the error:

[admin@MikroTik] > interface/ovpn-client/import-ovpn-configuration file-name=TestOvpn.ovpn ovpn-user=myuser ovpn-password=abc123
action timed out - try again, if error continues contact MikroTik support and send a supout file (13)

And I can see this logged:


unsupported CRL protocol for URL: > https://my.server.com/certs/dl_crl.php

I can see this URL in the CA certificate.

(Note that there is another URL which works equally well and is reachable globally but is not in the CA:
https://my.server.com/certs/index.php?dl=dl_crl)

For reference

CA Cert

Signature Algorithm: sha512WithRSAEncryption
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)

I am happy to generate a set of test certificates if you want to look privately. Let me know. Thanks.
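As an added example (not code from any post in this thread), here is a standard-library-only Python snippet that DER-encodes and then walks a CRLDistributionPoints extension value, so you can see which CRL URL schemes a certificate advertises before importing it. The rule that the importing client accepts only plain http CRL URLs is an assumption for this example, and the sample extension value is constructed from the https URL quoted above.

```python
"""Build and inspect an X.509 CRLDistributionPoints extension value (DER).

Added example, not from the forum thread. No third-party libraries: a tiny
DER encoder/decoder is enough to pull every uniformResourceIdentifier
GeneralName (context tag [6]) out of the extension and classify its scheme.
"""
from urllib.parse import urlsplit

# Assumption for this example: the importing client fetches CRLs over http only.
SUPPORTED_SCHEMES = {"http"}


def _tlv(tag, content):
    """Encode one DER TLV, using long-form length when content >= 128 bytes."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_crl_dp(uris):
    """DER-encode CRLDistributionPoints with one fullName URI per DistributionPoint.
    Layout: SEQ { SEQ { [0] EXPLICIT { [0] IMPLICIT GeneralNames { [6] IA5String } } } }"""
    dps = b"".join(
        _tlv(0x30, _tlv(0xA0, _tlv(0xA0, _tlv(0x86, u.encode("ascii"))))) for u in uris
    )
    return _tlv(0x30, dps)


def _read_tlv(data, pos):
    """Decode the DER TLV at pos; return (tag, value_bytes, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def crl_uris(ext_value):
    """Return every URI GeneralName found anywhere inside the extension value."""
    uris, pos = [], 0
    while pos < len(ext_value):
        tag, value, pos = _read_tlv(ext_value, pos)
        if tag == 0x86:                       # [6] IMPLICIT IA5String: uniformResourceIdentifier
            uris.append(value.decode("ascii"))
        elif tag & 0x20:                      # constructed: SEQUENCE or a tagged wrapper, descend
            uris.extend(crl_uris(value))
    return uris


def unsupported_crl_uris(ext_value):
    """URIs whose scheme the (assumed http-only) client would reject."""
    return [u for u in crl_uris(ext_value) if urlsplit(u).scheme.lower() not in SUPPORTED_SCHEMES]


# Constructed sample: the https distribution point quoted in the thread, hand-encoded.
SAMPLE_URI = "https://my.server.com/certs/dl_crl.php"
SAMPLE_EXT = bytes([0x30, 0x2E, 0x30, 0x2C, 0xA0, 0x2A, 0xA0, 0x28, 0x86, 0x26]) + SAMPLE_URI.encode()
```

To check a real certificate, feed this the raw value of extension OID 2.5.29.31 as obtained from any ASN.1 dumper; an empty result from unsupported_crl_uris means every advertised CRL URL is plain http.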

[quote=wfburton post_id=1051856 time=1706233917 user_id=215408]
You can’t import p12 files. RouterOS is linux based.
[/quote]


Really?

First, I know it is linux based, and I only use linux. I don't have a Window to my name.
Second, p12 files are just a secure container holding CA, key and cert. They are cross platform.
Third.....

https://help.mikrotik.com/docs/display/ROS/IPsec#IPsec-Knownlimitations

[quote]RouterOS client configuration

Import a PKCS12 format certificate in RouterOS.

/certificate import file-name=cert_export_RouterOS_client.p12 passphrase=1234567890[/quote]


But no, that doesn't work either. Perhaps that is ONLY for ipsec, but the documentation doesn't make that clear. I'm not sure why you would have two different certificate stores?

I previously imported p12 certificates on my RB2011 for some ipsec tunnels - but that has RouterOS 6.

Note the certs were created with an older (still supported) version of openssl. If RouterOS is based on a newer version then an import may require a -legacy switch. This bug refers:

https://github.com/openssl/openssl/issues/14790

openssl pkcs12 -legacy -info -in MyCert.p12 -nodes


But that isn't shown anywhere in the documentation.

[quote]
Also, change the crl url protocol to http. Make a test certificate for this.

Then try importing the new certificates again.



URL should be http://my.server.com/certs/<certificatename>.crl
[/quote]


http? Really? On a https enabled server that redirects all http to https anyway? It should be an irrelevance.

That would also mean that I would have to re-generate the CA which I am not about to do right now as I would have to renew all the certificates it is based on.

http://my.server.com/certs/<certificatename>.crl

It largely depends on how that is called.

This is how my openvpn server handles it via a cron job:

# fetch the CRL, check that it parses, then install it
/usr/bin/wget "https://my.server.com/certs/index.php?dl=dl_crl" -O /tmp/cacrl_routed.pem && \
/usr/bin/openssl crl -inform PEM -in /tmp/cacrl_routed.pem -text -noout && \
/bin/mv -f /tmp/cacrl_routed.pem /etc/openvpn/routed/pub/cacrl.pem


So the URL can be anything.

I'd guess their code should do something similar. The URL shouldn't make any difference if the retrieval is coded properly.

=====================

NB - I just fired up the RB2011 and added a p12 file.

Imports without any issues. But RouterOS 6 does not have openvpn support which is what I need............

So clearly the openssl implementation has a bug somewhere.

RouterOS 7 looks like it does not support certificates generated on an older version of openssl, which I currently cannot upgrade. So stuck between a rock and a hard place.

I guess I am going to have to return the 2 routers as they are not fit for purpose. Another foray into the MK world fails :-(

So the short answer is yes, RouterOS 7 cannot handle older OpenSSL certificates created on v1.x

It should have a ‘legacy’ switch to handle them as they are still legitimate, but it doesn’t.

I created some test certificates on a newer openssl (both *buntu 22.04 and Rocky 9) and they work perfectly with OpenVPN on RouterOS 7.

I used a git built version of XCA to create them - it is a little clunky, but works.

https://hohnstaedt.de/xca/
https://github.com/chris2511/xca/

(I have no relationship with them whatsoever)

Also looking at openxpki but that is a lot more tricky.

Hope someone finds that useful. Lack of legacy support has caused me no end of headaches.