steinbergs
Frequent Visitor
Topic Author
Posts: 72
Joined: Fri Sep 09, 2016 4:20 pm
Location: Riga, Latvija

Migrating self signed CA

Fri Dec 21, 2018 12:12 pm

Hi. I have one CCR1016-12S-1S+ as the primary device and a second CCR1016-12S-1S+ as backup.
The primary CCR is also an OVPN server. I want to configure the second CCR to run the backup OVPN server, but so that users can authenticate with the self-signed certificates I generated on the primary CCR.
I copied all the config from CCR1 to CCR2, exported the CA with a passphrase from CCR1 and imported it to CCR2. I exported the user and server certificates with a passphrase and imported them too.
The CA shows up as KLAT, server and user certs as KAT.
When I try to connect to CCR2, OVPN shows an error:
Fri Dec 21 12:01:07 2018 SIGUSR1[soft,tls-error] received, process restarting
Fri Dec 21 12:01:12 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]10.0.1.254:1194
Fri Dec 21 12:01:12 2018 Attempting to establish TCP connection with [AF_INET]10.0.1.254:1194 [nonblock]
Fri Dec 21 12:01:13 2018 TCP connection established with [AF_INET]10.0.1.254:1194
Fri Dec 21 12:01:13 2018 TCP_CLIENT link local: (not bound)
Fri Dec 21 12:01:13 2018 TCP_CLIENT link remote: [AF_INET]10.0.1.254:1194
Fri Dec 21 12:01:14 2018 OpenSSL: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Fri Dec 21 12:01:14 2018 OpenSSL: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
Fri Dec 21 12:01:14 2018 TLS_ERROR: BIO read tls_read_plaintext error
Fri Dec 21 12:01:14 2018 TLS Error: TLS object -> incoming plaintext read error
Fri Dec 21 12:01:14 2018 TLS Error: TLS handshake failed
Fri Dec 21 12:01:14 2018 Fatal TLS error (check_tls_errors_co), restarting
Fri Dec 21 12:01:14 2018 SIGUSR1[soft,tls-error] received, process restarting
Any ideas? Thank you in advance!
I shall read the manual
 
Ape
Member Candidate
Posts: 176
Joined: Sun Oct 06, 2013 3:32 pm
Location: Freiburg, Germany

Re: Migrating self signed CA

Fri Dec 21, 2018 12:31 pm

Hi,

I've no idea what's wrong - as you described the situation, everything is good IMO. Nevertheless, the error message clearly says that the server cannot verify the client certificate.
Did you try to restart the OpenVPN server (disabling and re-enabling it) and/or restarting the CCR?


Regards,
Ape

Edit: typos
 
steinbergs
Frequent Visitor
Topic Author
Posts: 72
Joined: Fri Sep 09, 2016 4:20 pm
Location: Riga, Latvija

Re: Migrating self signed CA

Fri Dec 21, 2018 12:47 pm

Yes, I tried to restart everything, but I get the same error.
I also tried to create new certificates on CCR2 using the CA from CCR1, but with no success.
I shall read the manual
 
AndresRqta
just joined
Posts: 5
Joined: Sun Oct 21, 2018 4:26 pm

Re: Migrating self signed CA

Thu Jan 10, 2019 8:30 pm

I have a similar problem.
I have in production a small MikroTik RB-750 configured with OpenVPN and four Windows clients. The configuration is OK and works without problems.
I have an updated .backup file (generated by WinBox), and another RB-750 saved for emergency purposes.

In the last days I tried to restore the configuration from the first RB750 to the second RB750. The backup file does not contain the certificates, so we need to upload and reinstall them manually.
However, this new RB750 cannot operate the OpenVPN server like the first one does.
Maybe a configuration related to some internal data of the RouterBOARD?

Thanks.
 
sebastia
Forum Veteran
Posts: 925
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Migrating self signed CA

Thu Jan 10, 2019 9:32 pm

Hi

Wiki states "All private keys and CA export passphrase are stored encrypted with hardware ID." https://wiki.mikrotik.com/wiki/Manual:S ... rtificates.
When you list details of the certs, do they have valid private keys?
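Two checks that narrow down an "unknown ca" handshake failure before anything is imported into a router, as an added example that is not from this thread or from MikroTik: does the client certificate actually verify against the CA the second device holds, and does the private key on hand belong to that certificate? It builds a constructed lab with two self-signed CAs (names ccr1-ca, ccr2-ca, user1 are assumptions) using stock openssl.

```shell
#!/bin/sh
# Constructed lab: two independent CAs and one client cert issued by the first.
# verify_chain CA_PEM LEAF_PEM  -> exit 0 only if LEAF chains to CA_PEM
# key_matches  CERT_PEM KEY_PEM -> exit 0 only if KEY_PEM is CERT_PEM's key
set -e
WORK=$(mktemp -d)
cd "$WORK"

mk_ca() {  # $1 = CA name; self-signed root with its private key
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.crt" \
    -subj "/CN=$1" -days 30 >/dev/null 2>&1
}

mk_client() {  # $1 = issuing CA name, $2 = client name
  openssl req -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
    -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -out "$2.crt" -days 30 >/dev/null 2>&1
}

verify_chain() {  # $1 = trusted CA cert, $2 = leaf cert to check
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

key_matches() {  # $1 = cert, $2 = private key; compare public-key digests
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

mk_ca ccr1-ca          # CA that issued the users (the "primary" router's CA)
mk_ca ccr2-ca          # an unrelated CA, as if the backup device used its own
mk_client ccr1-ca user1

# Expected: user1 verifies against ccr1-ca, not ccr2-ca; key belongs to user1
verify_chain ccr1-ca.crt user1.crt && echo "user1 chains to ccr1-ca"
verify_chain ccr2-ca.crt user1.crt || echo "user1 does NOT chain to ccr2-ca"
key_matches user1.crt user1.key && echo "user1.key matches user1.crt"
```

The same two commands apply to files exported from a router: a cert that fails `openssl verify` against the CA the server trusts reproduces the "unknown ca" alert, and a cert whose key digest differs from the key on hand will import without a usable private key.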
