steinbergs
Frequent Visitor
Topic Author
Posts: 74
Joined: Fri Sep 09, 2016 4:20 pm
Location: Riga, Latvija

Migrating self signed CA

Fri Dec 21, 2018 12:12 pm

Hi. I have one CCR1016-12S-1S+ as the primary device and a second CCR1016-12S-1S+ as backup.
The primary CCR is also an OVPN server. I want to configure the second CCR to run the backup OVPN server, but so that users can authenticate with the self-signed certificates I generated on the primary CCR.
I copied all the config from CCR 1 to CCR 2, exported the CA with a passphrase from CCR1 and imported it to CCR2. Exported user and server certificates with a passphrase and imported them.
The CA shows up as KLAT, server and user certs as KAT.
When I try to connect to CCR2, OVPN shows an error:
Fri Dec 21 12:01:07 2018 SIGUSR1[soft,tls-error] received, process restarting
Fri Dec 21 12:01:12 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]10.0.1.254:1194
Fri Dec 21 12:01:12 2018 Attempting to establish TCP connection with [AF_INET]10.0.1.254:1194 [nonblock]
Fri Dec 21 12:01:13 2018 TCP connection established with [AF_INET]10.0.1.254:1194
Fri Dec 21 12:01:13 2018 TCP_CLIENT link local: (not bound)
Fri Dec 21 12:01:13 2018 TCP_CLIENT link remote: [AF_INET]10.0.1.254:1194
Fri Dec 21 12:01:14 2018 OpenSSL: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Fri Dec 21 12:01:14 2018 OpenSSL: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
Fri Dec 21 12:01:14 2018 TLS_ERROR: BIO read tls_read_plaintext error
Fri Dec 21 12:01:14 2018 TLS Error: TLS object -> incoming plaintext read error
Fri Dec 21 12:01:14 2018 TLS Error: TLS handshake failed
Fri Dec 21 12:01:14 2018 Fatal TLS error (check_tls_errors_co), restarting
Fri Dec 21 12:01:14 2018 SIGUSR1[soft,tls-error] received, process restarting
Any ideas? Thank you in advance!
 
Ape
Member Candidate
Posts: 177
Joined: Sun Oct 06, 2013 3:32 pm
Location: Freiburg, Germany

Re: Migrating self signed CA

Fri Dec 21, 2018 12:31 pm

Hi,

I've no idea what's wrong - as you described the situation, everything is good IMO. Nevertheless, the error message clearly says that the server cannot verify the client certificate.
Did you try to restart the OpenVPN server (disabling and re-enabling it) and/or restarting the CCR?


Regards,
Ape

Edit: typos
 
steinbergs
Frequent Visitor
Topic Author
Posts: 74
Joined: Fri Sep 09, 2016 4:20 pm
Location: Riga, Latvija

Re: Migrating self signed CA

Fri Dec 21, 2018 12:47 pm

Yes, I tried to restart everything but I get the same error.
I also tried to create new certificates on CCR2 using the CA from CCR1, but no success.
 
AndresRqta
just joined
Posts: 6
Joined: Sun Oct 21, 2018 4:26 pm

Re: Migrating self signed CA

Thu Jan 10, 2019 8:30 pm

I have a similar problem.
I have in production a small MikroTik RB-750 configured with OpenVPN and four Windows clients. The configuration is OK and works without problems.
I have an updated .backup file (generated by WinBox), and another RB-750 saved for emergency purposes.

In the last days, I tried to restore the configuration from the first RB750 to the second RB750. The backup file does not have the certificates, so we need to upload and reinstall them manually.
However, this new RB750 cannot operate the OpenVPN server like the first.
Maybe a configuration related to some internal data of the RouterBOARD?

Thanks.
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Migrating self signed CA

Thu Jan 10, 2019 9:32 pm

Hi

Wiki states "All private keys and CA export passphrase are stored encrypted with hardware ID." https://wiki.mikrotik.com/wiki/Manual:S ... rtificates.
When you list details of the certs, do they have valid private keys?
 
slyz
just joined
Posts: 7
Joined: Tue Sep 06, 2016 5:51 pm

Re: Migrating self signed CA

Fri Jul 12, 2019 2:27 pm

Same problem as OP described.

The only difference I see in the output is `ca` on the primary device and `issuer` on the backup device.
Primary device:
K L A  T name="myplace" country="LV" state="LV" locality="Riga" organization="corp" unit="IT" 
            common-name="myplace" key-size=2048 days-valid=3650 trusted=yes key-usage=key-cert-sign,crl-sign 
            ca-crl-host="127.0.0.1" serial-number="46Dxxxxxxxxxx100" 
            fingerprint="e20...ba345" 
            invalid-before=feb/07/2018 11:51:34 invalid-after=feb/05/2028 11:51:34
K I        name="guy@myplace" country="LV" state="LV" locality="Riga" organization="corp" 
            unit="IT" common-name="guy@myplace" key-size=2048 days-valid=3650 trusted=no 
            key-usage=tls-client ca=myplace serial-number="136xxxxxxxxxxF3C" 
            fingerprint="d22...e30" 
            invalid-before=may/25/2018 14:00:44 invalid-after=may/22/2028 14:00:44
Backup device:
KL A  T name="myplace" issuer=C=LV,ST=LV,L=Riga,O=corp,OU=IT,CN=myplace digest-algorithm=sha256
           key-type=rsa country="LV" state="LV" locality="Riga" organization="corp" unit="IT"
           common-name="myplace" key-size=2048 subject-alt-name="" days-valid=3650 trusted=yes
           key-usage=key-cert-sign,crl-sign serial-number="46Dxxxxxxxxxx100"
           fingerprint="e20...ba345"
           invalid-before=feb/07/2018 11:51:34 invalid-after=feb/05/2028 11:51:34 expires-after=447w21h47m48s
K     T  name="guy@myplace" issuer=C=LV,ST=LV,L=Riga,O=myplace,OU=IT,CN=myplace
           digest-algorithm=sha256 key-type=rsa country="LV" state="LV" locality="Riga" organization="corp"
           unit="IT" common-name="guy@myplace" key-size=2048 subject-alt-name="" days-valid=3650
           trusted=yes key-usage=tls-client serial-number="136xxxxxxxxxxF3C"
           fingerprint="d22...e30"
           invalid-before=may/25/2018 14:00:44 invalid-after=may/22/2028 14:00:44 expires-after=462w2d23h56m58s
Any suggestions, how to get clients to connect? Changing client side config is not an option.
 
wolfktl
just joined
Posts: 21
Joined: Thu Jun 27, 2013 6:07 pm

Re: Migrating self signed CA

Mon Aug 05, 2019 12:05 am

Same problem with certificate transfers

ROS 6.44.5

Generation of certificates

/certificate add name=template-CA country="RU" state="Moscow" locality="RU" organization="88888" unit="" common-name="MT-CA" key-size=4096 days-valid=3650 key-usage=crl-sign,key-cert-sign
/certificate sign template-CA ca-crl-host=127.0.0.1 name="MT-CA"


/certificate add name=template-SRV country="RU" state="Moscow" locality="RU" organization="88888" unit="" common-name="SRV-OVPN" key-size=4096 days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
/certificate sign template-SRV ca="MT-CA" name="SRV-OVPN"


/certificate add name=template-CL country="RU" state="Moscow" locality="" organization="88888" unit="" common-name="client-ovpn-template" key-size=4096 days-valid=3650 key-usage=tls-client

/certificate add name=template-CL-to-issue copy-from="template-CL" common-name="user_test"
/certificate sign template-CL-to-issue ca="MT-CA" name="user_test"

Export certificates

certificate export-certificate MT-CA export-passphrase=password12345678
certificate export-certificate SRV-OVPN export-passphrase=password12345678
/certificate export-certificate user_test export-passphrase=password12345678

Import on the new MikroTik

[admin@MT-CORE-YC] > certificate import file-name=cert_export_MT-CA.crt passphrase=password12345678
certificates-imported: 1
private-keys-imported: 0
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 0

[admin@MT-CORE-YC] > certificate import file-name=cert_export_MT-CA.key passphrase=password12345678
certificates-imported: 0
private-keys-imported: 1
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 0

[admin@MT-CORE-YC] > certificate import file-name=cert_export_SRV-OVPN.crt passphrase=password12345678
certificates-imported: 1
private-keys-imported: 0
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 0

[admin@MT-CORE-YC] > certificate import file-name=cert_export_SRV-OVPN.key passphrase=password12345678
certificates-imported: 0
private-keys-imported: 1
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 0

[admin@MT-CORE-YC] > certificate import file-name=cert_export_user_test.crt passphrase=password12345678
certificates-imported: 1
private-keys-imported: 0
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 0

[admin@MT-CORE-YC] > certificate import file-name=cert_export_user_test.key passphrase=password12345678
certificates-imported: 0
private-keys-imported: 1
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 0

certificate print
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
# NAME COMMON-NAME SUBJECT-ALT-NAME
0 K L A T MT-CA MT-CA
1 K SRV-OVPN SRV-OVPN
2 K user_test user_test

Connect to the new MikroTik
MikroTik log:
ovpn,debug <1.17.29.184>: disconnected <TLS failed>

Log client:
Sun Aug 04 23:55:07 2019 OpenSSL: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Sun Aug 04 23:55:07 2019 OpenSSL: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
Sun Aug 04 23:55:07 2019 TLS_ERROR: BIO read tls_read_plaintext error
Sun Aug 04 23:55:07 2019 TLS Error: TLS object -> incoming plaintext read error
Sun Aug 04 23:55:07 2019 TLS Error: TLS handshake failed
Sun Aug 04 23:55:07 2019 Fatal TLS error (check_tls_errors_co), restarting
 
Exiver
Member Candidate
Posts: 122
Joined: Sat Jan 10, 2015 6:45 pm

Re: Migrating self signed CA

Thu Aug 08, 2019 5:45 pm

@wolfktl please post your whole configuration (original router, backup router and client) - otherwise it's just a guess into the blue.

-> /export hide-sensitive
 
storybel
just joined
Posts: 3
Joined: Fri Nov 04, 2016 11:50 am

Re: Migrating self signed CA

Fri Oct 25, 2019 12:18 am

Would any of you have the solution?
I am in the same situation.
The imported CA is not "recognized".
Generating new client certificates is not an option.
 
storybel
just joined
Posts: 3
Joined: Fri Nov 04, 2016 11:50 am

Re: Migrating self signed CA

Fri Oct 25, 2019 12:51 am

Finally, I have the solution.
The problem was the CRL.
Importing certificates with the CRL works:
- on the old router: IP -> Services -> enable WWW
- on the old router: make sure the firewall is open
- on the new router:
- verify you have connectivity to the old router (ping, traceroute...)
- import the certificates with the passphrase
- reload OpenVPN (or SSTP...)
It works for me!
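The exported files in this thread can be checked off-box with openssl before they are imported on the backup router: whether each .key belongs to its .crt (sebastia's question about valid private keys), whether the client certificate actually chains to the CA the server trusts (the check whose failure the OpenVPN client reports as "tlsv1 alert unknown ca"), and which host the certificate names as its CRL distribution point (the ca-crl-host that the steps above make reachable). This is an added example, not code from the thread or from MikroTik: it builds its own constructed CA and client pair (subject names borrowed from slyz's output, CRL URL path constructed) and needs the openssl CLI.

```shell
#!/bin/sh
# Added example, not from the thread: off-box checks for RouterOS certificate exports
# (the cert_export_*.crt / .key files). A constructed CA + client pair stands in for
# the thread's "myplace" CA and "guy@myplace" client; the CRL URL is constructed too.
# Needs the openssl CLI. Everything is created in a temp dir that is removed on exit.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
# --- constructed sample material ----------------------------------------------------
# CA extensions mirror the thread's key-usage=key-cert-sign,crl-sign.
printf '%s\n' 'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign,cRLSign' > ca.ext
mk_ca() {   # $1 = file stem, $2 = subject
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 3650 -extfile ca.ext -out "$1.crt" 2>/dev/null
}
mk_ca ca    '/C=LV/ST=LV/L=Riga/O=corp/OU=IT/CN=myplace'
mk_ca other '/CN=unrelated-ca'     # a CA that never issued the client certificate
# Client cert issued by "myplace"; the CRL distribution point is where a router will
# try to download the CRL from (the thread's ca-crl-host=127.0.0.1; path constructed).
printf '%s\n' 'basicConstraints=CA:FALSE' 'extendedKeyUsage=clientAuth' \
    'crlDistributionPoints=URI:http://127.0.0.1/crl/1' > client.ext
openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
    -subj '/C=LV/ST=LV/L=Riga/O=corp/OU=IT/CN=guy@myplace' 2>/dev/null
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 \
    -extfile client.ext -out client.crt 2>/dev/null

# --- the checks ---------------------------------------------------------------------
# 1) Does the .key belong to the .crt? Compares SHA-256 of the public key from each.
#    For a passphrase-protected RouterOS export add: -passin pass:<export-passphrase>
key_matches_cert() {   # $1 = cert, $2 = key
    c=$(openssl x509 -noout -pubkey -in "$1" | openssl dgst -sha256)
    k=$(openssl pkey -pubout -in "$2" | openssl dgst -sha256)
    [ "$c" = "$k" ]
}
# 2) Does the client cert chain to the CA the server trusts? When this fails, the TLS
#    server sends the client the "unknown ca" alert seen in the OpenVPN logs above.
chain_ok() {   # $1 = CA cert, $2 = leaf cert
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
# 3) Which host does the cert name for its CRL? That host must be reachable from the
#    router that imports the certificate, or the CRL cannot be fetched.
crl_uri() {   # $1 = cert
    openssl x509 -noout -text -in "$1" | grep -o 'URI:[^[:space:]]*' | head -n 1
}
key_matches_cert client.crt client.key && echo "client.key matches client.crt"
chain_ok ca.crt client.crt            && echo "client.crt chains to the myplace CA"
chain_ok other.crt client.crt         || echo "client.crt rejected by unrelated CA: unknown ca"
echo "CRL distribution point: $(crl_uri client.crt)"
```

Run it against real exports by replacing the constructed files with cert_export_MT-CA.crt and the client .crt/.key pair; a failing chain_ok on the backup router's CA file is the offline equivalent of the handshake failure in the logs.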
 
jerryroy1
Member Candidate
Posts: 168
Joined: Sat Mar 17, 2007 4:55 am
Location: LA and OC USA

Re: Migrating self signed CA

Fri Mar 27, 2020 4:37 am

Please clarify this step.
- on the new router:
- verify you have connectivity to the old router (ping, traceroute...)
- import the certificates with the passphrase
- reload OpenVPN (or SSTP...)
Why connectivity to the old router? Do you mean opening a browser to the WAN of the old router?
How are you connecting and importing on the new router?
