Page 1 of 1

Migrating self signed CA

Posted: Fri Dec 21, 2018 12:12 pm
by steinbergs
Hi. I have one CCR1016-12S-1S+ as the primary device and a second CCR1016-12S-1S+ as backup.
The primary CCR is also a OVPN server. I want to configure the second CCR to run the backup OVPN server but so that user can authenticate with the self signed certificates I generated on the primary CCR.
I copied all the config from CCR 1 to CCR 2, exported the CA with a passphrase from CCR1 and imported to CCR2. Exported user and server certificates with passphrase and imported them.
The CA shows up as KLAT server and user certs as KAT.
When I try to connect to CCR2, OVPN show an error:
Fri Dec 21 12:01:07 2018 SIGUSR1[soft,tls-error] received, process restarting
Fri Dec 21 12:01:12 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]10.0.1.254:1194
Fri Dec 21 12:01:12 2018 Attempting to establish TCP connection with [AF_INET]10.0.1.254:1194 [nonblock]
Fri Dec 21 12:01:13 2018 TCP connection established with [AF_INET]10.0.1.254:1194
Fri Dec 21 12:01:13 2018 TCP_CLIENT link local: (not bound)
Fri Dec 21 12:01:13 2018 TCP_CLIENT link remote: [AF_INET]10.0.1.254:1194
Fri Dec 21 12:01:14 2018 OpenSSL: error:14094418:SSL routines:[b]ssl3_read_bytes:tlsv1 alert unknown ca[/b]
Fri Dec 21 12:01:14 2018 OpenSSL: error:140940E5:SSL routines:[b]ssl3_read_bytes:ssl handshake failure[/b]
Fri Dec 21 12:01:14 2018 TLS_ERROR: BIO read tls_read_plaintext error
Fri Dec 21 12:01:14 2018 TLS Error: TLS object -> incoming plaintext read error
Fri Dec 21 12:01:14 2018 TLS Error: TLS handshake failed
Fri Dec 21 12:01:14 2018 Fatal TLS error (check_tls_errors_co), restarting
Fri Dec 21 12:01:14 2018 SIGUSR1[soft,tls-error] received, process restarting
Any ideas? Thank you in advance!

Re: Migrating self signed CA

Posted: Fri Dec 21, 2018 12:31 pm
by Ape
Hi,

I've no idea whats wrong - as you described the situation, everything is good IMO. Nevertheless, the error message clearly says that the server cannot verify the client certificate.
Did you try to restart the OpenVPN server? (disabling and reenabling it) and/or restarting the CCR?


Regards,
Ape

Edit: typos

Re: Migrating self signed CA

Posted: Fri Dec 21, 2018 12:47 pm
by steinbergs
Yes, I tried to restart everything but I get the same error.
I also tried to create new certificates on CCR2 using the CA from CCR1, but no success.

Re: Migrating self signed CA

Posted: Thu Jan 10, 2019 8:30 pm
by AndresRqta
I have a similar problem
I have in production an small Mikrotik RB-750 configured with Openvpn and four Windows clients. The configuration is OK and works without problem
I have a updated .backup file (generated by winbox), and another RB-750 saved for emergency purposes.

In the last days, I try to test to restore configuration from the first RB750, to the second RB750. Backup file does not have the certificates, so we need to upload and reinstall manually
However this new RB750 cannot operate Openvpn server as the first.
Maybe a configuration related with some internal data of Routerboard?

Thanks.

Re: Migrating self signed CA

Posted: Thu Jan 10, 2019 9:32 pm
by sebastia
Hi

Wiki states "All private keys and CA export passphrase are stored encrypted with hardware ID." https://wiki.mikrotik.com/wiki/Manual:S ... rtificates.
When you list details of the certs, do they have valid private keys?

Re: Migrating self signed CA

Posted: Fri Jul 12, 2019 2:27 pm
by slyz
Same problem as OP described.

Only difference I see in output, is `ca` on primary device and `issuer` on backup device.
Primary device:
K L A  T name="myplace" country="LV" state="LV" locality="Riga" organization="corp" unit="IT" 
            common-name="myplace" key-size=2048 days-valid=3650 trusted=yes key-usage=key-cert-sign,crl-sign 
            ca-crl-host="127.0.0.1" serial-number="46Dxxxxxxxxxx100" 
            fingerprint="e20...ba345" 
            invalid-before=feb/07/2018 11:51:34 invalid-after=feb/05/2028 11:51:34
K I        name="guy@myplace" country="LV" state="LV" locality="Riga" organization="corp" 
            unit="IT" common-name="guy@myplace" key-size=2048 days-valid=3650 trusted=no 
            key-usage=tls-client ca=myplace serial-number="136xxxxxxxxxxF3C" 
            fingerprint="d22...e30" 
            invalid-before=may/25/2018 14:00:44 invalid-after=may/22/2028 14:00:44
Backup device:
KL A  T name="myplace" issuer=C=LV,ST=LV,L=Riga,O=corp,OU=IT,CN=myplace digest-algorithm=sha256
           key-type=rsa country="LV" state="LV" locality="Riga" organization="corp" unit="IT"
           common-name="myplace" key-size=2048 subject-alt-name="" days-valid=3650 trusted=yes
           key-usage=key-cert-sign,crl-sign serial-number="46Dxxxxxxxxxx100"
           fingerprint="e20...ba345"
           invalid-before=feb/07/2018 11:51:34 invalid-after=feb/05/2028 11:51:34 expires-after=447w21h47m48s
K     T  name="guy@myplace" issuer=C=LV,ST=LV,L=Riga,O=myplace,OU=IT,CN=myplace
           digest-algorithm=sha256 key-type=rsa country="LV" state="LV" locality="Riga" organization="corp"
           unit="IT" common-name="guy@myplace" key-size=2048 subject-alt-name="" days-valid=3650
           trusted=yes key-usage=tls-client serial-number="136xxxxxxxxxxF3C"
           fingerprint="d22...e30"
           invalid-before=may/25/2018 14:00:44 invalid-after=may/22/2028 14:00:44 expires-after=462w2d23h56m58s
Any suggestions, how to get clients to connect? Changing client side config is not an option.

Re: Migrating self signed CA

Posted: Mon Aug 05, 2019 12:05 am
by wolfktl
Same problem with certificate transfers

ROS 6.44.5

Generation of certificates

/certificate add name=template-CA country="RU" state="Moscow" locality="RU" organization="88888" unit="" common-name="MT-CA" key-size=4096 days-valid=3650 key-usage=crl-sign,key-cert-sign
/certificate sign template-CA ca-crl-host=127.0.0.1 name="MT-CA"


/certificate add name=template-SRV country="RU" state="Moscow" locality="RU" organization="88888" unit="" common-name="SRV-OVPN" key-size=4096 days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
/certificate sign template-SRV ca="MT-CA" name="SRV-OVPN"


/certificate add name=template-CL country="RU" state="Moscow" locality="" organization="88888" unit="" common-name="client-ovpn-template" key-size=4096 days-valid=3650 key-usage=tls-client

/certificate add name=template-CL-to-issue copy-from="template-CL" common-name="user_test"
/certificate sign template-CL-to-issue ca="MT-CA" name="user_test"

Export certificates

certificate export-certificate MT-CA export-passphrase=password12345678
certificate export-certificate export-passphrase=password12345678
/certificate export-certificate user_test export-passphrase=password12345678

Import new mikrotik

[admin@MT-CORE-YC] > certificate import file-name=cert_export_MT-CA.crt passphrase=password12345678
certificates-imported: 1
private-keys-imported: 0
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 0

[admin@MT-CORE-YC] > certificate import file-name=cert_export_MT-CA.key passphrase=password12345678
certificates-imported: 0
private-keys-imported: 1
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 0

[admin@MT-CORE-YC] > certificate import file-name=cert_export_SRV-OVPN.crt passphrase=password12345678
certificates-imported: 1
private-keys-imported: 0
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 0

[admin@MT-CORE-YC] > certificate import file-name=cert_export_SRV-OVPN.key passphrase=password12345678
certificates-imported: 0
private-keys-imported: 1
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 0

[admin@MT-CORE-YC] > certificate import file-name=cert_export_user_test.crt passphrase=password12345678
certificates-imported: 1
private-keys-imported: 0
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 0

[admin@MT-CORE-YC] > certificate import file-name=cert_export_user_test.key passphrase=password12345678
certificates-imported: 0
private-keys-imported: 1
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 0

certificate print
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
# NAME COMMON-NAME SUBJECT-ALT-NAME
0 K L A T MT-CA MT-CA
1 K SRV-OVPN SRV-OVPN
2 K user_test user_test

Connect to new mikrotik
Log mikrotik:
ovpn,debug <1.17.29.184>: disconnected <TLS failed>

Log client:
Sun Aug 04 23:55:07 2019 OpenSSL: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Sun Aug 04 23:55:07 2019 OpenSSL: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
Sun Aug 04 23:55:07 2019 TLS_ERROR: BIO read tls_read_plaintext error
Sun Aug 04 23:55:07 2019 TLS Error: TLS object -> incoming plaintext read error
Sun Aug 04 23:55:07 2019 TLS Error: TLS handshake failed
Sun Aug 04 23:55:07 2019 Fatal TLS error (check_tls_errors_co), restarting

Re: Migrating self signed CA

Posted: Thu Aug 08, 2019 5:45 pm
by Exiver
@wolfktl pls post your whole configuration (Original Router, Backup Router and Client) - otherwise its just a guess into the blue..

-> /export hide-sensitive