lis
just joined
Topic Author
Posts: 5
Joined: Sun Apr 04, 2021 2:36 pm

CRL showing invalid

Thu Jul 22, 2021 11:57 pm

Hey Guys,

I'm having a weird problem and not sure where else to search. I've been browsing this forum for CRL issues and I guess I looked over all cases and none matches mine.
RouterOS: 6.47.7
Purpose: use it for OpenVPN and check certs via CRL to see whether they are revoked
Certificate: built on the Active Directory CA service, so it's not self-signed and managed by MikroTik directly

Certificate properties:
* signed by internal CA
* flags on mikrotik: KTL (Key, Trusted, CRL)

In the certificate store the internal CA is also added and has flag T (Trusted). So I have both the CA certificate (T) and the OpenVPN (KTL) server cert in the MikroTik cert store. The CA is granted to sign CRLs.
I have generated the key & request on the MikroTik. Downloaded it, sent it to the CA and signed the request on the CA server. Then imported it back via WinBox. All is handled via WinBox.

CRL:
* is signed by the same CA as the Certificate for the openVPN
* the OpenVPN certificate has only a single place where the CRL is published: via HTTP, meaning http://<host.FQDN>/CRL/CA.crl. This is the only URL that exists in the certificate under "CRL published at".
* it was automatically added and found when importing the OpenVPN certificate into the cert store; it is listed as: dynamic + invalid, with URL http://<host.FQDN>/CRL/CA.crl + the certificate name as named in the MikroTik cert store
* in the Certificates settings, under the CRL settings, I have checked "CRL Download", but not yet enabled "Use CRL"

Because my MikroTik has an external DNS configured, I had to create a static DNS entry for host <host.FQDN> pointing to the IP of the server. CRL also works if you provide the IP address of the server instead of the FQDN.

Tested it via terminal with: put [resolve <host.FQDN>], which returned the correct IP of the CRL server. In theory it should be able to pull the CRL. The CRL web page does not need any auth to pull the CRL.

In the logs i see:
looking for CRLs in openVPN.cer_0
found CRL http://<host.FQDN>/CRL/CA.crl
start CRL update
trust store updated
start CRL update
start CRL update
start CRL update
start CRL update
start CRL update
start CRL update

... start CRL update - every 1min

but still the CRL shows red in WinBox with invalid status. Value for revoked=unknown.
Even if I provide the link manually with the IP address of the CRL server it still shows invalid.

Any idea how to increase the debug level or fix this?

For now I see these possible issues:
1. It's a 6.47.7 version BUG
2. it's not using the static DNS entry for resolving the FQDN that is in the CRL config. Then obviously it will get no IP and the error is valid, but the static entry does not work with an IP either, so it seems it's not that issue.
3. there is something missing in the certificate, in the CA or the OpenVPN one. There is not much that I can do at the CA level itself. I can change the templates that are used to sign the certificate, but there is nothing that I can configure in the template for the CRL; that can be done only at the CA level. There is no possibility to change the format or anything, but I had to remove other publishing locations such as LDAP, which is not supported by MikroTik, so the only item within the CRL is the HTTP check.
4. there is something wrong with the CRL type or version or something else. Not sure how to validate its integrity against what MikroTik accepts.
 
lis
just joined
Topic Author
Posts: 5
Joined: Sun Apr 04, 2021 2:36 pm

Re: CRL showing invalid

Sun Aug 01, 2021 11:47 am

Is there any limit on supported signing algorithms?
What I have tested is that it works properly with SHA1, and the problem is with SHA512. Could this be an issue?
RouterOS was upgraded to 6.48.3 and the issue persists.
I can't see any traffic toward the server with the CRL list while running the sniffer. Not sure why...
 
finalgene
just joined
Posts: 2
Joined: Fri Jan 05, 2018 1:36 pm

Re: CRL showing invalid

Wed Jan 12, 2022 10:08 pm

I've run into the same problem.

My CA generates a CRL which is published on http://ca.final-gene.de/CA.crl
The first problem was that RouterOS doesn't support HTTPS, not even in version 7.x

Now the CRL is marked as invalid. I've checked the signing digest; it's already SHA1

So why is the CRL marked as invalid :(

RouterOS version: v7.1.1
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: CRL showing invalid

Wed Jan 12, 2022 10:44 pm

Does /tool fetch url=http://ca.final-gene.de/CA.crl download the CRL file successfully?
 
galvesribeiro
newbie
Posts: 38
Joined: Mon Apr 12, 2021 4:34 am

Re: CRL showing invalid

Sat Apr 09, 2022 6:36 am

In the same boat here, but with GoDaddy as the CA. I can download the CRL from the URLs over both HTTP and HTTPS just fine. However, MikroTik keeps insisting it is invalid... Tried to use fetch to pull it, but it shows 0KiB downloaded, no errors...

Does anyone have any clue?
 
AnrDaemon
just joined
Posts: 8
Joined: Mon Jul 27, 2020 2:51 pm

Re: CRL showing invalid

Thu Jun 02, 2022 7:36 pm

I've managed to fix the CRL download by redirecting static DNS resolution of "\.localdomain\.lan$" via the internal DNS server.
I also had to make an exclusion for CRL files so they are available without SSL.
 
homerouter
Frequent Visitor
Posts: 58
Joined: Sun Dec 26, 2021 12:52 pm
Location: DK

Re: CRL showing invalid

Sun Oct 09, 2022 1:51 pm

Same problem here, ROS always shows it in red in the WinBox Certificates -> CRL view.
I can use "tool fetch" and get it into the file manager. When it is in the file manager, what to do next?
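The open question in the first post (how to validate the CRL's integrity against what the router accepts) and in this last one (what to do with a .crl file once it sits in the file manager) both come down to inspecting the file off the router. The following is an added example, not code from this thread or from MikroTik: a Python script using the `cryptography` package (assumed to be installed on the workstation) that loads a DER or PEM CRL, reports the signing digest, issuer, update window and revoked count, and verifies the signature against the CA certificate. The CA and CRLs it builds are throwaway test material constructed in memory so the script runs offline; to check a real file, pass the bytes of the downloaded .crl and the CA certificate to `inspect_crl()`.

```python
"""Workstation-side inspection of a CRL file (added example, constructed test CA)."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Digest names a CRL might be signed with, mapped to their hash classes.
_DIGESTS = {"sha1": hashes.SHA1, "sha256": hashes.SHA256, "sha512": hashes.SHA512}


def load_crl(data: bytes) -> x509.CertificateRevocationList:
    """Accept DER (what AD CS publishes over HTTP) or PEM."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return x509.load_pem_x509_crl(data)
    return x509.load_der_x509_crl(data)


def _utc(crl, field):
    """Return last_update/next_update as an aware UTC datetime across library versions."""
    value = getattr(crl, field + "_utc", None)   # cryptography >= 42 exposes aware variants
    if value is None:
        value = getattr(crl, field)                # older releases: naive UTC datetimes
        if value is not None and value.tzinfo is None:
            value = value.replace(tzinfo=datetime.timezone.utc)
    return value


def inspect_crl(crl_bytes: bytes, ca_cert: x509.Certificate, now=None) -> dict:
    """Report the properties that decide whether a relying party can accept this CRL."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    crl = load_crl(crl_bytes)
    next_update = _utc(crl, "next_update")
    return {
        "issuer": crl.issuer.rfc4514_string(),
        "issuer_matches_ca": crl.issuer == ca_cert.subject,
        "hash_algorithm": crl.signature_hash_algorithm.name,   # e.g. "sha1" or "sha512"
        "this_update": _utc(crl, "last_update"),
        "next_update": next_update,
        "expired": next_update is not None and next_update < now,
        "revoked_count": len(list(crl)),
        # Signature check against the CA public key: the decisive integrity test.
        "signature_valid": crl.is_signature_valid(ca_cert.public_key()),
    }


def crl_problems(report: dict) -> list:
    """List the reasons a relying party would reject the CRL (empty list = sound file)."""
    problems = []
    if not report["issuer_matches_ca"]:
        problems.append("issuer does not match the CA certificate subject")
    if not report["signature_valid"]:
        problems.append("signature does not verify with the CA public key")
    if report["expired"]:
        problems.append("nextUpdate is in the past (stale CRL)")
    return problems


# --- constructed test material: a hypothetical CA, not anyone's real PKI ---

def build_ca(common_name: str):
    """Self-signed test CA (RSA 2048) used only to produce CRLs for the demo."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def build_crl(key, ca_cert, digest="sha256", next_update_days=7, revoked_serials=(0x1234,)) -> bytes:
    """DER-encoded CRL signed by the test CA with the chosen digest; negative days = stale CRL."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(now - datetime.timedelta(days=30))
        .next_update(now + datetime.timedelta(days=next_update_days))
    )
    for serial in revoked_serials:
        entry = (
            x509.RevokedCertificateBuilder()
            .serial_number(serial)
            .revocation_date(now - datetime.timedelta(days=29))
            .build()
        )
        builder = builder.add_revoked_certificate(entry)
    crl = builder.sign(private_key=key, algorithm=_DIGESTS[digest]())
    return crl.public_bytes(serialization.Encoding.DER)


if __name__ == "__main__":
    ca_key, ca = build_ca("Example Internal CA")
    for digest in ("sha256", "sha512"):
        report = inspect_crl(build_crl(ca_key, ca, digest=digest), ca)
        print(digest, report["hash_algorithm"], crl_problems(report) or "OK")
    # A CRL checked against the wrong CA fails both the issuer and the signature check.
    _, other_ca = build_ca("Some Other CA")
    print(crl_problems(inspect_crl(build_crl(ca_key, ca), other_ca)))
```

If the signature verifies, the issuer matches and nextUpdate is in the future, the file itself is sound, and the digest line tells you whether it was signed with SHA1 or SHA512; a failure on any of those points is a CA-side problem that no change to how RouterOS fetches the file will cure.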
