Community discussions

 
steinbergs
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 74
Joined: Fri Sep 09, 2016 4:20 pm
Location: Riga, Latvija

Migrating self signed CA

Fri Dec 21, 2018 12:12 pm

Hi. I have one CCR1016-12S-1S+ as the primary device and a second CCR1016-12S-1S+ as backup.
The primary CCR is also a OVPN server. I want to configure the second CCR to run the backup OVPN server but so that user can authenticate with the self signed certificates I generated on the primary CCR.
I copied all the config from CCR 1 to CCR 2, exported the CA with a passphrase from CCR1 and imported to CCR2. Exported user and server certificates with passphrase and imported them.
The CA shows up as KLAT server and user certs as KAT.
When I try to connect to CCR2, OVPN show an error:
Fri Dec 21 12:01:07 2018 SIGUSR1[soft,tls-error] received, process restarting
Fri Dec 21 12:01:12 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]10.0.1.254:1194
Fri Dec 21 12:01:12 2018 Attempting to establish TCP connection with [AF_INET]10.0.1.254:1194 [nonblock]
Fri Dec 21 12:01:13 2018 TCP connection established with [AF_INET]10.0.1.254:1194
Fri Dec 21 12:01:13 2018 TCP_CLIENT link local: (not bound)
Fri Dec 21 12:01:13 2018 TCP_CLIENT link remote: [AF_INET]10.0.1.254:1194
Fri Dec 21 12:01:14 2018 OpenSSL: error:14094418:SSL routines:[b]ssl3_read_bytes:tlsv1 alert unknown ca[/b]
Fri Dec 21 12:01:14 2018 OpenSSL: error:140940E5:SSL routines:[b]ssl3_read_bytes:ssl handshake failure[/b]
Fri Dec 21 12:01:14 2018 TLS_ERROR: BIO read tls_read_plaintext error
Fri Dec 21 12:01:14 2018 TLS Error: TLS object -> incoming plaintext read error
Fri Dec 21 12:01:14 2018 TLS Error: TLS handshake failed
Fri Dec 21 12:01:14 2018 Fatal TLS error (check_tls_errors_co), restarting
Fri Dec 21 12:01:14 2018 SIGUSR1[soft,tls-error] received, process restarting
Any ideas? Thank you in advance!
I shall read the manual/color]
 
Ape
Member Candidate
Member Candidate
Posts: 177
Joined: Sun Oct 06, 2013 3:32 pm
Location: Freiburg, Germany
Contact:

Re: Migrating self signed CA

Fri Dec 21, 2018 12:31 pm

Hi,

I've no idea whats wrong - as you described the situation, everything is good IMO. Nevertheless, the error message clearly says that the server cannot verify the client certificate.
Did you try to restart the OpenVPN server? (disabling and reenabling it) and/or restarting the CCR?


Regards,
Ape

Edit: typos
 
steinbergs
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 74
Joined: Fri Sep 09, 2016 4:20 pm
Location: Riga, Latvija

Re: Migrating self signed CA

Fri Dec 21, 2018 12:47 pm

Yes, I tried to restart everything but I get the same error.
I also tried to create new certificates on CCR2 using the CA from CCR1, but no success.
I shall read the manual/color]
 
AndresRqta
just joined
Posts: 5
Joined: Sun Oct 21, 2018 4:26 pm

Re: Migrating self signed CA

Thu Jan 10, 2019 8:30 pm

I have a similar problem
I have in production an small Mikrotik RB-750 configured with Openvpn and four Windows clients. The configuration is OK and works without problem
I have a updated .backup file (generated by winbox), and another RB-750 saved for emergency purposes.

In the last days, I try to test to restore configuration from the first RB750, to the second RB750. Backup file does not have the certificates, so we need to upload and reinstall manually
However this new RB750 cannot operate Openvpn server as the first.
Maybe a configuration related with some internal data of Routerboard?

Thanks.
 
User avatar
sebastia
Forum Guru
Forum Guru
Posts: 1664
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Migrating self signed CA

Thu Jan 10, 2019 9:32 pm

Hi

Wiki states "All private keys and CA export passphrase are stored encrypted with hardware ID." https://wiki.mikrotik.com/wiki/Manual:S ... rtificates.
When you list details of the certs, do they have valid private keys?
 
slyz
just joined
Posts: 3
Joined: Tue Sep 06, 2016 5:51 pm

Re: Migrating self signed CA

Fri Jul 12, 2019 2:27 pm

Same problem as OP described.

Only difference I see in output, is `ca` on primary device and `issuer` on backup device.
Primary device:
K L A  T name="myplace" country="LV" state="LV" locality="Riga" organization="corp" unit="IT" 
            common-name="myplace" key-size=2048 days-valid=3650 trusted=yes key-usage=key-cert-sign,crl-sign 
            ca-crl-host="127.0.0.1" serial-number="46Dxxxxxxxxxx100" 
            fingerprint="e20...ba345" 
            invalid-before=feb/07/2018 11:51:34 invalid-after=feb/05/2028 11:51:34
K I        name="guy@myplace" country="LV" state="LV" locality="Riga" organization="corp" 
            unit="IT" common-name="guy@myplace" key-size=2048 days-valid=3650 trusted=no 
            key-usage=tls-client ca=myplace serial-number="136xxxxxxxxxxF3C" 
            fingerprint="d22...e30" 
            invalid-before=may/25/2018 14:00:44 invalid-after=may/22/2028 14:00:44
Backup device:
KL A  T name="myplace" issuer=C=LV,ST=LV,L=Riga,O=corp,OU=IT,CN=myplace digest-algorithm=sha256
           key-type=rsa country="LV" state="LV" locality="Riga" organization="corp" unit="IT"
           common-name="myplace" key-size=2048 subject-alt-name="" days-valid=3650 trusted=yes
           key-usage=key-cert-sign,crl-sign serial-number="46Dxxxxxxxxxx100"
           fingerprint="e20...ba345"
           invalid-before=feb/07/2018 11:51:34 invalid-after=feb/05/2028 11:51:34 expires-after=447w21h47m48s
K     T  name="guy@myplace" issuer=C=LV,ST=LV,L=Riga,O=myplace,OU=IT,CN=myplace
           digest-algorithm=sha256 key-type=rsa country="LV" state="LV" locality="Riga" organization="corp"
           unit="IT" common-name="guy@myplace" key-size=2048 subject-alt-name="" days-valid=3650
           trusted=yes key-usage=tls-client serial-number="136xxxxxxxxxxF3C"
           fingerprint="d22...e30"
           invalid-before=may/25/2018 14:00:44 invalid-after=may/22/2028 14:00:44 expires-after=462w2d23h56m58s
Any suggestions, how to get clients to connect? Changing client side config is not an option.
 
wolfktl
just joined
Posts: 21
Joined: Thu Jun 27, 2013 6:07 pm

Re: Migrating self signed CA

Mon Aug 05, 2019 12:05 am

Same problem with certificate transfers

ROS 6.44.5

Generation of certificates

/certificate add name=template-CA country="RU" state="Moscow" locality="RU" organization="88888" unit="" common-name="MT-CA" key-size=4096 days-valid=3650 key-usage=crl-sign,key-cert-sign
/certificate sign template-CA ca-crl-host=127.0.0.1 name="MT-CA"


/certificate add name=template-SRV country="RU" state="Moscow" locality="RU" organization="88888" unit="" common-name="SRV-OVPN" key-size=4096 days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
/certificate sign template-SRV ca="MT-CA" name="SRV-OVPN"


/certificate add name=template-CL country="RU" state="Moscow" locality="" organization="88888" unit="" common-name="client-ovpn-template" key-size=4096 days-valid=3650 key-usage=tls-client

/certificate add name=template-CL-to-issue copy-from="template-CL" common-name="user_test"
/certificate sign template-CL-to-issue ca="MT-CA" name="user_test"

Export certificates

certificate export-certificate MT-CA export-passphrase=password12345678
certificate export-certificate export-passphrase=password12345678
/certificate export-certificate user_test export-passphrase=password12345678

Import new mikrotik

[admin@MT-CORE-YC] > certificate import file-name=cert_export_MT-CA.crt passphrase=password12345678
certificates-imported: 1
private-keys-imported: 0
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 0

[admin@MT-CORE-YC] > certificate import file-name=cert_export_MT-CA.key passphrase=password12345678
certificates-imported: 0
private-keys-imported: 1
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 0

[admin@MT-CORE-YC] > certificate import file-name=cert_export_SRV-OVPN.crt passphrase=password12345678
certificates-imported: 1
private-keys-imported: 0
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 0

[admin@MT-CORE-YC] > certificate import file-name=cert_export_SRV-OVPN.key passphrase=password12345678
certificates-imported: 0
private-keys-imported: 1
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 0

[admin@MT-CORE-YC] > certificate import file-name=cert_export_user_test.crt passphrase=password12345678
certificates-imported: 1
private-keys-imported: 0
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 0

[admin@MT-CORE-YC] > certificate import file-name=cert_export_user_test.key passphrase=password12345678
certificates-imported: 0
private-keys-imported: 1
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 0

certificate print
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
# NAME COMMON-NAME SUBJECT-ALT-NAME
0 K L A T MT-CA MT-CA
1 K SRV-OVPN SRV-OVPN
2 K user_test user_test

Connect to new mikrotik
Log mikrotik:
ovpn,debug <1.17.29.184>: disconnected <TLS failed>

Log client:
Sun Aug 04 23:55:07 2019 OpenSSL: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Sun Aug 04 23:55:07 2019 OpenSSL: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
Sun Aug 04 23:55:07 2019 TLS_ERROR: BIO read tls_read_plaintext error
Sun Aug 04 23:55:07 2019 TLS Error: TLS object -> incoming plaintext read error
Sun Aug 04 23:55:07 2019 TLS Error: TLS handshake failed
Sun Aug 04 23:55:07 2019 Fatal TLS error (check_tls_errors_co), restarting
 
User avatar
Exiver
Frequent Visitor
Frequent Visitor
Posts: 88
Joined: Sat Jan 10, 2015 6:45 pm
Location: Germany

Re: Migrating self signed CA

Thu Aug 08, 2019 5:45 pm

@wolfktl pls post your whole configuration (Original Router, Backup Router and Client) - otherwise its just a guess into the blue..

-> /export hide-sensitive

Who is online

Users browsing this forum: No registered users and 77 guests