Community discussions

 
Franek

CA certificate transfer issues

Sat May 18, 2019 12:37 am

Hello,

I upgraded my RB2011 office router to the RB4011. I managed to transfer the configuration but I have a problem with certificates.

The router is used as an ovpn server for road warrior clients and I can't connect them back to the router. I get the following error from the client:

OpenSSL: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca

The CA certificate I used in the old router was self-generated and I used it to sign the client and server certificates.

I exported them from the old server and imported them into the new one (both the .crt and .key files). However, it does not seem to be enough. Is there a way to make the tunnels work with the old certificates?

I tried to generate new certificates in the new router and the vpn works again but it's not usable in my case since I would have to change the certificates on all my clients.

Any help would be greatly appreciated :-)

Francois
 
Franek

Re: CA certificate transfer issues

Sun May 19, 2019 4:16 pm

Hello,

I did some digging and found the source of the problem. Maybe posting it here will help someone in the future.

To force the new MikroTik to consider my original CA certificate valid, I had to deactivate the "use CRL" option in /certificate settings.

When I originally self-signed the CA certificate on the old MikroTik, I entered its public IP in the CRL field. What I forgot is that we changed our public IP address in between, so when the new MikroTik tried to check the CA certificate's validity using the IP entered in the CRL field it wouldn't get any answer, since the IP is not in use anymore, and thus considered the certificate to be invalid.

I'm not sure it's a good idea to disable the "use CRL" option, but the only alternative I can think of is to reissue a new CA certificate and copy it to all the clients. Maybe it's possible to unsign the CA certificate and re-sign it with the new IP (or without any), but I have to figure out how to do it.
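As an added example, not from the forum post and not RouterOS commands, the same mechanics reproduced on a workstation with the OpenSSL CLI (assumed installed): it builds a CA certificate with a CRL Distribution Point at a constructed, unreachable address (203.0.113.10), signs a client certificate with it, then re-issues the CA certificate from the same private key without the CRL field and checks that the existing client certificate still validates, which is what the last paragraph asks about.

```shell
#!/bin/sh
# Added example (not RouterOS commands): a CA certificate with a CRL
# Distribution Point at a stale address, then the same CA re-issued from
# the SAME key without that field, checked against an existing client cert.
set -e
WORK=$(mktemp -d)
OLD_IP=203.0.113.10   # constructed placeholder for the old public IP
# Self-contained config so the run does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ca_with_crl
[ dn ]
CN = Office CA
[ ca_with_crl ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
crlDistributionPoints = URI:http://$OLD_IP/ca.crl
[ ca_no_crl ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ client ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
# Old CA certificate (with the stale CRL DP) and one client certificate signed by it.
openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
openssl req -new -x509 -config "$WORK/ca.cnf" -key "$WORK/ca.key" -days 3650 -out "$WORK/ca_old.crt"
openssl genrsa -out "$WORK/client.key" 2048 2>/dev/null
openssl req -new -config "$WORK/ca.cnf" -key "$WORK/client.key" -subj "/CN=roadwarrior1" -out "$WORK/client.csr"
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca_old.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
  -extfile "$WORK/ca.cnf" -extensions client -days 365 -out "$WORK/client.crt" 2>/dev/null
# Re-issued CA certificate: same key and subject (so the client's AKID still
# matches the CA's SKID); only the CRL DP is gone.
openssl req -new -x509 -config "$WORK/ca.cnf" -extensions ca_no_crl -key "$WORK/ca.key" -days 3650 -out "$WORK/ca_new.crt"
# CRL Distribution Point URI embedded in a certificate (empty if none).
crl_dp_of() { openssl x509 -in "$1" -noout -text | grep -o 'URI:[^ ]*' || true; }
# Exit 0 if client.crt chains to the named CA; extra flags such as -crl_check
# (which requires a CRL for the issuer) are passed through to openssl verify.
verifies() { ca=$1; shift; openssl verify "$@" -CAfile "$WORK/$ca" "$WORK/client.crt" >/dev/null 2>&1; }
echo "old CA CRL DP: $(crl_dp_of "$WORK/ca_old.crt")"
echo "new CA CRL DP: $(crl_dp_of "$WORK/ca_new.crt")"
verifies ca_old.crt -crl_check || echo "old CA with CRL check: fails, no CRL obtainable"
verifies ca_new.crt && echo "new CA, existing client cert: OK"
```

openssl verify does not fetch the URI, so -crl_check here only shows the failure mode of revocation checking when no CRL can be obtained, not the network fetch the post describes on RouterOS. With CRL checking disabled a revoked client certificate would still be accepted, so a re-issued CA with no CRL field, or with a reachable one, keeps revocation working.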
