own3r1138

Certificate CRL issue | Got CRL with a bad signature

Wed Sep 28, 2022 1:00 pm

Hi,
Does anyone know how to solve this issue?
[Attachments: cert.jpg, crl.jpg, log.jpg, ntp.jpg, cert set.jpg]
Regards,
 
patrickmkt

Re: Certificate CRL issue | Got CRL with a bad signature

Sun Oct 30, 2022 5:19 pm

By any chance are you using DOH for your DNS?
 
own3r1138

Re: Certificate CRL issue | Got CRL with a bad signature

Sun Oct 30, 2022 5:30 pm

This issue was fixed with the v7.6 release.
 
patrickmkt

Re: Certificate CRL issue | Got CRL with a bad signature

Sun Oct 30, 2022 6:39 pm

"This issue was fixed with the v7.6 release."
Good for you, for me it started with v7.6... :-(
 
LetMeRepair

Re: Certificate CRL issue | Got CRL with a bad signature

Wed May 24, 2023 3:11 pm

We found out that (for us) this is caused by our PKI using sha512. Since some version 7.x our certificate based VPNs stopped working and we had to at least omit CRL checking. Since 7.8 bypassing the CRL also doesn't work, so we were forced to investigate deeper.

So we created new CA/Intermediate/CRLs for testing, and found out that only changing from sha512 to sha256 made CRLs work again. So this is kind of strange because it's a step back, we've been using sha512 for years with a lot older versions of MikroTik, and now we basically need to "lower" security to make things work?

Support ticket on this issue stayed unanswered for weeks, so I wonder where we are going with this issue (and how many other people have the same situation).
 
patrickmkt

Re: Certificate CRL issue | Got CRL with a bad signature

Wed May 24, 2023 3:34 pm

All my certificates are also using sha512... I hope now that the root cause is found, a fix will be released soon.

Thanks
 
patrickmkt

Re: Certificate CRL issue | Got CRL with a bad signature

Sat Jun 17, 2023 3:16 pm

Still not fixed on ROS 7.10.
 
LetMeRepair

Re: Certificate CRL issue | Got CRL with a bad signature

Tue Jun 20, 2023 8:30 am

Also the related ticket got no attention for 2 months. A bit disappointing ...
 
patrickmkt

Re: Certificate CRL issue | Got CRL with a bad signature

Tue Jun 20, 2023 4:55 pm

I tried to reissue some of my CRLs with sha256 instead, but I got the same CRL error, while the CRLs are properly decoded by openssl without error.
 
LetMeRepair

Re: Certificate CRL issue | Got CRL with a bad signature

Thu Jun 22, 2023 10:31 am

It's the CA cert ... we made a new CA for testing and with that it works. We started off changing a few parameters at once, and it worked. Narrowed it down subsequently to the Signature / SignatureHashAlgorithms. SHA256RSA/SHA256 works, SHA512RSA/SHA512 doesn't.
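
Added example, not part of any post in this thread: a dependency-free Python check that reads the outer signatureAlgorithm of a CA certificate or CRL (PEM or DER), to find the SHA512-with-RSA objects the posts above identify as the trigger. The function names are this example's own, and the sample inputs are constructed skeletons with placeholder content, not real CRLs.

```python
import base64

# RSA signature OIDs (RFC 8017); the thread concerns the SHA-512 one.
SIG_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    subids, value = [], 0
    for byte in body:  # base-128, high bit set on all but the last byte
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            subids.append(value)
            value = 0
    first = min(subids[0] // 40, 2)
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))

def signature_algorithm(data):
    """Outer signatureAlgorithm of a certificate or CRL (PEM or DER bytes)."""
    if data.lstrip().startswith(b"-----BEGIN"):  # PEM armor -> DER
        lines = [l for l in data.splitlines() if b"-----" not in l]
        data = base64.b64decode(b"".join(lines))
    tag, start, _ = read_tlv(data, 0)        # Certificate / CertificateList
    _, _, tbs_end = read_tlv(data, start)    # skip tbsCertificate / tbsCertList
    alg_tag, alg_start, _ = read_tlv(data, tbs_end)
    oid_tag, oid_start, oid_end = read_tlv(data, alg_start)
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06):
        raise ValueError("not a certificate or CRL")
    oid = decode_oid(data[oid_start:oid_end])
    return SIG_OIDS.get(oid, oid)

def constructed_sample(oid_hex):
    """Constructed skeleton: real AlgorithmIdentifier, zeroed tbs and signature."""
    alg = "300d0609" + oid_hex + "0500"
    return bytes.fromhex("30820182" "3082012c" + "00" * 300 + alg + "0341" + "00" * 65)

SHA256_CRL = constructed_sample("2a864886f70d01010b")
SHA512_CRL = constructed_sample("2a864886f70d01010d")
```

Run `signature_algorithm()` over the bytes of each CA certificate and CRL in the chain; an OID not in the table is returned in dotted form.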
 
own3r1138

Re: Certificate CRL issue | Got CRL with a bad signature

Thu Jun 22, 2023 1:28 pm

What's new in 7.11beta2 (2023-Jun-21 14:39):
*) certificate - restored RSA with SHA512 support;
 
LetMeRepair

Re: Certificate CRL issue | Got CRL with a bad signature

Fri Jun 23, 2023 10:51 am

Just saw that myself. Confirm it's working!
 
patrickmkt

Re: Certificate CRL issue | Got CRL with a bad signature

Sun Jun 25, 2023 1:00 pm

That's great news
