主页 / 问题 / 550843
Accepted
1d0
Asked:2020-08-01 21:58:51 +0000 UTC2020-08-01 21:58:51 +0000 UTC

在 OpenVPN 日志中,工作密钥的 REVOKED 状态

  • 772

已临时授予用户使用 OpenVPN 进行远程访问的权限。执行功能后,用户键被移动到/etc/openvpn/easy-rsa/keys/revoked. 随后,用户再次需要访问权限,这些密钥(.crt、.csr、.key)被移动到/etc/openvpn/easy-rsa/keys//etc/openvpn/ccd

但是在服务器端 (Ubuntu) 的日志中,它一直显示密钥已被撤销:

Mon Aug 1 16:30:40 2016 MULTI: multi_create_instance called Mon Aug 1 16:30:40 2016 79.79.79.13:52015 Re-using SSL/TLS context Mon Aug 1 16:30:40 2016 79.79.79.13:52015 LZO compression initialized Mon Aug 1 16:30:40 2016 79.79.79.13:52015 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ] Mon Aug 1 16:30:40 2016 79.79.79.13:52015 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ] Mon Aug 1 16:30:40 2016 79.79.79.13:52015 Local Options hash (VER=V4): '360696c5' Mon Aug 1 16:30:40 2016 79.79.79.13:52015 Expected Remote Options hash (VER=V4): '13a273ba' Mon Aug 1 16:30:40 2016 79.79.79.13:52015 TLS: Initial packet from [AF_INET]79.79.79.13:52015, sid=1f1bca19 a8c61716 Mon Aug 1 16:30:40 2016 79.79.79.13:52015 CRL CHECK OK: /C=RU/ST=77/L=Moscow/O=COMPANY/CN=COMPANY_CA/emailAddress=it@COMPANY.ru Mon Aug 1 16:30:40 2016 79.79.79.13:52015 VERIFY OK: depth=1, /C=RU/ST=77/L=Moscow/O=COMPANY/CN=COMPANY_CA/emailAddress=it@COMPANY.ru Mon Aug 1 16:30:40 2016 79.79.79.13:52015 CRL CHECK FAILED: /C=RU/ST=77/L=Moscow/O=COMPANY/CN=vpn-mks/emailAddress=it@COMPANY.ru is REVOKED Mon Aug 1 16:30:40 2016 79.79.79.13:52015 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned Mon Aug 1 16:30:40 2016 79.79.79.13:52015 TLS Error: TLS object -> incoming plaintext read error Mon Aug 1 16:30:40 2016 79.79.79.13:52015 TLS Error: TLS handshake failed Mon Aug 1 16:30:40 2016 79.79.79.13:52015 SIGUSR1[soft,tls-error] received, client-instance restarting

从客户端 (Windows 7) 日志:

Mon Aug 01 17:31:33 2016 OpenVPN 2.3.11 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on May 10 2016 Mon Aug 01 17:31:33 2016 Windows version 6.1 (Windows 7) 32bit Mon Aug 01 17:31:33 2016 library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.09 Enter Management Password: Mon Aug 01 17:31:33 2016 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340 Mon Aug 01 17:31:33 2016 Need hold release from management interface, waiting... Mon Aug 01 17:31:34 2016 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340 Mon Aug 01 17:31:34 2016 MANAGEMENT: CMD 'state on' Mon Aug 01 17:31:34 2016 MANAGEMENT: CMD 'log all on' Mon Aug 01 17:31:34 2016 MANAGEMENT: CMD 'hold off' Mon Aug 01 17:31:34 2016 MANAGEMENT: CMD 'hold release' Mon Aug 01 17:31:34 2016 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file Mon Aug 01 17:31:34 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Mon Aug 01 17:31:34 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Mon Aug 01 17:31:34 2016 Socket Buffers: R=[8192->8192] S=[8192->8192] Mon Aug 01 17:31:34 2016 MANAGEMENT: >STATE:1470058294,RESOLVE,,, Mon Aug 01 17:31:34 2016 UDPv4 link local: [undef] Mon Aug 01 17:31:34 2016 UDPv4 link remote: [AF_INET]79.1.1.1:1194 Mon Aug 01 17:31:34 2016 MANAGEMENT: >STATE:1470058294,WAIT,,, Mon Aug 01 17:31:34 2016 MANAGEMENT: >STATE:1470058294,AUTH,,, Mon Aug 01 17:31:34 2016 TLS: Initial packet from [AF_INET]79.1.1.1:1194, sid=d57d0f42 29d70bb7 Mon Aug 01 17:31:34 2016 VERIFY OK: depth=1, C=RU, ST=77, L=Moscow, O=COMPANY, CN=COMPANY CA, emailAddress=it@COMPANY.ru Mon Aug 01 17:31:34 2016 VERIFY OK: nsCertType=SERVER Mon Aug 01 17:31:34 2016 VERIFY OK: depth=0, C=RU, ST=77, L=Moscow, O=COMPANY, CN=server, emailAddress=it@COMPANY.ru Mon Aug 01 17:32:34 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) Mon Aug 01 17:32:34 2016 TLS Error: TLS handshake failed Mon Aug 01 17:32:34 2016 SIGUSR1[soft,tls-error] received, process restarting Mon Aug 01 17:32:34 2016 MANAGEMENT: >STATE:1470058354,RECONNECTING,tls-error,, Mon Aug 01 17:32:34 2016 Restart pause, 2 second(s)

可能是什么问题呢?

linux

1 个回答

  1. Best Answer

    毕竟我会用俄语做操作方法。

    总的来说,按照我的理解,这种做法并不完全正确。99.9% 需要重新发行密钥。但是如果重新发布密钥有任何问题,那么你可以按如下方式进行。

    1) 在有证书的文件夹中(例如:)/etc/openvpn/easy-rsa/keys/必须有一个index.txt文件,它存储了一个证书列表。基于此文件,生成 CRL(证书撤销列表)。

    2) 在此文件中,您需要找到具有所需证书的行,该证书应该被恢复。

    在第一列中,已撤销证书的状态为 - R,有效证书的状态为 - V。因此,我们将吊销证书的状态更改为V并删除表格160510070838Z的第三列(这是证书吊销日期)。

    3) 现在我们需要根据新的 index.txt 文件重新生成 CRL。

    从 revoke-full 脚本创建的 CRL 重新生成脚本

    #!/bin/bash

#regenerate CRL,

CRL="crl.pem"
RT="revoke-test.pem"

if [ "$KEY_DIR" ]; then
    cd "$KEY_DIR"
    rm -f "$RT"

    # set defaults
    export KEY_CN=""
    export KEY_OU=""
    export KEY_NAME=""

    # generate a new CRL -- try to be compatible with
    # intermediate PKIs
    $OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
    if [ -e export-ca.crt ]; then
        cat export-ca.crt "$CRL" >"$RT"
    else
        cat ca.crt "$CRL" >"$RT"
    fi

else
    echo 'Please source the vars script first (i.e. "source ./vars")'
    echo 'Make sure you have edited it to reflect your configuration.'
fi

    保存此脚本(例如,./crl-regen)。

    4)加载变量

    root@server:/etc/openvpn/easy-rsa# . ./vars

    5)运行这个脚本

    root@server:/etc/openvpn/easy-rsa#sh crl-regen

    准备好!

    • 1

相关问题