Migrating self signed CA

Posted: Fri Dec 21, 2018 12:12 pm
by steinbergs
Hi. I have one CCR1016-12S-1S+ as the primary device and a second CCR1016-12S-1S+ as backup.
The primary CCR is also an OVPN server. I want to configure the second CCR to run the backup OVPN server, but so that users can authenticate with the self-signed certificates I generated on the primary CCR.
I copied all the config from CCR 1 to CCR 2, exported the CA with a passphrase from CCR1 and imported it to CCR2. I exported the user and server certificates with a passphrase and imported them.
The CA shows up as KLAT, the server and user certs as KAT.
When I try to connect to CCR2, OVPN shows an error:
Fri Dec 21 12:01:07 2018 SIGUSR1[soft,tls-error] received, process restarting
Fri Dec 21 12:01:12 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]10.0.1.254:1194
Fri Dec 21 12:01:12 2018 Attempting to establish TCP connection with [AF_INET]10.0.1.254:1194 [nonblock]
Fri Dec 21 12:01:13 2018 TCP connection established with [AF_INET]10.0.1.254:1194
Fri Dec 21 12:01:13 2018 TCP_CLIENT link local: (not bound)
Fri Dec 21 12:01:13 2018 TCP_CLIENT link remote: [AF_INET]10.0.1.254:1194
Fri Dec 21 12:01:14 2018 OpenSSL: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Fri Dec 21 12:01:14 2018 OpenSSL: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
Fri Dec 21 12:01:14 2018 TLS_ERROR: BIO read tls_read_plaintext error
Fri Dec 21 12:01:14 2018 TLS Error: TLS object -> incoming plaintext read error
Fri Dec 21 12:01:14 2018 TLS Error: TLS handshake failed
Fri Dec 21 12:01:14 2018 Fatal TLS error (check_tls_errors_co), restarting
Fri Dec 21 12:01:14 2018 SIGUSR1[soft,tls-error] received, process restarting
Any ideas? Thank you in advance!

Re: Migrating self signed CA

Posted: Fri Dec 21, 2018 12:31 pm
by Ape
Hi,

I've no idea what's wrong - as you described the situation, everything is good IMO. Nevertheless, the error message clearly says that the server cannot verify the client certificate.
Did you try to restart the OpenVPN server (disabling and re-enabling it) and/or restarting the CCR?


Regards,
Ape

Edit: typos

Re: Migrating self signed CA

Posted: Fri Dec 21, 2018 12:47 pm
by steinbergs
Yes, I tried to restart everything but I get the same error.
I also tried to create new certificates on CCR2 using the CA from CCR1, but no success.

Re: Migrating self signed CA

Posted: Thu Jan 10, 2019 8:30 pm
by AndresRqta
I have a similar problem.
I have in production a small MikroTik RB-750 configured with OpenVPN and four Windows clients. The configuration is OK and works without problems.
I have an updated .backup file (generated by Winbox), and another RB-750 saved for emergency purposes.

In the last few days I tried to restore the configuration from the first RB750 to the second RB750. The backup file does not contain the certificates, so we need to upload and reinstall them manually.
However, this new RB750 cannot operate the OpenVPN server like the first one.
Maybe a configuration related to some internal data of the RouterBoard?

Thanks.

Re: Migrating self signed CA

Posted: Thu Jan 10, 2019 9:32 pm
by sebastia
Hi

Wiki states "All private keys and CA export passphrase are stored encrypted with hardware ID." https://wiki.mikrotik.com/wiki/Manual:S ... rtificates.
When you list details of the certs, do they have valid private keys?

Re: Migrating self signed CA

Posted: Fri Jul 12, 2019 2:27 pm
by slyz
Same problem as the OP described.

The only difference I see in the output is `ca` on the primary device and `issuer` on the backup device.
Primary device:
K L A  T name="myplace" country="LV" state="LV" locality="Riga" organization="corp" unit="IT" 
            common-name="myplace" key-size=2048 days-valid=3650 trusted=yes key-usage=key-cert-sign,crl-sign 
            ca-crl-host="127.0.0.1" serial-number="46Dxxxxxxxxxx100" 
            fingerprint="e20...ba345" 
            invalid-before=feb/07/2018 11:51:34 invalid-after=feb/05/2028 11:51:34
K I        name="guy@myplace" country="LV" state="LV" locality="Riga" organization="corp" 
            unit="IT" common-name="guy@myplace" key-size=2048 days-valid=3650 trusted=no 
            key-usage=tls-client ca=myplace serial-number="136xxxxxxxxxxF3C" 
            fingerprint="d22...e30" 
            invalid-before=may/25/2018 14:00:44 invalid-after=may/22/2028 14:00:44
Backup device:
KL A  T name="myplace" issuer=C=LV,ST=LV,L=Riga,O=corp,OU=IT,CN=myplace digest-algorithm=sha256
           key-type=rsa country="LV" state="LV" locality="Riga" organization="corp" unit="IT"
           common-name="myplace" key-size=2048 subject-alt-name="" days-valid=3650 trusted=yes
           key-usage=key-cert-sign,crl-sign serial-number="46Dxxxxxxxxxx100"
           fingerprint="e20...ba345"
           invalid-before=feb/07/2018 11:51:34 invalid-after=feb/05/2028 11:51:34 expires-after=447w21h47m48s
K     T  name="guy@myplace" issuer=C=LV,ST=LV,L=Riga,O=myplace,OU=IT,CN=myplace
           digest-algorithm=sha256 key-type=rsa country="LV" state="LV" locality="Riga" organization="corp"
           unit="IT" common-name="guy@myplace" key-size=2048 subject-alt-name="" days-valid=3650
           trusted=yes key-usage=tls-client serial-number="136xxxxxxxxxxF3C"
           fingerprint="d22...e30"
           invalid-before=may/25/2018 14:00:44 invalid-after=may/22/2028 14:00:44 expires-after=462w2d23h56m58s
Any suggestions, how to get clients to connect? Changing client side config is not an option.

Re: Migrating self signed CA

Posted: Mon Aug 05, 2019 12:05 am
by wolfktl
Same problem with certificate transfers

ROS 6.44.5

Generation of certificates

/certificate add name=template-CA country="RU" state="Moscow" locality="RU" organization="88888" unit="" common-name="MT-CA" key-size=4096 days-valid=3650 key-usage=crl-sign,key-cert-sign
/certificate sign template-CA ca-crl-host=127.0.0.1 name="MT-CA"


/certificate add name=template-SRV country="RU" state="Moscow" locality="RU" organization="88888" unit="" common-name="SRV-OVPN" key-size=4096 days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
/certificate sign template-SRV ca="MT-CA" name="SRV-OVPN"


/certificate add name=template-CL country="RU" state="Moscow" locality="" organization="88888" unit="" common-name="client-ovpn-template" key-size=4096 days-valid=3650 key-usage=tls-client

/certificate add name=template-CL-to-issue copy-from="template-CL" common-name="user_test"
/certificate sign template-CL-to-issue ca="MT-CA" name="user_test"

Export certificates

certificate export-certificate MT-CA export-passphrase=password12345678
certificate export-certificate export-passphrase=password12345678
/certificate export-certificate user_test export-passphrase=password12345678

Import new mikrotik

[admin@MT-CORE-YC] > certificate import file-name=cert_export_MT-CA.crt passphrase=password12345678
certificates-imported: 1
private-keys-imported: 0
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 0

[admin@MT-CORE-YC] > certificate import file-name=cert_export_MT-CA.key passphrase=password12345678
certificates-imported: 0
private-keys-imported: 1
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 0

[admin@MT-CORE-YC] > certificate import file-name=cert_export_SRV-OVPN.crt passphrase=password12345678
certificates-imported: 1
private-keys-imported: 0
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 0

[admin@MT-CORE-YC] > certificate import file-name=cert_export_SRV-OVPN.key passphrase=password12345678
certificates-imported: 0
private-keys-imported: 1
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 0

[admin@MT-CORE-YC] > certificate import file-name=cert_export_user_test.crt passphrase=password12345678
certificates-imported: 1
private-keys-imported: 0
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 0

[admin@MT-CORE-YC] > certificate import file-name=cert_export_user_test.key passphrase=password12345678
certificates-imported: 0
private-keys-imported: 1
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 0

certificate print
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
# NAME COMMON-NAME SUBJECT-ALT-NAME
0 K L A T MT-CA MT-CA
1 K SRV-OVPN SRV-OVPN
2 K user_test user_test

Connect to new mikrotik
Log mikrotik:
ovpn,debug <1.17.29.184>: disconnected <TLS failed>

Log client:
Sun Aug 04 23:55:07 2019 OpenSSL: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Sun Aug 04 23:55:07 2019 OpenSSL: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
Sun Aug 04 23:55:07 2019 TLS_ERROR: BIO read tls_read_plaintext error
Sun Aug 04 23:55:07 2019 TLS Error: TLS object -> incoming plaintext read error
Sun Aug 04 23:55:07 2019 TLS Error: TLS handshake failed
Sun Aug 04 23:55:07 2019 Fatal TLS error (check_tls_errors_co), restarting

Re: Migrating self signed CA

Posted: Thu Aug 08, 2019 5:45 pm
by Exiver
@wolfktl please post your whole configuration (original router, backup router and client) - otherwise it's just a guess into the blue.

-> /export hide-sensitive

Re: Migrating self signed CA

Posted: Fri Oct 25, 2019 12:18 am
by storybel
Would any of you have the solution?
I am in the same situation.
The imported CA is not "recognized".
Generating new client certificates is not an option.

Re: Migrating self signed CA

Posted: Fri Oct 25, 2019 12:51 am
by storybel
Finally, I have the solution.
The problem was the CRL.
Importing certificates with the CRL works:
- on old router: IP -> Services -> enable WWW
- on old router: make sure the firewall is open
- on new:
  - verify you have connectivity to the old router (ping, traceroute..)
  - import certificates with passphrase
  - reload openvpn (or sstp..)
It works for me!
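A small checker for the `/certificate print detail` listing that slyz posted, covering the points this thread turned on: whether the CA's private key (K) and trust (T) survived the import (sebastia's question), whether a CRL (L) is in use so the CRL host must be reachable during import (storybel's fix), and whether every end-entity certificate's issuer is actually an authority on the new router (the "unknown ca" alert). This is an added example, not RouterOS or forum code; the sample listing is constructed after slyz's backup-device output with one extra certificate from a foreign issuer, and the flag letters follow the legend in wolfktl's `certificate print` output.

```python
"""Check a RouterOS '/certificate print detail' listing for the migration pitfalls in this thread."""
import re

ENTRY_RE = re.compile(r"^\s*\d*\s*([A-Z ]*?)\s*name=")   # entry line: optional index, flag columns, name=
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')             # key=value or key="quoted value"
# Constructed sample modelled on slyz's backup-device output, plus one certificate with a foreign issuer
SAMPLE_LISTING = """\
KL A  T name="myplace" issuer=C=LV,ST=LV,L=Riga,O=corp,OU=IT,CN=myplace common-name="myplace"
           trusted=yes key-usage=key-cert-sign,crl-sign ca-crl-host="127.0.0.1"
K     T  name="guy@myplace" issuer=C=LV,ST=LV,L=Riga,O=corp,OU=IT,CN=myplace
           common-name="guy@myplace" trusted=yes key-usage=tls-client
K        name="orphan" issuer=CN=other-ca common-name="orphan" key-usage=tls-client
"""
def parse_listing(text):
    """Return one dict per certificate: its flag set plus every key=value attribute."""
    entries, current = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:   # flags such as K L A I T become a set; continuation lines are indented
            current = {"flags": set(m.group(1).replace(" ", ""))}
            entries.append(current)
        if current is not None:
            for key, value in KV_RE.findall(line):
                current[key] = value.strip('"')
    return entries

def issuer_cn(entry):
    """CN of an issuer DN like C=LV,...,CN=myplace (assumes no commas inside DN values)."""
    parts = dict(p.split("=", 1) for p in entry.get("issuer", "").split(",") if "=" in p)
    return parts.get("CN")

def check_migration(entries):
    """Findings that would explain a 'tlsv1 alert unknown ca' after importing on the backup router."""
    cas = [e for e in entries if "A" in e["flags"]]
    by_name = {e["name"]: e for e in cas}          # the 'ca=' attribute refers to the RouterOS name
    by_cn = {e.get("common-name"): e for e in cas}  # the 'issuer=' DN refers to the CA's CN
    findings = []
    for ca in cas:
        if "K" not in ca["flags"]:   # sebastia's question: did the private key survive the import?
            findings.append(f"CA {ca['name']}: private key (K) missing after import")
        if "T" not in ca["flags"]:
            findings.append(f"CA {ca['name']}: not trusted (T), so nothing it signed will verify")
        if "L" in ca["flags"]:       # storybel's finding: the CRL must be fetchable during import
            findings.append(f"CA {ca['name']}: CRL in use (L); the new router must reach the CRL "
                            f"host {ca.get('ca-crl-host', '<not set>')} (thread fix: WWW on old router)")
    for e in entries:
        if "A" not in e["flags"] and not (by_name.get(e.get("ca")) or by_cn.get(issuer_cn(e))):
            findings.append(f"{e['name']}: issuer {issuer_cn(e)!r} is not an authority here -> unknown ca")
    return findings
```

Run it on the listing from the new router; no findings means the chain and CRL look the way the old router had them.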

Re: Migrating self signed CA

Posted: Fri Mar 27, 2020 4:37 am
by jerryroy1
Please clarify this step.
- on new:
  - verify you have connectivity to the old router (ping, traceroute..)
  - import certificates with passphrase
  - reload openvpn (or sstp..)
Why connectivity to the old router? Do you mean open a browser to the WAN of the old router?
How are you connecting and importing on the new router?