Bug 13737

Summary: IPSec Renew Host Certificate causes openssl error message
Product: IPFire Reporter: Adolf Belka <adolf.belka>
Component: ---Assignee: Adolf Belka <adolf.belka>
Status: ASSIGNED --- QA Contact:
Severity: Major Usability    
Priority: - Unknown - CC: michael.tremer
Version: 2   
Hardware: all   
OS: Unspecified   

Description Adolf Belka 2024-08-06 13:33:53 UTC 
When trying to help someone having problems with an IPSec certificate I tested out the Renew Host Certificate icon in the WUI on my vm testbed.

The involved Host Certificate was already expired and revoked.

Pressing the Renew Host Certificate icon gave the following Error message:-

Error messages
OpenSSL produced an error:
Using configuration from /etc/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'NL'
organizationName :PRINTABLE:'XXXXX'
commonName :PRINTABLE:'ipfire.XXXX.XXXX.XXXX'
ERROR:Serial number 01 has already been issued,
check the database/serial_file for corruption
The matching entry has the following details
Type :Revoked
Was revoked on:240530141737Z
Expires on :240530141737Z
Serial Number :01
File name :unknown
Subject Name :/C=NL/O=Newton Sand/CN=  ipfire.XXXX.XXXX.XXXX


I then created a new x509 root and host certificate.

I then pressed the Renew Host Certificate icon again and got the same error message, just with the Was revoked on: and Expires on : entries being 

261109130230Z

This renew option was put into IPSec in CU184 but this is the first time I have tried it out.
Comment 1 Adolf Belka 2024-08-06 13:58:23 UTC 
Looking through the log on the vm machine I found the following messages.

Aug  6 15:56:32 ipfire ipsec: Regenerating host certificate...
Aug  6 15:56:32 ipfire ipsec: Revoking the old host cert...
Aug  6 15:56:32 ipfire ipsec: Self signing host cert...


This does not show up in the IPSec System Logs as the name ipsec is used rather than charon.

So the Renew Host Certficate goes through the first three parts and falls down at the Self signing host cert step.
Comment 2 Adolf Belka 2024-08-06 14:14:23 UTC 
I ran the openssl commands manually and the failure occurs during the "sign the host certificate request" stage.

The "Create a CSR based on the existing certificate" and "Revoke the old certificate" steps all work fine.

I am not sure but it looks to me like the "Sign the host certificate request" step is also trying to revoke the old cert but it has already been revoked.

The message that came up with the "Sign the host certificate request" step was

openssl ca -md sha256 -days 825 -batch -notext -in /var/ipfire/certs/hostreq.pem -out /var/ipfire/certs/hostcert.pem 

Using configuration from /etc/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'NL'
organizationName      :PRINTABLE:'XXXXX'
commonName            :PRINTABLE:'ipfire.XXXX.XXXX.XXXX'
ERROR:Serial number 01 has already been issued,
      check the database/serial_file for corruption
The matching entry has the following details
Type          :Revoked
Was revoked on:261109140353Z
Expires on    :261109140353Z
Serial Number :01
File name     :unknown
Subject Name  :/C=NL/O=Newton Sand/CN=ipfire.XXXX.XXXX.XXXX

and the Error message is that the serial number 01 has already been issued.

In the "Revoke the old certificate" step the following was reported:-

openssl ca -revoke /var/ipfire/certs/hostcert.pem 

Using configuration from /etc/ssl/openssl.cnf
Adding Entry with serial number 01 to DB for /C=NL/O=Newton Sand/CN=ipfire.saturn.pimb.org
Revoking Certificate 01.
Database updated

Hence why I think the signing is trying to revoke the cert a second time but my conclusion may not be valid.

Hopefully the above helps to figure out what is going wrong.
Comment 3 Adolf Belka 2024-08-06 14:42:21 UTC 
Having looked through the code and thought about it for a while I am wondering if the serial number should be incremented when a new cert is being created. That doesn't happen in vpnmain.cgi. The value in the serial file always stays at 01 so when the replacement cert is being signed it finds that the serial entry in the database has already been used.

I just edited the serial file to change 01 to 02 and then ran the

openssl ca -md sha256 -days 825 -batch -notext -in /var/ipfire/certs/hostreq.pem -out /var/ipfire/certs/hostcert.pem 

command again and this time the cert was successfully signed and now the index.txt database has the revoked 01 cert and a valid 02 cert.

So the serial value needs to be incremented somewhere in the vpnmain.cgi code.

I will have a look and see if I can figure out where it should be done.
Comment 4 Adolf Belka 2024-08-06 16:21:33 UTC 
After generating the Root/Host certificate set, if I change the value in the serial file from 01 to 02 and then press the Renew Host Certificate icon then the Host cert is renewed and the value in serial is incremented. So the incrementation is working but not at the start, only after serial has been changed to 02.

I also noticed that after creating the root/host certificates that the index.txt has no Valid entry for that cert, so it looks like the initial generation is not updating the index.txt database.

If the serial is changed to 02 after the root/host certs have been generated then a Renew Host Certificate step updates the index.txt to have a revoked 01 cert and a valid 02 cert.