When trying to help someone having problems with an IPSec certificate I tested out the Renew Host Certificate icon in the WUI on my vm testbed. The involved Host Certificate was already expired and revoked. Pressing the Renew Host Certificate icon gave the following Error message:-

    Error messages
    OpenSSL produced an error:
    Using configuration from /etc/ssl/openssl.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'NL'
    organizationName      :PRINTABLE:'XXXXX'
    commonName            :PRINTABLE:'ipfire.XXXX.XXXX.XXXX'
    ERROR:Serial number 01 has already been issued, check the database/serial_file for corruption
    The matching entry has the following details
    Type          :Revoked
    Was revoked on:240530141737Z
    Expires on    :240530141737Z
    Serial Number :01
    File name     :unknown
    Subject Name  :/C=NL/O=Newton Sand/CN=ipfire.XXXX.XXXX.XXXX

I then created a new x509 root and host certificate. I then pressed the Renew Host Certificate icon again and got the same error message, just with the Was revoked on: and Expires on : entries being 261109130230Z

This renew option was put into IPSec in CU184 but this is the first time I have tried it out.
Looking through the log on the vm machine I found the following messages.

    Aug 6 15:56:32 ipfire ipsec: Regenerating host certificate...
    Aug 6 15:56:32 ipfire ipsec: Revoking the old host cert...
    Aug 6 15:56:32 ipfire ipsec: Self signing host cert...

This does not show up in the IPSec System Logs as the name ipsec is used rather than charon.

So the Renew Host Certificate goes through the first three parts and falls down at the Self signing host cert step.
I ran the openssl commands manually and the failure occurs during the "sign the host certificate request" stage. The "Create a CSR based on the existing certificate" and "Revoke the old certificate" steps all work fine.

I am not sure but it looks to me like the "Sign the host certificate request" step is also trying to revoke the old cert but it has already been revoked.

The message that came up with the "Sign the host certificate request" step was

    openssl ca -md sha256 -days 825 -batch -notext -in /var/ipfire/certs/hostreq.pem -out /var/ipfire/certs/hostcert.pem
    Using configuration from /etc/ssl/openssl.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'NL'
    organizationName      :PRINTABLE:'XXXXX'
    commonName            :PRINTABLE:'ipfire.XXXX.XXXX.XXXX'
    ERROR:Serial number 01 has already been issued, check the database/serial_file for corruption
    The matching entry has the following details
    Type          :Revoked
    Was revoked on:261109140353Z
    Expires on    :261109140353Z
    Serial Number :01
    File name     :unknown
    Subject Name  :/C=NL/O=Newton Sand/CN=ipfire.XXXX.XXXX.XXXX

and the Error message is that the serial number 01 has already been issued.

In the "Revoke the old certificate" step the following was reported:-

    openssl ca -revoke /var/ipfire/certs/hostcert.pem
    Using configuration from /etc/ssl/openssl.cnf
    Adding Entry with serial number 01 to DB for /C=NL/O=Newton Sand/CN=ipfire.saturn.pimb.org
    Revoking Certificate 01.
    Database updated

Hence why I think the signing is trying to revoke the cert a second time but my conclusion may not be valid.

Hopefully the above helps to figure out what is going wrong.
Having looked through the code and thought about it for a while I am wondering if the serial number should be incremented when a new cert is being created. That doesn't happen in vpnmain.cgi. The value in the serial file always stays at 01 so when the replacement cert is being signed it finds that the serial entry in the database has already been used. I just edited the serial file to change 01 to 02 and then ran the openssl ca -md sha256 -days 825 -batch -notext -in /var/ipfire/certs/hostreq.pem -out /var/ipfire/certs/hostcert.pem command again and this time the cert was successfully signed and now the index.txt database has the revoked 01 cert and a valid 02 cert. So the serial value needs to be incremented somewhere in the vpnmain.cgi code. I will have a look and see if I can figure out where it should be done.
After generating the Root/Host certificate set, if I change the value in the serial file from 01 to 02 and then press the Renew Host Certificate icon then the Host cert is renewed and the value in serial is incremented. So the incrementation is working but not at the start, only after serial has been changed to 02. I also noticed that after creating the root/host certificates that the index.txt has no Valid entry for that cert, so it looks like the initial generation is not updating the index.txt database. If the serial is changed to 02 after the root/host certs have been generated then a Renew Host Certificate step updates the index.txt to have a revoked 01 cert and a valid 02 cert.
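The two posts above boil down to the bookkeeping `openssl ca` keeps in its index.txt database and serial file: a serial that already appears in index.txt (valid or revoked) is refused, and the serial file is only bumped when `openssl ca` itself signs something. The following Python is an added example, not IPFire's vpnmain.cgi or OpenSSL code; it models those two rules so the failing renew (serial file still at 01 after the initial host cert was issued outside the database) and the working renew (serial file bumped to the next free value) can be replayed offline. Every index.txt record, date and subject name in it is constructed, and the function names (`revoke`, `sign`, `renew_host_cert`, `next_free_serial`) are this example's own.

```python
"""Model of the serial-file / index.txt bookkeeping behind the
"Serial number 01 has already been issued" error.

Added example, not IPFire or OpenSSL code: it mimics in Python the checks
`openssl ca` makes, so the failing and the working renew sequences from the
thread can be replayed offline. All index.txt content and dates below are
constructed; the subject name is a placeholder.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IndexEntry:
    status: str    # "V" valid, "R" revoked, "E" expired
    expiry: str    # notAfter as UTCTime, e.g. "261109140353Z"
    revoked: str   # revocation time; empty unless status == "R"
    serial: str    # hex serial as openssl writes it, e.g. "01"
    filename: str  # "unknown" unless the CA keeps a copy of the cert
    subject: str   # DN in OpenSSL's "/C=../O=../CN=.." form


def parse_index(text: str) -> List[IndexEntry]:
    """index.txt: one record per line, six tab-separated fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index.txt record: {line!r}")
        entries.append(IndexEntry(*fields))
    return entries


def format_serial(n: int) -> str:
    """The serial file holds upper-case hex with an even number of digits."""
    s = format(n, "X")
    return "0" + s if len(s) % 2 else s


def find_issued(entries: List[IndexEntry], serial: str) -> Optional[IndexEntry]:
    """Any record with this serial, valid or revoked, counts as 'already issued'."""
    want = int(serial, 16)
    return next((e for e in entries if int(e.serial, 16) == want), None)


def revoke(entries, serial, subject, expiry, when) -> List[IndexEntry]:
    """`openssl ca -revoke`: a cert unknown to the DB is added first, then marked R."""
    existing = find_issued(entries, serial)
    if existing is None:
        existing = IndexEntry("V", expiry, "", serial, "unknown", subject)
        entries = entries + [existing]
    return [replace(e, status="R", revoked=when) if e is existing else e for e in entries]


def sign(entries, serial_file, subject, expiry) -> Tuple[List[IndexEntry], str]:
    """`openssl ca` signing: refuse a serial already in the DB, else record V and bump the serial file."""
    clash = find_issued(entries, serial_file)
    if clash is not None:
        raise RuntimeError(
            f"Serial number {serial_file} has already been issued (matching entry: {clash.status})")
    issued = IndexEntry("V", expiry, "", serial_file, "unknown", subject)
    return entries + [issued], format_serial(int(serial_file, 16) + 1)


def next_free_serial(entries, serial_file) -> str:
    """Smallest serial that is past every DB record and not below the serial file."""
    highest = max([int(e.serial, 16) for e in entries] + [int(serial_file, 16) - 1])
    return format_serial(highest + 1)


def renew_host_cert(entries, serial_file, old_serial, subject, expiry, now):
    """Renew sequence from the thread: revoke the old host cert, then sign the new request."""
    entries = revoke(entries, old_serial, subject, expiry, now)
    return sign(entries, serial_file, subject, expiry)


# Constructed state right after initial root/host generation as the thread
# describes it: host cert carries serial 01, index.txt is empty, serial file says 01.
SUBJECT = "/C=NL/O=Example Org/CN=ipfire.example.test"   # placeholder DN
EXPIRY, NOW = "261109140353Z", "240806155632Z"            # constructed UTCTime values
INITIAL_INDEX = ""
INITIAL_SERIAL = "01"


def replay_broken_renew():
    """Renew with the serial file still at 01: revoke records 01, signing then clashes on 01."""
    try:
        renew_host_cert(parse_index(INITIAL_INDEX), INITIAL_SERIAL, "01", SUBJECT, EXPIRY, NOW)
    except RuntimeError as err:
        return str(err)
    return None


def replay_fixed_renew():
    """Same renew after the serial file has been bumped to the next free value."""
    entries = parse_index(INITIAL_INDEX)
    bumped = next_free_serial(revoke(entries, "01", SUBJECT, EXPIRY, NOW), INITIAL_SERIAL)
    return renew_host_cert(entries, bumped, "01", SUBJECT, EXPIRY, NOW)


if __name__ == "__main__":
    print(replay_broken_renew())
    new_index, new_serial = replay_fixed_renew()
    for e in new_index:
        print("\t".join([e.status, e.expiry, e.revoked, e.serial, e.filename, e.subject]))
    print("serial file now:", new_serial)
```

Running it prints the clash for the broken sequence and, for the fixed one, an index with the revoked 01 record and a valid 02 record plus a serial file of 03, which matches what the thread observed after editing the serial file by hand. The `next_free_serial` helper is the check a fix would want: whenever a cert is issued outside the database, the serial file has to end up one past the highest serial actually in use.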