Charts: [stable/openvpn] OpenVPN user with revoked certificate still can connect

Created on 28 Feb 2020  ·  3 Comments  ·  Source: helm/charts

Describe the bug
An OpenVPN user with a revoked certificate can still connect.

Version of Helm and Kubernetes:
Helm Client version: v2.14.3
Helm Server version: v2.14.1
Kubernetes client version: v1.15.9
GKE version: 1.15.8-gke.3

Which chart:
stable/openvpn

What happened:
An OpenVPN user with a revoked certificate can still connect.

What you expected to happen:
After certificate revocation, the user should not be able to connect to the server.

How to reproduce it (as minimally and precisely as possible):

  1. Create a user with the stable/openvpn chart's script for generating a new client key and a new .ovpn file for that user.
  2. After the user is successfully created, run the OpenVPN chart's script for user certificate revocation.

Anything else we need to know:
When you run the script every step is successful, but the revoked user can still connect using the revoked certificate that is part of the client .ovpn file.

Most helpful comment

Did you set the Helm release to use the CRL? By default, it's set to false.

helm install release-name stable/openvpn --set openvpn.useCrl=true

All 3 comments

I also experience the same problem and couldn't find a workaround yet. The server reports a successful operation, but the client config is still active.

$ ./revoke-client.sh XXX


Please confirm you wish to revoke the certificate with the following subject:

subject=
    commonName                = XXX


Type the word 'yes' to continue, or any other input to abort.
  Continue with revocation: yes
Using configuration from /etc/openvpn/certs/openssl-1.0.cnf
Revoking Certificate 17.
Data Base Updated

IMPORTANT!!!

Revocation was successful. You must run gen-crl and upload a CRL to your
infrastructure in order to prevent the revoked cert from being accepted.

Using configuration from /etc/openvpn/certs/openssl-1.0.cnf

An updated CRL has been created.
CRL file: /etc/openvpn/certs/pki/crl.pem

Content of the helper script:

#!/usr/bin/env bash
set -euo pipefail

# Client name (required)
KEY_NAME=${1:?usage: $0 <client-name>}
# Helm Release Name
HELM_RELEASE=${HELM_RELEASE:-openvpn}
# Namespace for the installation
NAMESPACE=${NAMESPACE:-openvpn}

# Find the chart's server pod by its release labels
POD_NAME=$(kubectl get pods -n "$NAMESPACE" -l "app=openvpn,release=$HELM_RELEASE" -o jsonpath='{.items[0].metadata.name}')
# Run the chart's revocation script inside the pod ("--" separates kubectl flags from the command)
kubectl -n "$NAMESPACE" exec -i "$POD_NAME" -- /etc/openvpn/setup/revokeClientCert.sh "$KEY_NAME"

Did you set the Helm release to use the CRL? By default, it's set to false.

helm install release-name stable/openvpn --set openvpn.useCrl=true
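
The advice above points at the actual cause: revoking a certificate only updates the CA's database and the CRL file; the server rejects the revoked client only if its config carries a `crl-verify` directive pointing at that CRL, which the chart adds when `openvpn.useCrl=true`. The following script is an added example written for this page (it is not part of the stable/openvpn chart or of this thread) that checks both halves of the requirement: that a server config has an active `crl-verify` line, and that a given serial actually appears in the CRL. The two sample configs are constructed inline for demonstration; the in-pod config path `/etc/openvpn/openvpn.conf` used by `pod_has_crl_verify` is an assumption and may differ in your deployment.

```shell
#!/usr/bin/env bash
# Added example, not chart code: verify that revocation is actually enforced.
set -eu

# Return 0 if CONFIG ($1) has an active (non-commented) crl-verify directive.
has_crl_verify() {
    grep -Eq '^[[:space:]]*crl-verify[[:space:]]+[^[:space:]]' "$1"
}

# Return 0 if the PEM CRL ($1) lists SERIAL ($2), written as openssl prints it
# (hex, the same form as the "Revoking Certificate NN." message).
# Requires openssl; reads all of grep's input so a broken pipe cannot occur.
crl_lists_serial() {
    openssl crl -in "$1" -noout -text | grep -Ei "Serial Number:[[:space:]]*0*$2\$" >/dev/null
}

# Live check against a running chart pod (namespace $1, pod $2).
# ASSUMPTION: the rendered server config lives at /etc/openvpn/openvpn.conf.
pod_has_crl_verify() {
    kubectl -n "$1" exec "$2" -- grep -Eq '^[[:space:]]*crl-verify[[:space:]]+[^[:space:]]' /etc/openvpn/openvpn.conf
}

# Constructed sample configs (not real chart output): one without the
# directive (commented out, as a chart with useCrl=false would leave it),
# one with it.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CFG_NOCRL="$WORK/server-nocrl.conf"
CFG_CRL="$WORK/server-crl.conf"
cat > "$CFG_NOCRL" <<'EOF'
port 1194
proto udp
ca /etc/openvpn/certs/pki/ca.crt
cert /etc/openvpn/certs/pki/issued/server.crt
key /etc/openvpn/certs/pki/private/server.key
# crl-verify /etc/openvpn/certs/pki/crl.pem
EOF
cat > "$CFG_CRL" <<'EOF'
port 1194
proto udp
ca /etc/openvpn/certs/pki/ca.crt
cert /etc/openvpn/certs/pki/issued/server.crt
key /etc/openvpn/certs/pki/private/server.key
crl-verify /etc/openvpn/certs/pki/crl.pem
EOF

# Human-readable verdict for one config file.
report() {
    if has_crl_verify "$1"; then
        echo "$1: crl-verify present; revoked certificates are rejected"
    else
        echo "$1: NO active crl-verify; revoked certificates are still accepted"
    fi
}

report "$CFG_NOCRL"
report "$CFG_CRL"
```

After a revocation, run `crl_lists_serial /etc/openvpn/certs/pki/crl.pem <serial>` inside the pod with the serial printed by `revokeClientCert.sh` to confirm the CRL was regenerated, and `has_crl_verify` against the server config to confirm the server will actually consult it; a fresh CRL with no `crl-verify` line is exactly the state this issue describes.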

Thanks a lot, your advice solves my problem. I will close this issue.
