Comments (7)
Hi @kevin-olbrich,
Thanks of course for your report! I will add a flag like this to the view and to the `dump_crl` command, allowing you to create CRLs without an IDP.
Can I ask you for more information so that I can reproduce this? In #64 and other issues I did add test cases to make sure that the use case is covered. To do the same here, I of course need to be able to reproduce this. (and who knows, maybe I can even help you improve your OpenVPN configuration ;-))
kr, Mat
from django-ca.
@kevin-olbrich, while starting to look into this, I discovered that it is currently indeed possible to create a view that does not include the extension: all you have to do is set the scope of the view to `None`, e.g. `views.CertificateRevocationListView.as_view(scope=None)`.
When using the `dump_crl` command, you should get a similar outcome if you simply don't pass the `--scope` parameter.
I will however still add a flag for this, as this extension certainly caused trouble in the past.
(The current commit just adds a flag to the `dump_crl` command, the view is still missing.)
This time fixed for real! Feature is implemented and will be included in the next release!
However, I'm still hoping for more input so that I can reproduce your setup in automated tests.
> However, I'm still hoping for more input so that I can reproduce your setup in automated tests.
Actually it is not very complicated. I created a root CA on the CLI (without intermediaries). I then copied the CA cert available via URL to the OpenVPN server. When I added crl-verify for OpenVPN (the CRL is downloaded using cron), it always failed when connecting with a valid certificate. Actually it is related to the problem in #64.
OpenVPN validates the IDP using OpenSSL if it is present in the CRL. At least for me, it was not present or did not match in the root certificate and thus failed verification.
As the download happens in the background and blocking all connections because of an error in validation is not an option, it was better to remove the IDP extension from the CRL. If OpenVPN got a CRL that matches the CA but not the IDP, it could not do anything to solve this (which IMHO is a minor issue with large consequences).
Sorry, my knowledge of certificate extensions is limited. This is the first time I have worked with more complex setups in X.509. I was only using easyrsa before, which simply brings it down to only the basic features of X.509.
Thank you very much for your time and help! I could not contribute much to this change, so I want to thank you all the more for implementing everything!
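The symptom reported above can be reproduced with plain OpenSSL, which is the library OpenVPN's crl-verify relies on for CRL checks. The script below is an added example and is not code from this issue thread, from django-ca or from OpenVPN. It builds a throwaway root CA, two client certificates (one without any CRL Distribution Points, as easy-rsa style setups issue them, and one whose CRL Distribution Point names a hypothetical URL), and two empty CRLs from that CA, one without an Issuing Distribution Point and one with an IDP naming the same URL. It then runs `openssl verify -crl_check` against each combination. The URL `http://ca.example.invalid/django_ca/crl/`, all subject names and the function names are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the django-ca issue thread, from django-ca or from OpenVPN.
# Shows with plain OpenSSL why a CRL carrying an Issuing Distribution Point (IDP) fails
# crl-verify for certificates that do not name the same distribution point, while a CRL
# without an IDP is accepted for any certificate of the same issuer.
# Everything is generated locally in a temporary directory; the URL and names are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
CRL_URL="http://ca.example.invalid/django_ca/crl/"   # hypothetical distribution point URL

# Minimal OpenSSL config: a [ca] section for 'openssl ca -gencrl', a [req] section so no
# system openssl.cnf is needed, and the extension sections used below.
cat > ca.cnf <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
database         = index.txt
certificate      = ca.pem
private_key      = ca.key
default_md       = sha256
default_crl_days = 30

[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
commonName = unused

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

[ client_plain ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature

[ client_crldp ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
crlDistributionPoints = URI:$CRL_URL

[ crl_idp ]
issuingDistributionPoint = critical, @idp_section

[ idp_section ]
fullname = URI:$CRL_URL
onlyuser = TRUE
EOF
touch index.txt

# Root CA without intermediates, as in the report.
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out ca.key
openssl req -new -x509 -key ca.key -days 365 -subj "/CN=Example Root CA" \
    -config ca.cnf -extensions v3_ca -out ca.pem

# Two client certificates: 'plain' has no CRL Distribution Points, 'crldp' points at CRL_URL.
for name in plain crldp; do
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "client_$name.key"
    openssl req -new -key "client_$name.key" -subj "/CN=client-$name" -config ca.cnf -out "client_$name.csr"
    openssl x509 -req -in "client_$name.csr" -CA ca.pem -CAkey ca.key -CAcreateserial -days 365 \
        -extfile ca.cnf -extensions "client_$name" -out "client_$name.pem"
done

# Two (empty) CRLs from the same CA: one without an IDP, one with an IDP naming CRL_URL.
openssl ca -config ca.cnf -gencrl -out crl_plain.pem
openssl ca -config ca.cnf -gencrl -crlexts crl_idp -out crl_idp.pem

# has_idp <crl>: succeeds if the CRL carries an Issuing Distribution Point extension.
# This is the check worth running on a CRL that a cron job fetches for crl-verify.
has_idp() {
    openssl crl -in "$1" -noout -text | grep -q "Issuing Distribution Point"
}

# verify_with_crl <cert> <crl>: succeeds if OpenSSL finds the CRL applicable to the
# certificate and the certificate is not listed in it.
verify_with_crl() {
    openssl verify -crl_check -CAfile ca.pem -CRLfile "$2" "$1" >/dev/null 2>&1
}

report() {
    if verify_with_crl "$1" "$2"; then echo "accepted: $1 with $2"; else echo "rejected: $1 with $2"; fi
}

report client_plain.pem crl_plain.pem   # accepted: no IDP, nothing to match
report client_crldp.pem crl_idp.pem     # accepted: certificate CRLDP equals the CRL's IDP fullName
report client_plain.pem crl_idp.pem     # rejected: "unable to get certificate CRL"
```

OpenSSL only treats a CRL with an IDP as in scope for a certificate whose CRL Distribution Points name the same distribution point (or that matches the IDP's onlyuser/onlyCA restriction); a certificate without any CRLDP, or with a different URL, gets no usable CRL at all and the connection fails even though the certificate is valid. That is the failure mode above, and why a CRL without the extension (what the `dump_crl` command without `--scope`, or a view with `scope=None`, produces according to the maintainer's comment) works for such clients. The third case shows the alternative when you control issuance: give client certificates a CRLDP that matches the CRL's IDP.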
Hi Kevin,
> Sorry, my knowledge of certificate extensions is limited. This is the first time I work with more complex setups in x509. I was only using easyrsa before, which simply brings it down to only basic features of x509.
No worries, that's what the author of such a software is here for. I'm glad I can help.
> Actually it is not very complicated. ...
Can you please post the relevant configuration snippets from OpenVPN, client- and server-side? Of course, please properly sanitize it and don't post private keys ;-). Also, are you downloading the client or server CRL? I assume the former, but just to be sure (you can answer that question by posting the URL path, if you use a default provided view, or together with the view configuration).
Thanks very much for reporting the issue and for using django-ca!
kr, Mat
Closing due to lack of feedback. If you have any further issues, @kevin-olbrich, please don't hesitate to file a new issue!