T6896: OpenVPN change CRL revoke without restart #4245


HollyGurza (Contributor) commented Dec 20, 2024

Do not restart the service when only the CRL has changed.
The service still restarts when a certificate is revoked for the first time.

Change Summary

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Related PR(s)

Component(s) name

Proposed changes

How to test

server config:

conf
set interfaces dummy dum0 address '203.0.113.1/32'
set interfaces openvpn vtun10 encryption data-ciphers 'aes256'
set interfaces openvpn vtun10 hash 'sha512'
set interfaces openvpn vtun10 local-host '203.0.113.1'
set interfaces openvpn vtun10 local-port '1194'
set interfaces openvpn vtun10 mode 'server'
set interfaces openvpn vtun10 persistent-tunnel
set interfaces openvpn vtun10 protocol 'udp'
set interfaces openvpn vtun10 server client client1 ip '10.10.0.10'
set interfaces openvpn vtun10 server client client2 ip '10.10.0.11'
set interfaces openvpn vtun10 server domain-name 'vyos.net'
set interfaces openvpn vtun10 server max-connections '250'
set interfaces openvpn vtun10 server name-server '203.0.113.1'
set interfaces openvpn vtun10 server subnet '10.10.0.0/24'
set interfaces openvpn vtun10 server topology 'subnet'
set interfaces openvpn vtun10 tls ca-certificate 'serv1'
set interfaces openvpn vtun10 tls certificate 'serv1'
set interfaces openvpn vtun10 tls dh-params 'dh'
set interfaces openvpn vtun10 tls tls-version-min '1.0'
set pki ca serv1 certificate 'MIIDoTCCAomgAwIBAgIUDB7GMbRHC3/Xuwz/ogjz7fZOm8gwDQYJKoZIhvcNAQELBQAwWTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC0xvcy1BbmdlbGVzMQ0wCwYDVQQKDARWeU9TMRAwDgYDVQQDDAd2eW9zLmlvMB4XDTI0MTIwMzA5NTAzN1oXDTI5MTIwMjA5NTAzN1owWTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC0xvcy1BbmdlbGVzMQ0wCwYDVQQKDARWeU9TMRAwDgYDVQQDDAd2eW9zLmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqACEiyk5ZwBB2zH7pKQU7GVr/0OBlaQ7mRPFMdt7YNaCb6Ww7mWBwdrww1Z9JZaZ2Sn7O5/tXln3E0EE7QJtGf/4JkV4F8le6dUXsjP2Bz/H5Fy30B/19Yw9k1no3q4yuce1ALEEZfbOpB+Q6caadVG/QD2pE/SPegWKNXC5RRs0PwqP+0po107Rn7Gt70BOgKTWkK4Wk9tpmUPZDbH/oaHGlsQgZ6Er1Z3k70BOryDF+/UbT7LKgBPJrXLzVMNpipdXs2W1Ty67iUuW7+ouVrDFv4hwNtfmYRXeSWh9Sg0zLdMg3c9QGv8FRhRfkjO+iA7cHr2+hOTpizzwxvqdOwIDAQABo2EwXzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYDVR0OBBYEFPhEfpn+1viLr+Nc+GZ3DyINXslpMA0GCSqGSIb3DQEBCwUAA4IBAQBfckfDuCSYPZwGnNqo148Pj5I+hHEij9xRiUFV2RFr/z5jFSEqzI7jCUAyTX0m0ODU2yNl6STCVqiZIChMzSMMLNOEeq90xJZMr/DWK87xXNY9tqmF3Kg0pZ/xWajfBL2S1LCNv6tGFC81MpA0RL/RiUnuhq/zDNyWro/Y1DivzqO1jDYbHewUOogwj5Ou6ynnzRdlIZY+6C+juE7DWZbw0b0Hzm9EBplfs3PKYjX8fn+BuCrPSs45cl/8tUXDPwN+XdDSWfPEOHBImenXusP0Sv1VPoRXl3mjIgAs/nFa5T6qyXCteaEFn/zuj99N1USXJBm3QBV8U3eMGyQmLiSD'
set pki ca serv1 private key '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'
set pki certificate serv1 certificate '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'
set pki certificate serv1 private key 'MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDfDE7A8f30YWBHxRRPC1LSl5FUynckwE952FS0IR+SnMvR8yxA5xU4OgeNnTQMFrRFgSml5WvNtikRsFSF6uCKqpl9iT/agmoPbfZ/DfBzFoc9F3quNVIW9tqG9Ave5tLFRYIaTnePKFJvCST78H9OAfQ1YNopJLTV/nKdR+piISWyw9n6jMZ9pwzlwS8cEfGwG7c/GGqQ5newGePS1n0wX1ea131nCESTfWs0SEpVuUUArHYtAEFuvXt+hXePrTGDBwE+Ijo3kb0Rzwlp/30iM/jHRZIon5mt5SHHHcUcV4o5NEQ5SSwBH2I3hAXYGBDp9sYeRJBSHZmZQiGsNWmvAgMBAAECggEAQwCoe692ET5bNNQQCLqnE5nyT11OsxyOA1UoBMBagqlVVOlOpuSD7FMKR9EsfGEpoCNvxmUHoFETPzwP9/aZoy4iU6KyKsq4X5Ax1vLyAzCGSaTO9pwP39Qhyx5unnQKZrY9ofdmVPvQ34gIsyIIq/9MQ+inQGrFY+8+sN6Umws4WRdqpDSDkIR3YI2lSGvzWcB4nPp1EgnZajnwSm1H4cmVtDQjJv1fRcSiXqjJp+uH8w20ootLfn55QCglawu3jX9DA14mLxoAqtsEx3tdBPIM78byucozpUDIWtQF4jFOmUPFngieluiHqjCR3i5YLLRYsW6LmO0ZpGK8KHnmEQKBgQD58I6s172fdLowvqU+5CiRng0vP++22vnjx7nVLzjLYGVPTgEe2hguvR7DhxCFHk9Vsz3DQ7dKn0b2ga2An2FXiD2mayDoeeab2fV1GP7Hu1Rj3JTdesdYLNCRurebyHgvqgwJh+t+ws3WOCoKhkafceT3FDaSUFOusb+A0oEuKQKBgQDkdNOxSFKA/iHFyVcvODHVcayBjdvJHvetRs1U+GeH7V8dgvkY2aAs5Ami4zTT1hEwA2hva3od6ijaVaBaqPhmdCaR/WukTACeKF3oY/xshrR9V/kkSqRXGN1a2y0HHNN/TLeo0nGaXlTk8fEbklARFh7R8SMIEMkkm4n0icikFwKBgQDnfiLne7qpodeBplIu+euJU7YqeTFxT0f77NT12xLja5jp5vmqtZ2ITKndt49ZfEVGvwkJfgKaHwP+9QTaCMSD6jAPn1GPgLhSyYFKv6fbHmp/Q6KtsDZKONfE4geFRhvrKbiUa0t20L8NFl/593wZ2ceUASi6Q6P+Pat9iXsUYQKBgQCZX41XcbRiATrvLBKqEtHx+BTWDUTGq1GgNO5Y40OuT8ARcgKFmmUcfiOyBVNL/GUhlMgiNUeQmcm/esji1JmfPs8+J6KCdLvdckBJagbnXTADDnKm2K2oA3toKcj7A3FB/2E1p8K43iekZIF3/yxdrDoYvAjGu24uc3WUhIP9FQKBgCRBSpD+RvVq8l3PhVn5zxrLUfq/uedTtrqvdmsoLdteLXp4+D9CN6XlvHLwHpkKuWn4bq047ukKQ/xMyNWPWeYb/9UDWpaTU//DYSTOeaOtwX/goswIEUh3ciNvpc/ycaH6W3kl4dRMCcYtJEUmHS1qgsKaafKJ8+5IdCUkGzWW'
set pki certificate client1 certificate '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'
set pki certificate client1 private key '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'
set pki certificate client2 certificate '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'
set pki certificate client2 private key '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'
set pki dh dh parameters 'MIIBCAKCAQEA+1eL8L4DAmniAvmBG1AAgHqCzYjF7zt+ES+L2reSo4RFRcqvZ1zWpHB6wmB5KFZ6na4qhyHbqfNckK2PQnqI4fSvahSzsxY9PaknzPiXM+Oyc8Kqw7VSa6ywraTDOwNMfoF1UxsT8ISo5mmeSmzGXtxHwjlkBOhJU7sdjImbiMJ6nhxTx1+GoAU3V9LxgwFLeEZNRZRfflJU6SWmLSMf6mDaTYVPym5DaMoam+/cGVLquEnXFroc7CeSJQ8QLGcKSUTiw1j7QRFg5a47wVYH43+8uKHHIlWmGfmY76Kj+DYiO3LE52wOeeiWafWRPR5PtqbgBEJIiBmTgfOEAyPIFwIBAg=='
commit

client config:

set interfaces openvpn vtun10 encryption data-ciphers 'aes256'
set interfaces openvpn vtun10 hash 'sha512'
set interfaces openvpn vtun10 mode 'client'
set interfaces openvpn vtun10 remote-host '203.0.113.1'
set interfaces openvpn vtun10 tls ca-certificate 'ca'
set interfaces openvpn vtun10 tls certificate 'client2'
set pki ca ca certificate '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'
set pki certificate client2 certificate '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'
set pki certificate client2 private key 'MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDtVdmkySv9Gd36rSilRHhc10dppra0f5lWq33uAIijCMBhclZj1Gg+SamXcNqB4sQPtGyT3iheOBcWQzTmxSN83K2wPXY6bUmnIpUPwUW0I68Hv3RJXgvopbBIsx9SXOWoJ4edTOvJKMsvrQxBIGnMaXmj3niXnXAbbe2Rab5ACTvcr6BKREPL8SlqVS6mpuKQR1lEJkf7a56oAqIGbnqWv3R/mnMnev2FTv7tb5ljE+C3AviZlsv9T280MYDYJfL73hOJujjqA1Bqb5S9N8Pa8ihxow5U8IraJ83aBPIIvHNJ943zMydBOLG9gqOU2bY5mZfL79TwWwsQDtLvqMbpAgMBAAECggEAY+1NHWIsWL0u5tBIeEk7ak+j/Dpa2+WLoN/EvlRQM2DIa18SO6cfmvY15xL3lU9uoHQlcR7NHVp9cfyrBe0EE5rwsG84W8JPDAV2AHOuTvnlRJxaMFfeKL62We29JtcBRQsbwOG1tvUrk6/HJJaqpQvV0OanHKMHpCzlJWAB4ACTtGJ2GgwcMnzJ3mKjBZOH/k3HzK7AnUeEmJq/pTp1n6kXwD7p2+GzwZkTzSi70r7LDWOR+i9R0ly6rkqTUoyWZCxTptVy47bCpdQv9pyCA2sPPUVGlXxM+WxaF5kvgbTKqesvDOqFdubC43VQcKdwXL/WiVp4OsrGfFlO9/8GZwKBgQD5cmkYxylCk4LeCwtNJzfwFjVQYS+vWjRwnbi4clhhnMBJLe4cGloybPvejnGxWDGE3v9dmeZoFBh1nkILathoZhclgeh9d1GkgioDxnrjbdz7G6UGBtLX6esPra8vZn41Jq4NgvXCGmCZr1QIlGfPZpPpsKm6MlqpbdHpGhsauwKBgQDzkfyLsQvCbdiwz7H/vZjbm/VzGwW5omNPRW89AcwG6Xw/+0w2408Z1w3XuJWzf9OdLeLL8durg29YTMsgc+ea12/X1SA1e74tzloP8o3L7ZSpvXgj5haDjlB7D1OADyBVR1rg+/tyYKoR68BOP7bbXDK5fjIVLrlAoxH4JrkEqwKBgCeYjKw9OQRza+uZLzMRDaUTsWTP+ITKOdbCgobsx7C+9BrpqolVeYnVmOmMDOoMyNeBmmGeQ1+0COnqtCshy7ZOtk/i3ifEX/ZQHyE4SVt+nfxSOBDL1n4liIWVmWBZ0aDYQfqtFhu4mirrFNjDzfKzIrmOrHJ8+b05TH/HABRvAoGBANmbSKyo3V+0cc7tkBJymjlBqdVPhBroOJ9e4lX34Acg3G/xHJNBG69zUZuz/pLilfWsRB5/Ewm1oGmcGjIBOx88cGC8uUzvI+aaoB31Tretp47KhqZT7zNTlxWKiMg1O2bVHB07Itd6AxeFr0Z5Z+2s/mh4lVgVaU6VIf244r2HAoGBAJNwTg2srlQlBr0LiUy0ij8SsdbGSsIwVymMuuFUFt7Z2PE6e6AGG4jOBFJzW6iSbkG2+8GXRrBNMX69nrYfrYNMIjO1P9PGRfgbM8nHUnPW3PlB4KYEzxChkUYu5kbVm3EzBjlM66fNrFP86SzExLj5Pqp2CrfXF2nnAC1KPffV'

set protocols static route 203.0.113.1/32 next-hop 10.0.0.1
commit

create two clients and try to revoke certificates:

set pki certificate client1 revoke
run generate pki crl ca install
commit

In summary:

configured a server and 2 clients, connected both
revoked the first certificate - there was a restart, and both connections dropped out
tried to reconnect, only one connected because the second certificate was revoked
revoked another certificate - without a restart, the connection is still active
tried to reconnect from the client - unsuccessfully, because the certificate had already been revoked
both clients with revoked certificates do not connect

Smoketest result

vyos@vyos:~$ python3 /usr/libexec/vyos/tests/smoke/cli/test_interfaces_openvpn.py 
test_openvpn_client_interfaces (__main__.TestInterfacesOpenVPN.test_openvpn_client_interfaces) ... ok
test_openvpn_client_ip_version (__main__.TestInterfacesOpenVPN.test_openvpn_client_ip_version) ... ok
test_openvpn_client_verify (__main__.TestInterfacesOpenVPN.test_openvpn_client_verify) ... ok
test_openvpn_options (__main__.TestInterfacesOpenVPN.test_openvpn_options) ... ok
test_openvpn_server_ip_version (__main__.TestInterfacesOpenVPN.test_openvpn_server_ip_version) ... ok
test_openvpn_server_server_bridge (__main__.TestInterfacesOpenVPN.test_openvpn_server_server_bridge) ... ok
test_openvpn_server_subnet_topology (__main__.TestInterfacesOpenVPN.test_openvpn_server_subnet_topology) ... ok
test_openvpn_server_verify (__main__.TestInterfacesOpenVPN.test_openvpn_server_verify) ... ok
test_openvpn_site2site_interfaces_tun (__main__.TestInterfacesOpenVPN.test_openvpn_site2site_interfaces_tun) ... ok
test_openvpn_site2site_ip_version (__main__.TestInterfacesOpenVPN.test_openvpn_site2site_ip_version) ... ok
test_openvpn_site2site_verify (__main__.TestInterfacesOpenVPN.test_openvpn_site2site_verify) ... ok

----------------------------------------------------------------------
Ran 11 tests in 136.387s

OK

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly


github-actions bot commented Dec 20, 2024

👍
No issues in PR Title / Commit Title


CI integration ❌ failed!

Details

CI logs

  • CLI Smoketests (no interfaces) ❌ failed
  • CLI Smoketests (interfaces only) ❌ failed
  • Config tests ❌ failed
  • RAID1 tests 👍 passed
  • TPM tests 👍 passed

sever-sever (Member) commented Dec 20, 2024

After applying these changes, clients cannot connect anymore if I revoke only client1.
The clients client2 and client3 also cannot connect:

VyOS config:

set interfaces openvpn vtun10 encryption data-ciphers 'aes256'
set interfaces openvpn vtun10 hash 'sha512'
set interfaces openvpn vtun10 local-host '203.0.113.1'
set interfaces openvpn vtun10 local-port '1194'
set interfaces openvpn vtun10 mode 'server'
set interfaces openvpn vtun10 persistent-tunnel
set interfaces openvpn vtun10 protocol 'udp'
set interfaces openvpn vtun10 server client client1 ip '10.10.0.10'
set interfaces openvpn vtun10 server client client2 ip '10.10.0.11'
set interfaces openvpn vtun10 server domain-name 'vyos.net'
set interfaces openvpn vtun10 server max-connections '250'
set interfaces openvpn vtun10 server name-server '203.0.113.1'
set interfaces openvpn vtun10 server subnet '10.10.0.0/24'
set interfaces openvpn vtun10 server topology 'subnet'
set interfaces openvpn vtun10 tls ca-certificate 'ca'
set interfaces openvpn vtun10 tls certificate 'cert'
set interfaces openvpn vtun10 tls dh-params 'dh'
set interfaces openvpn vtun10 tls tls-version-min '1.0'
set pki ca ca certificate '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'
set pki ca ca private key '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'
set pki certificate cert certificate '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'
set pki certificate cert private key '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'
set pki certificate client1 certificate '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'
set pki certificate client1 private key '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'
set pki certificate client2 certificate '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'
set pki certificate client2 private key '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'
set pki certificate client3 certificate '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'
set pki certificate client3 private key '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'
set pki dh dh parameters 'MIIBCAKCAQEA+1eL8L4DAmniAvmBG1AAgHqCzYjF7zt+ES+L2reSo4RFRcqvZ1zWpHB6wmB5KFZ6na4qhyHbqfNckK2PQnqI4fSvahSzsxY9PaknzPiXM+Oyc8Kqw7VSa6ywraTDOwNMfoF1UxsT8ISo5mmeSmzGXtxHwjlkBOhJU7sdjImbiMJ6nhxTx1+GoAU3V9LxgwFLeEZNRZRfflJU6SWmLSMf6mDaTYVPym5DaMoam+/cGVLquEnXFroc7CeSJQ8QLGcKSUTiw1j7QRFg5a47wVYH43+8uKHHIlWmGfmY76Kj+DYiO3LE52wOeeiWafWRPR5PtqbgBEJIiBmTgfOEAyPIFwIBAg=='

revoke and logs:

vyos@r14# set pki certificate client1 revoke
[edit]
vyos@r14# run generate pki crl ca install
1 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply.
[edit]
vyos@r14# 
[edit]
vyos@r14# commit
[edit]
vyos@r14# 
[edit]
vyos@r14# run show op
openconnect-server  openfabric          openvpn             
[edit]
vyos@r14# run show openvpn server 

OpenVPN status on vtun10

Client CN    Remote Host    Tunnel IP    Local Host    TX bytes    RX bytes    Connected Since
-----------  -------------  -----------  ------------  ----------  ----------  -----------------

[edit]
vyos@r14# 
[edit]
vyos@r14# sudo journalctl -f
Dec 20 13:39:16 r14 commit[9994]: Successful change to active configuration by user vyos on /dev/pts/0

# client 2
Dec 20 13:39:38 r14 openvpn-vtun10[4205]: 192.168.122.15:36589 VERIFY ERROR: depth=0, error=CRL is not yet valid: C=US, ST=Dnipro, L=Dnipro, O=VyOS, CN=client2, serial=527793258691311924830724514689890381731010566722
Dec 20 13:39:38 r14 openvpn-vtun10[4205]: 192.168.122.15:36589 OpenSSL: error:0A000086:SSL routines::certificate verify failed
Dec 20 13:39:38 r14 openvpn-vtun10[4205]: 192.168.122.15:36589 TLS_ERROR: BIO read tls_read_plaintext error
Dec 20 13:39:38 r14 openvpn-vtun10[4205]: 192.168.122.15:36589 TLS Error: TLS object -> incoming plaintext read error
Dec 20 13:39:38 r14 openvpn-vtun10[4205]: 192.168.122.15:36589 TLS Error: TLS handshake failed
Dec 20 13:39:38 r14 openvpn-vtun10[4205]: 192.168.122.15:36589 SIGUSR1[soft,tls-error] received, client-instance restarting

# client 1
Dec 20 13:40:23 r14 openvpn-vtun10[4205]: 192.168.122.199:56766 VERIFY ERROR: depth=0, error=CRL is not yet valid: C=US, ST=California, L=Dnipro, O=VyOS, CN=client1, serial=523455711628104630665330905372920388835582598999
Dec 20 13:40:23 r14 openvpn-vtun10[4205]: 192.168.122.199:56766 OpenSSL: error:0A000086:SSL routines::certificate verify failed
Dec 20 13:40:23 r14 openvpn-vtun10[4205]: 192.168.122.199:56766 TLS_ERROR: BIO read tls_read_plaintext error
Dec 20 13:40:23 r14 openvpn-vtun10[4205]: 192.168.122.199:56766 TLS Error: TLS object -> incoming plaintext read error
Dec 20 13:40:23 r14 openvpn-vtun10[4205]: 192.168.122.199:56766 TLS Error: TLS handshake failed
Dec 20 13:40:23 r14 openvpn-vtun10[4205]: 192.168.122.199:56766 SIGUSR1[soft,tls-error] received, client-instance restarting

# client 3
Dec 20 13:40:38 r14 openvpn-vtun10[4205]: 192.168.122.199:59689 VERIFY ERROR: depth=0, error=CRL is not yet valid: C=US, ST=California, L=Los Angeles, O=VyOS, CN=client3, serial=24214499650793062645573193162069930022193471433
Dec 20 13:40:38 r14 openvpn-vtun10[4205]: 192.168.122.199:59689 OpenSSL: error:0A000086:SSL routines::certificate verify failed
Dec 20 13:40:38 r14 openvpn-vtun10[4205]: 192.168.122.199:59689 TLS_ERROR: BIO read tls_read_plaintext error
Dec 20 13:40:38 r14 openvpn-vtun10[4205]: 192.168.122.199:59689 TLS Error: TLS object -> incoming plaintext read error
Dec 20 13:40:38 r14 openvpn-vtun10[4205]: 192.168.122.199:59689 TLS Error: TLS handshake failed
Dec 20 13:40:38 r14 openvpn-vtun10[4205]: 192.168.122.199:59689 SIGUSR1[soft,tls-error] received, client-instance restarting

# client 2
Dec 20 13:40:39 r14 openvpn-vtun10[4205]: 192.168.122.15:36589 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Dec 20 13:40:39 r14 openvpn-vtun10[4205]: 192.168.122.15:36589 TLS Error: TLS handshake failed
Dec 20 13:40:39 r14 openvpn-vtun10[4205]: 192.168.122.15:36589 SIGUSR1[soft,tls-error] received, client-instance restarting
Dec 20 13:40:39 r14 openvpn-vtun10[4205]: 192.168.122.15:49988 VERIFY ERROR: depth=0, error=CRL is not yet valid: C=US, ST=Dnipro, L=Dnipro, O=VyOS, CN=client2, serial=527793258691311924830724514689890381731010566722
Dec 20 13:40:39 r14 openvpn-vtun10[4205]: 192.168.122.15:49988 OpenSSL: error:0A000086:SSL routines::certificate verify failed
Dec 20 13:40:39 r14 openvpn-vtun10[4205]: 192.168.122.15:49988 TLS_ERROR: BIO read tls_read_plaintext error
Dec 20 13:40:39 r14 openvpn-vtun10[4205]: 192.168.122.15:49988 TLS Error: TLS object -> incoming plaintext read error
Dec 20 13:40:39 r14 openvpn-vtun10[4205]: 192.168.122.15:49988 TLS Error: TLS handshake failed
Dec 20 13:40:39 r14 openvpn-vtun10[4205]: 192.168.122.15:49988 SIGUSR1[soft,tls-error] received, client-instance restarting
^C
[edit]
vyos@r14# run show ope
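
The journal output in the comment above, classified by verify error. This is an added example, not part of the PR or of VyOS: it parses OpenVPN `VERIFY ERROR` lines and reports interfaces where a CRL validity error rejected several distinct clients, as opposed to a per-certificate rejection. The function names and the sample lines (documentation addresses, made-up serials, a second interface `vtun20`) are constructed for illustration.

```python
import re
from collections import defaultdict

# Line format as in the journal output quoted in the comment above.
VERIFY_RE = re.compile(
    r"openvpn-(?P<iface>[\w.-]+)\[\d+\]: (?P<peer>\S+) VERIFY ERROR: "
    r"depth=(?P<depth>\d+), error=(?P<error>[^:]+): (?P<subject>.*?)"
    r"(?:, serial=(?P<serial>\d+))?$"
)
CN_RE = re.compile(r"CN=([^,]+)")

# OpenSSL verify errors about the CRL itself, not about one certificate.
# While one of these is raised, every client checked against the CRL fails.
CRL_WIDE_ERRORS = {"CRL is not yet valid", "CRL has expired"}

# Constructed sample lines, modelled on the log format shown in the thread.
SAMPLE = """\
Dec 20 13:39:38 r14 openvpn-vtun10[4205]: 198.51.100.15:36589 VERIFY ERROR: depth=0, error=CRL is not yet valid: C=US, O=VyOS, CN=client2, serial=1002
Dec 20 13:39:38 r14 openvpn-vtun10[4205]: 198.51.100.15:36589 TLS Error: TLS handshake failed
Dec 20 13:40:23 r14 openvpn-vtun10[4205]: 198.51.100.99:56766 VERIFY ERROR: depth=0, error=CRL is not yet valid: C=US, O=VyOS, CN=client1, serial=1001
Dec 20 13:40:39 r14 openvpn-vtun10[4205]: 198.51.100.15:49988 VERIFY ERROR: depth=0, error=CRL is not yet valid: C=US, O=VyOS, CN=client2, serial=1002
Dec 20 13:41:02 r14 openvpn-vtun20[4310]: 198.51.100.7:40112 VERIFY ERROR: depth=0, error=certificate revoked: C=US, O=VyOS, CN=client9, serial=1009
""".splitlines()


def summarize(lines):
    """Return {(interface, error): sorted client CNs} for all VERIFY ERRORs."""
    seen = defaultdict(set)
    for line in lines:
        m = VERIFY_RE.search(line)
        if not m:
            continue  # handshake follow-up lines carry no subject
        cn = CN_RE.search(m["subject"])
        seen[(m["iface"], m["error"])].add(cn.group(1) if cn else m["subject"])
    return {key: sorted(cns) for key, cns in seen.items()}


def crl_outages(lines, min_clients=2):
    """List (interface, error, CNs) where a CRL-level error hit several clients.

    Repeated failures of one client count once, so a single retrying client
    does not trigger the finding.
    """
    return [
        (iface, error, cns)
        for (iface, error), cns in sorted(summarize(lines).items())
        if error in CRL_WIDE_ERRORS and len(cns) >= min_clients
    ]


if __name__ == "__main__":
    for iface, error, cns in crl_outages(SAMPLE):
        print(f"{iface}: '{error}' rejected {len(cns)} clients: {', '.join(cns)}")
```

A finding from `crl_outages` means the installed CRL is being rejected as a whole, so clients with unrevoked certificates are locked out too; `certificate revoked` entries are the expected result of a working revocation.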
