CRL for PKI is not published

Denis Ponev · ‎06-30-2014

I've got simple lab for testing PKI:

198.0.0.1 - server

ip http server
ip http port 8080
ntp master 1

crypto key generate rsa general-keys label MAIN-CA modulus 1024 exportable

crypto pki server MAIN-CA
 database url nvram:
 issuer-name CN=MAIN-CA.lab.local L=BLG C=RU
 lifetime ca-certificate 365
 lifetime certificate 365
 lifetime crl 24
 cdp-url http://198.0.0.1:8080/main-ca.cdp.main-ca.crl
 no shutdown

198.0.0.2 and 3 - clients (I want encrypted tunnel between them)

ntp server 198.0.0.1

crypto key generate rsa general-keys label CLIENT-CA modulus 1024

crypto ca trustpoint CLIENT-CA
 enrollment url http://198.0.0.1:8080
 revocation-check none
 rsakeypair CLIENT-CA
crypto ca authenticate CLIENT-CA
crypto ca enroll CLIENT-CA

crypto isakmp policy 1
 encr aes
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
crypto ipsec profile CRYPTO-PROFILE
set transform-set AES256-SHA

interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 198.0.0.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CRYPTO-PROFILE

Then I do

crypto pki server MAIN-CA grant 1
crypto pki server MAIN-CA grant 2

And everything if fine when clients are like this:

crypto ca trustpoint CLIENT-CA
 revocation-check none

But when I do

 revocation-check crl

I got messages (debug crypto pki transactions):

Jul  1 14:33:40.280: CRYPTO_PKI: Trust-Point CLIENT-CA picked up
Jul  1 14:33:40.280: CRYPTO_PKI: locked trustpoint CLIENT-CA, refcount is 1
Jul  1 14:33:40.280: CRYPTO_PKI: unlocked trustpoint CLIENT-CA, refcount is 0
Jul  1 14:33:40.280: CRYPTO_PKI: locked trustpoint CLIENT-CA, refcount is 1
Jul  1 14:33:40.468: CRYPTO_PKI: Found a issuer match
Jul  1 14:33:40.480: CRYPTO_PKI: Retreive CRL using HTTP URI
Jul  1 14:33:40.480: CRYPTO_PKI: status = 0: poll CRL
Jul  1 14:33:40.484: CRYPTO_PKI: locked trustpoint CLIENT-CA, refcount is 1
Jul  1 14:33:40.484: CRYPTO_PKI: can not resolve server name/IP address
Jul  1 14:33:40.484: CRYPTO_PKI: Using unresolved IP Address 198.0.0.1
Jul  1 14:33:40.512: CRYPTO_PKI: http connection opened
Jul  1 14:33:40.516: CRYPTO_PKI: unlocked trustpoint CLIENT-CA, refcount is 0
Jul  1 14:33:40.516: CRYPTO_PKI: locked trustpoint CLIENT-CA, refcount is 1
Jul  1 14:33:40.584: CRYPTO_PKI: unlocked trustpoint CLIENT-CA, refcount is 0
Jul  1 14:33:40.584: CRYPTO_PKI: HTTP response header:
 HTTP/1.1 404 Not Found
Date: Tue, 01 Jul 2014 14:33:40 GMT
Server: cisco-IOS
Accept-Ranges: none

Jul  1 14:33:40.588: E ../cert-c/source/crlobj.c(384) : Error #705h
Jul  1 14:33:40.592: CRYPTO_PKI: status = 1797: failed to set crl ber
Jul  1 14:33:40.592: CRYPTO_PKI: transaction Unknown completed
Jul  1 14:33:40.592: CRYPTO_PKI: Poll CRL callback
Jul  1 14:33:40.592: CRYPTO_PKI:  Blocking chain verification callback received status: 105
Jul  1 14:33:40.596: CRYPTO_PKI: Certificate not validated
Jul  1 14:33:40.600: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 198.0.0.2       is bad: certificate invalid

So... what's wrong?

Marius Gunnerud · ‎07-01-2014

Strange...are you running this in a lab with physical equipment or is this in a GNS3 virtual lab? If it is a virtual lab then I suggest copying out your config and then rebuild your setup and see if that helps.

Other than that, your config looks fine.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Denis Ponev · ‎07-03-2014

Didn't help. It was GNS, then I copied it on physical devices and nothing changed. I'm still getting 404. Also I checked

show crypto pki crls

and I'm getting blank, and:

R2(config)#crypto pki crl request CLIENT-CA
Jul  3 17:09:50.059: %PKI-4-CRLHTTPFETCHFAIL: CRL Request for trustpoint "CLIENT-CA" returned 404 Not Found

It seems I'm doing something wrong...

Marius Gunnerud · ‎07-03-2014

do you get any output from the following command on the CA server?

crypto pki server ese-ios-ca info crl

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Denis Ponev · ‎07-03-2014

#crypto pki server MAIN-CA info crl
Certificate Revocation List:
    Issuer: cn=MAIN-CA.lab.local L\=BLG C\=RU
    This Update: 06:17:02 UTC Jul 4 2014
    Next Update: 07:17:02 UTC Jul 4 2014
    Number of CRL entries: 0
    CRL size: 238 bytes

And when I revoked one of the granted certificates, I got:

#crypto pki server MAIN-CA info crl
Certificate Revocation List:
    Issuer: cn=MAIN-CA.lab.local L\=BLG C\=RU
    This Update: 06:23:41 UTC Jul 4 2014
    Next Update: 07:23:41 UTC Jul 4 2014
    Number of CRL entries: 1
    CRL size: 261 bytes
Revoked Certificates:
    Serial Number: 0x01
    Revocation Date: 06:23:41 UTC Jul 4 2014

So revokation list is fine. But noone can get it.

Marius Gunnerud · ‎07-05-2014

hmm...odd.

I would need to lab your setup to see what results I get. Will try to do that tonight.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Denis Ponev · ‎07-06-2014

Ok, found it. Kind of typo. Don't remember where I get it but this part of client's config wrong:

crypto ca trustpoint CLIENT-CA
 enrollment url http://198.0.0.1:8080
 revocation-check none
 rsakeypair CLIENT-CA
crypto ca authenticate CLIENT-CA
crypto ca enroll CLIENT-CA

it should be like this:

crypto pki trustpoint CLIENT-CA
 enrollment url http://198.0.0.1:8080
 revocation-check none
 rsakeypair CLIENT-CA
crypto pki authenticate CLIENT-CA
crypto pki enroll CLIENT-CA

Anyway, thanks for helping.

Marius Gunnerud · ‎07-08-2014

Nice! glad you got it sorted

--
Please remember to select a correct answer and rate helpful posts

Denis Ponev · ‎07-08-2014

Nope. That wasn't the cause.

Now it works in both variants - with "crypto pki" and "crypto ca". Don't know why. It... just started to work. I did the same steps and get HTTP 200 OK.

So... I'll post if I find out something new.

Denis Ponev · ‎07-11-2014

I've finally got the exact steps for my error to appear. All configs are the same. So I'm creating pki server and trustpoint on client. Then I authenticate and enroll. At this moment I can see client's request on server:

#crypto pki server MAIN-CA info requests

Enrollment Request Database:
Subordinate CA certificate requests:
ReqID  State      Fingerprint                      SubjectName
--------------------------------------------------------------
RA certificate requests:
ReqID  State      Fingerprint                      SubjectName
--------------------------------------------------------------
Router certificates requests:
ReqID  State      Fingerprint                      SubjectName
--------------------------------------------------------------
1      pending    4B8AF9BDD3E6D3ED59AED4CF0C8100CB hostname=client.lab.local

And also at this moment I can successfully request CRL on client:

#crypto pki crl request CLIENT-CA

Then I do

#crypto pki server MAIN-CA grant 1

I still can request CRL. But when I get this debug on client (debug crypto pki transactions), I'm start getting 404 errors:

Jul 11 18:54:00.933: CRYPTO_PKI: resend GetCertInitial, 2
Jul 11 18:54:00.933: CRYPTO_PKI: All sockets are closed for trustpoint CLIENT-CA.
Jul 11 18:54:00.933: CRYPTO_PKI: resend GetCertInitial for session: 0
Jul 11 18:54:00.937: CRYPTO_PKI: locked trustpoint CLIENT-CA, refcount is 1
Jul 11 18:54:00.937: CRYPTO_PKI: can not resolve server name/IP address
Jul 11 18:54:00.937: CRYPTO_PKI: Using unresolved IP Address 198.0.0.1
Jul 11 18:54:00.997: CRYPTO_PKI: http connection opened
Jul 11 18:54:02.001: CRYPTO_PKI: unlocked trustpoint CLIENT-CA, refcount is 0
Jul 11 18:54:02.081: CRYPTO_PKI: locked trustpoint CLIENT-CA, refcount is 1
Jul 11 18:54:02.273: CRYPTO_PKI: unlocked trustpoint CLIENT-CA, refcount is 0
Jul 11 18:54:02.273: CRYPTO_PKI:  received msg of 1680 bytes
Jul 11 18:54:02.277: CRYPTO_PKI: HTTP response header:
 HTTP/1.1 200 OK
Date: Fri, 11 Jul 2014 18:54:02 GMT
Server: cisco-IOS
Content-Type: application/x-pki-message
Expires: Fri, 11 Jul 2014 18:54:02 GMT
Last-Modified: Fri, 11 Jul 2014 18:54:02 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Accept-Ranges: none

Jul 11 18:54:02.337: The PKCS #7 message has 1 verified signers.
Jul 11 18:54:02.337: signing cert: issuer=cn=MAIN-CA.lab.local L\=BLG C\=RU1
Jul 11 18:54:02.337: Signed Attributes:

Jul 11 18:54:02.337: CRYPTO_PKI: status = 100: certificate is granted
Jul 11 18:54:02.389: The PKCS #7 message contains 1 certs and 0 crls.
Jul 11 18:54:02.401: CRYPTO-PKI: Cert has the following key-usage flags: Digital-Signature, Key-Encipherment
Jul 11 18:54:02.401: Newly-issued Router Cert: issuer=cn=MAIN-CA.lab.local L\=BLG C\=RU serial=2
Jul 11 18:54:02.401: start  date: 18:53:42 UTC Jul 11 2014
Jul 11 18:54:02.401: end    date: 18:50:24 UTC Jul 11 2015
Jul 11 18:54:02.401: Router date: 18:54:02 UTC Jul 11 2014
Jul 11 18:54:02.401: Received router cert from CA
Jul 11 18:54:02.401: CRYPTO-PKI: Cert has the following key-usage flags: Digital-Signature, Key-Encipherment
Jul 11 18:54:02.409: CRYPTO-PKI: Cert has the following key-usage flags: Digital-Signature, Key-Encipherment
Jul 11 18:54:02.409: CRYPTO_PKI: All enrollment requests completed for trustpoint CLIENT-CA.
Jul 11 18:54:02.409: %PKI-6-CERTRET: Certificate received from Certificate Authority
Jul 11 18:54:02.409: CRYPTO_PKI: All enrollment requests completed for trustpoint CLIENT-CA.
Jul 11 18:54:02.409: CRYPTO_PKI: All enrollment requests completed for trustpoint CLIENT-CA.
Jul 11 18:54:02.409: CRYPTO_PKI: All enrollment requests completed for trustpoint CLIENT-CA.

So as soon as the enrollment is complete and certificate if recieved I can no longer request CRL.

And I'm still need help with this.