Friday, October 19, 2018

Mikrotik SSTP Client - handshake failed: unable to get certificate CRL - MikroTik






Set up the server with the just-received Thawte public SSL123 certificate; uploaded and imported the files:

- Thawte Primary Root CA.pem
- Thawte EV SSL CA - G2.crt
- vpn.mydomain.com.crt
- vpn.mydomain.com.key
(certificates imported OK, with no error in the log)


/interface sstp-server server
set authentication=mschap2 certificate="vpn.mydomain.com" \
    default-profile=SERVER_SSTP enabled=yes
Then set up the client; uploaded and imported the files:
- Thawte Primary Root CA.pem
- Thawte EV SSL CA - G2.crt
(certificates imported OK, with no error in the log)

/interface sstp-client
add authentication=mschap2 connect-to=vpn.mydomain.com disabled=no name=\
    "vpn.mydomain.com" password=2QMoDR6d2m profile=\
    SSTP_CLIENT user=User verify-server-certificate=yes


Windows 7 clients connect with no problems and with no need to import any CA into the certificate store.

The MikroTik client cannot establish the connection and I get the error in the log: handshake failed: unable to get certificate CRL, until I upload and import the additional file vpn.mydomain.com.crt.

I think this behavior is odd, isn't it? Literally the day before, the connection worked with self-signed certificates. I used only CA.crt on the client side.

Please help, I want to make the connection work as expected (without vpn.mydomain.com.crt on the client side).



Quick reply from support:

The problem is that the server certificate has its own CRL defined, which is not defined
in the CAs. That is why it started to work after the server cert import.

We will add, in one of the next versions, the possibility to add a CRL URL manually,
specifically for such cases.
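The support answer can be reproduced outside RouterOS. The following script is an added example and is not from the forum post or from MikroTik: it builds a throw-away CA and a server certificate for vpn.mydomain.com that carries a CRL distribution point (the placeholder URL http://crl.example.invalid/ca.crl is an assumption and is never fetched), then shows that plain chain validation passes while validation with revocation checking and no CRL at hand fails with exactly the text seen in the RouterOS log, and passes again once the CA's CRL is supplied out of band (which is what a manual CRL URL would let the router do). It needs only a POSIX shell and the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the original post or from MikroTik.
# All material is constructed locally in a temporary directory.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_test_pki() {
    # Throw-away CA standing in for the Thawte chain in the post.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/CN=Example Test CA" >/dev/null 2>&1
    # Server key and CSR for the host name used in the post.
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" \
        -subj "/CN=vpn.mydomain.com" >/dev/null 2>&1
    # The detail that matters: the leaf carries a CRL distribution point
    # (assumed placeholder URL, never contacted).
    cat >"$WORK/srv.ext" <<EOF
subjectAltName=DNS:vpn.mydomain.com
extendedKeyUsage=serverAuth
crlDistributionPoints=URI:http://crl.example.invalid/ca.crl
EOF
    openssl x509 -req -days 30 -in "$WORK/srv.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/srv.ext" -out "$WORK/srv.crt" >/dev/null 2>&1
}

# Print the CRL distribution point URIs embedded in a certificate,
# i.e. what to look for in a cert that triggers this failure.
crl_urls() {
    openssl x509 -in "$1" -noout -text |
        grep -A 5 'CRL Distribution Points' |
        grep -o 'URI:[^[:space:]]*' | sed 's/^URI://'
}

# Chain validation without revocation checking: exit 0 on success.
verify_plain() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/srv.crt" >/dev/null 2>&1
}

# Same chain with revocation checking but no CRL available; prints the
# openssl error text, which is the string that appears in the RouterOS log.
verify_crl_check_error() {
    openssl verify -crl_check -CAfile "$WORK/ca.crt" "$WORK/srv.crt" 2>&1 |
        grep -o 'unable to get certificate CRL' | head -n 1
}

# Issue an (empty) CRL from the test CA with a minimal openssl ca config.
make_crl() {
    cat >"$WORK/ca.cnf" <<EOF
[ca]
default_ca = testca
[testca]
database = $WORK/index.txt
crlnumber = $WORK/crlnumber
default_md = sha256
default_crl_days = 30
EOF
    : >"$WORK/index.txt"
    echo 01 >"$WORK/crlnumber"
    openssl ca -config "$WORK/ca.cnf" -gencrl -keyfile "$WORK/ca.key" \
        -cert "$WORK/ca.crt" -out "$WORK/ca.crl" >/dev/null 2>&1
}

# Revocation checking with the CA's CRL supplied out of band: exit 0.
verify_with_crl() {
    openssl verify -crl_check -CAfile "$WORK/ca.crt" \
        -CRLfile "$WORK/ca.crl" "$WORK/srv.crt" >/dev/null 2>&1
}

make_test_pki
echo "CRL distribution point in server cert: $(crl_urls "$WORK/srv.crt")"
verify_plain && echo "chain verification without CRL check: OK"
echo "with -crl_check and no CRL: $(verify_crl_check_error)"
make_crl && verify_with_crl && echo "with -crl_check and the CA's CRL: OK"
```

The plain verification is the check a client that does not fetch CRLs effectively performs; the `-crl_check` run without a CRL is the situation the MikroTik client was in, and supplying the CRL file is the out-of-band step that the promised manual CRL URL setting would automate.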
