Subject: [FW-1] Certificate .. cannot be validated.Could not retrieve CRL
From: Peter Sawatzki <peter AT SAWATZKI DOT DE>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Fri, 19 Aug 2005 11:16:52 +0200

Since upgrading from R55W to NGX I get the following message in
SmartTracker:

  "Certificate cpx_westfalia_ca cannot be validated.Could not retrieve CRL."

(same error message with all other certificates)

and clients with SmartCards/certificates are unable to log in. CRLs are
pulled via HTTP from a Windows 2003 AD server that is working fine: I can
pull the CRL (which is empty, by the way) from the HTTP server by hand without
problems, and the VPN debug shows the NGX is able to do so too. I've also
revoked a certificate in Win2003 to fill the CRL with at least one entry,
just to be sure, but the problem remains.

Here is a dump of the VPN debug trace; notice that the CRL is retrieved
successfully, but then the following error is thrown:

cpSRSA_imp::Verify failed
fwCRL_good_for_cert: signature verification failed: -1

A workaround is to disable CRL fetching in the CA object; however, this is not
a solution.

I had the same problem when I applied HFA03 on R55W so I rolled it back.

Peter Sawatzki

-------- VPN DEBUG ON

fwFetchCRL_e_With_Reason: fetching crl for certificate dn:
CN=cpx,O=Westfalia EDV,DC=westfalia,DC=net,C=DE
[vpnd 1121 2002670240]@cpx[18 Aug  9:57:36] X509 Certificate Version 3
Serial Number: 16278611000100000157
Issuer: CN=Westfalia EDV,OU=EDV,O=Westfalia Werkzeug
Company,L=Hagen,ST=NRW,C=DE,Email=Sawatzki AT westfalia DOT de
Subject: CN=cpx,O=Westfalia EDV,DC=westfalia,DC=net,C=DE
Not valid before: Fri Nov 19 21:13:21 2004 Local Time
Not valid after:  Sun Nov 19 21:13:21 2006 Local Time
Extensions:
  Extended Key Usage:
  Key Usage:
    digitalSignature
    keyEncipherment
  Basic Constraint (Critical):
    not CA
  Authority Info Access:
  CRL distribution Points:
    URI: http://192.168.101.5/CertEnroll/WestfaliaEDV.crl
  Authority Key Identifier:
  Subject Key Identifier:
  Subject Alternate names:
    IP: 212.202.250.164

[vpnd 1121 2002670240]@cpx[18 Aug  9:57:36] fwCRLCache_Get: dp
(http://192.168.101.5/CertEnroll/WestfaliaEDV.crl) was not found in memory
cache. Will Try to fetch from the FDB.
[vpnd 1121 2002670240]@cpx[18 Aug  9:57:36] fwCRLCache_Get_from_dp: dp
(http://192.168.101.5/CertEnroll/WestfaliaEDV.crl) was not found in cache
(memory and file).
[vpnd 1121 2002670240]@cpx[18 Aug  9:57:36] fwCRLCache_Get: dp (CN=Westfalia
EDV,OU=EDV,O=Westfalia Werkzeug
Company,L=Hagen,ST=NRW,C=DE,Email=Sawatzki AT westfalia DOT de) was not found in
memory cache. Will Try to fetch from the FDB.
[vpnd 1121 2002670240]@cpx[18 Aug  9:57:36] fwCRLCache_Get_from_dp: dp
(CN=Westfalia EDV,OU=EDV,O=Westfalia Werkzeug
Company,L=Hagen,ST=NRW,C=DE,Email=Sawatzki AT westfalia DOT de) was not found in
cache (memory and file).
[vpnd 1121 2002670240]@cpx[18 Aug  9:57:36] fwFetchCRL_e_With_Reason: CRL
was not found in cache. Will fetch it async.
[vpnd 1121 2002670240]@cpx[18 Aug  9:57:36] fwCRL_HTTP_Fetcher: looking for
URI: http://192.168.101.5/CertEnroll/WestfaliaEDV.crl
[vpnd 1121 2002670240]@cpx[18 Aug  9:57:36] Snatcher constructor
[vpnd 1121 2002670240]@cpx[18 Aug  9:57:36] KeyStore_ValidateCB: defaultCert
is valid
[vpnd 1121 2002670240]@cpx[18 Aug  9:57:36] Snatcher: Host name resolved
synchroniously.

[vpnd 1121 2002670240]@cpx[18 Aug  9:57:36] Snatcher: Resolving host name
completed successfully.

[vpnd 1121 2002670240]@cpx[18 Aug  9:57:36] fwasync_conn_params:
<c0a8650a,33151> -> <c0a86505,80>
[vpnd 1121 2002670240]@cpx[18 Aug  9:57:36] fwasync_connbuf_realloc:
reallocating 0 from 0 to 1203
[vpnd 1121 2002670240]@cpx[18 Aug  9:57:36] Snatcher: HTTP request sent.

[vpnd 1121 2002670240]@cpx[18 Aug  9:57:36] fwasync_connbuf_realloc:
reallocating 0 from 0 to 5120
[vpnd 1121 2002670240]@cpx[18 Aug  9:57:36] Snatcher: Recieved status OK.

[vpnd 1121 2002670240]@cpx[18 Aug  9:57:36] Snatcher: Retrieval ended
successfully.

[vpnd 1121 2002670240]@cpx[18 Aug  9:57:36] Snatcher: Calling Callback
function...

[vpnd 1121 2002670240]@cpx[18 Aug  9:57:36] fwCRL_http_cb: status = 1
[vpnd 1121 2002670240]@cpx[18 Aug  9:57:36] fwCRL::fwCRL no revoked
certificates
[vpnd 1121 2002670240]@cpx[18 Aug  9:57:36]

fwFetchCRL_cb: Entering for dp:
http://192.168.101.5/CertEnroll/WestfaliaEDV.crl
[vpnd 1121 2002670240]@cpx[18 Aug  9:57:36] fwFetchCRL_cb: 1 X509 CRLs
[vpnd 1121 2002670240]@cpx[18 Aug  9:57:36] Issuer: CN=Westfalia
EDV,OU=EDV,O=Westfalia Werkzeug
Company,L=Hagen,ST=NRW,C=DE,Email=Sawatzki AT westfalia DOT de
This update: Fri Aug 12 23:08:37 2005 Local Time
Next update: Sat Aug 20 11:28:37 2005 Local Time

[vpnd 1121 2002670240]@cpx[18 Aug  9:57:36] cpSRSA_imp::Verify failed
[vpnd 1121 2002670240]@cpx[18 Aug  9:57:36] fwCRL_good_for_cert: signature
verification failed: -1
[vpnd 1121 2002670240]@cpx[18 Aug  9:57:36] fwFetchCRL_cb: No crl matched
[vpnd 1121 2002670240]@cpx[18 Aug  9:57:36] fwCRL_Hook_cb: Fetch Failed
(error -986), and this was the last fetch. This fetch will be processed.
[vpnd 1121 2002670240]@cpx[18 Aug  9:57:36] KeyStore_ValidateCB: Certificate
cpx_westfalia_ca cannot be validated.Could not retrieve CRL.
DN:CN=cpx,O=Westfalia EDV,DC=westfalia,DC=net,C=DE   If this log persists,
contact the CA administrator.
[vpnd 1121 2002670240]@cpx[18 Aug  9:57:36] CFwdCommStreamLocal::Write
called
[vpnd 1121 2002670240]@cpx[18 Aug  9:57:36] CFwdCommStreamLocal::Write sent
244 bytes
[vpnd 1121 2002670240]@cpx[18 Aug  9:57:36]

CRLCache statistics:
------------------
[vpnd 1121 2002670240]@cpx[18 Aug  9:57:36] crlcache searches: 41
[vpnd 1121 2002670240]@cpx[18 Aug  9:57:36] crlcache misses: 29
[vpnd 1121 2002670240]@cpx[18 Aug  9:57:36] crlcache async_searches: 29
[vpnd 1121 2002670240]@cpx[18 Aug  9:57:36] crlcache successful_async_fetch:
0
[vpnd 1121 2002670240]@cpx[18 Aug  9:57:36] preFetch async_searches: 0
[vpnd 1121 2002670240]@cpx[18 Aug  9:57:36] preFetch successful_async_fetch:
0
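The trace above shows the two stages the gateway goes through: the CRL is fetched and parsed (issuer, this update, next update are printed), and only then does fwCRL_good_for_cert check the CRL signature against the CA certificate it holds, which is where the -1 comes from. The script below is an added example, not code from the post or from Check Point, that reproduces both stages with the openssl command-line tool so the same check can be run by hand against a fetched CRL. It builds everything locally: a constructed "Demo CA", an empty DER CRL like the one served from CertEnroll/, and a second CA that has the same DN but a different key. That second case is only an illustration of one way to get "retrieval OK, signature verification failed" (the CA object holding a certificate that no longer matches the key signing the CRL); it is not a claim about what went wrong on this particular CA. The directory and file names are this example's own.

```shell
#!/bin/sh
# Added example (not from the post or from Check Point): reproduce with OpenSSL
# the checks behind "fwCRL_good_for_cert: signature verification failed".
# All material is constructed here: a "Demo CA", its key, and a CRL it signs.
# Requires the openssl command-line tool; nothing is fetched from the network.
set -eu

WORK="${WORK:-$(mktemp -d)}"
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME CN: self-signed CA certificate and key in $WORK/NAME.crt / .key
make_ca() {
  printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > "$WORK/req.cnf"
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# issue_crl NAME: publish an empty CRL (no revoked certificates) signed by CA
# NAME, in DER form as a Windows CA writes it to CertEnroll/
issue_crl() {
  : > "$WORK/$1.index"
  echo 01 > "$WORK/$1.crlnumber"
  cat > "$WORK/$1.ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
database         = $WORK/$1.index
crlnumber        = $WORK/$1.crlnumber
certificate      = $WORK/$1.crt
private_key      = $WORK/$1.key
default_md       = sha256
default_crl_days = 7
EOF
  openssl ca -config "$WORK/$1.ca.cnf" -gencrl -out "$WORK/$1.crl.pem" >/dev/null 2>&1
  openssl crl -in "$WORK/$1.crl.pem" -outform DER -out "$WORK/$1.crl"
}

# crl_summary DER-CRL: the fields the gateway logs after the fetch (issuer,
# this/next update) plus the signature algorithm, which it does not print
crl_summary() {
  openssl crl -inform DER -in "$1" -noout -issuer -lastupdate -nextupdate
  openssl crl -inform DER -in "$1" -noout -text | grep -m1 'Signature Algorithm'
}

# crl_sig_alg DER-CRL: just the signature algorithm name, for comparison
# with what the verifying side supports
crl_sig_alg() {
  openssl crl -inform DER -in "$1" -noout -text \
    | awk '/Signature Algorithm/ { print $3; exit }'
}

# verify_crl DER-CRL CA-CERT: the step that fails in the debug trace.
# openssl looks the issuer up by DN in CA-CERT and checks the CRL signature
# with that key; it reports "verify OK" only when the keys match.
verify_crl() {
  openssl crl -inform DER -in "$1" -CAfile "$2" -noout 2>&1 | grep -q 'verify OK'
}

demo() {
  make_ca good "Demo CA"
  make_ca renewed "Demo CA"   # same DN as "good", but a different key pair
  issue_crl good
  crl_summary "$WORK/good.crl"
  if verify_crl "$WORK/good.crl" "$WORK/good.crt"; then
    echo "CRL verifies against the certificate of the key that signed it"
  fi
  if ! verify_crl "$WORK/good.crl" "$WORK/renewed.crt"; then
    echo "same issuer DN, other key: signature verification failed (the trace's symptom)"
  fi
}

demo
```

Run it as-is to see both outcomes. To apply the same check to a real CRL, download the file named in the certificate's CRL distribution point, then run verify_crl on it with the CA certificate that is actually configured in the CA object; a DN that matches while the signature fails points at the certificate in that object rather than at the fetch.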
