I'm facing a similar issue with 2.4.2, not exactly the same but I'm not sure it merits a new thread.
I have my own PKI setup with a root CA + intermediate CA; servers and clients are signed by the intermediate, and a CRL is also set up. I have configured the OpenVPN server certificate depth to 2 accordingly.
I'm running Netgate's pfSense in AWS, and after upgrading from 2.3.5 to 2.4.2, my previously fully functional OpenVPN clients cannot connect anymore, the clients are left hanging while trying to connect and I get the following errors in the server logs:
OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
VERIFY SCRIPT ERROR: depth=2, C=<hidden>, ST=<hidden>, L=<hidden>, O=<hidden>, OU=<hidden>, CN=<hidden (root CA)>
WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
VERIFY WARNING: depth=2, unable to get certificate CRL: C=<hidden>, ST=<hidden>, L=<hidden>, O=<hidden>, OU=<hidden>, CN=<hidden (root CA)>
VERIFY WARNING: depth=1, unable to get certificate CRL: C=<hidden>, ST=<hidden>, L=<hidden>, O=<hidden>, OU=<hidden>, CN=<hidden>
The CRL warnings trouble me already, since that didn't happen in 2.3.x and I had tested the CRL revocation functionality. But the main issue seems to be the tls-verify script error: somehow it is not able to verify the root CA.
I have tried all permutations I could think of (adding the full chain root CA / intermediate CA in the .crt files, singling them out, etc.), but nothing works. The only thing I can do at this moment is to deactivate the depth check; then my clients connect again. I have also seen in other threads that it might be related to spaces in the X509 data, but I found nothing conclusive.
Any help will be appreciated.
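Added example (editor's, not from the post, pfSense or OpenVPN): a throwaway root -> intermediate -> client PKI built with the `openssl` CLI, then verified with CRL checking required for every certificate in the chain (`openssl verify -crl_check_all`), which is what OpenVPN 2.4 asks OpenSSL to do once the CRL is loaded into the certificate store. It shows which CRL file contents produce "unable to get certificate CRL" and at which depth: with a two-tier chain, a CRL file holding only the intermediate's CRL fails at depth 1 (the intermediate, whose CRL must come from the root), only the root's CRL fails at depth 0 (the client), and only the concatenation of both CRLs verifies. Depth numbering (client 0, intermediate 1, root 2) is the same as in the VERIFY messages above. Assumptions: OpenSSL 1.1.1 or newer and a POSIX shell; all file and CA names are invented for the example; `openssl verify` stops at the first missing CRL, so it reports one depth where a server log may show several.

```shell
#!/bin/sh
# Added example: build a disposable two-tier PKI and test CRL coverage of the chain.
# Assumes only the openssl CLI (1.1.1+). All names/paths below are invented.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Issue a certificate: $1 = name, $2 = issuer name or "self", $3 = extension file.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  if [ "$2" = self ]; then
    openssl x509 -req -days 30 -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
      -extfile "$3" -out "$WORK/$1.crt" 2>/dev/null
  else
    openssl x509 -req -days 30 -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
      -CAcreateserial -extfile "$3" -out "$WORK/$1.crt" 2>/dev/null
  fi
}

# Write a minimal 'openssl ca' config for CA $1 and emit its (empty) CRL as $WORK/$1.crl.
gen_crl() {
  mkdir -p "$WORK/$1.db"
  : > "$WORK/$1.db/index.txt"
  echo 01 > "$WORK/$1.db/crlnumber"
  cat > "$WORK/$1.ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database         = $WORK/$1.db/index.txt
crlnumber        = $WORK/$1.db/crlnumber
certificate      = $WORK/$1.crt
private_key      = $WORK/$1.key
default_md       = sha256
default_crl_days = 30
EOF
  openssl ca -gencrl -config "$WORK/$1.ca.cnf" -out "$WORK/$1.crl" 2>/dev/null
}

# Root CA, intermediate CA signed by it, client cert signed by the intermediate,
# plus three candidate CRL files a server might be handed.
build_pki() {
  if [ -f "$WORK/client.crt" ]; then return 0; fi   # idempotent
  printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature\nextendedKeyUsage = clientAuth\n' \
    > "$WORK/leaf.ext"
  issue_cert root self "$WORK/ca.ext"
  issue_cert intermediate root "$WORK/ca.ext"
  issue_cert client intermediate "$WORK/leaf.ext"
  gen_crl root
  gen_crl intermediate
  cp "$WORK/root.crl" "$WORK/crl-root-only.pem"
  cp "$WORK/intermediate.crl" "$WORK/crl-intermediate-only.pem"
  cat "$WORK/root.crl" "$WORK/intermediate.crl" > "$WORK/crl-both.pem"
}

# Verify the client cert, requiring a CRL for every chain element
# (depth 0 = client, 1 = intermediate, 2 = root, as in OpenVPN's VERIFY lines).
# $1 = CRL file. Prints "OK" or "no CRL at depth N"; always returns 0.
crl_status() {
  if out=$(openssl verify -crl_check_all -CAfile "$WORK/root.crt" \
             -untrusted "$WORK/intermediate.crt" -CRLfile "$1" "$WORK/client.crt" 2>&1); then
    echo OK
  else
    depth=$(printf '%s\n' "$out" | sed -n \
      's/.*error [0-9]* at \([0-9]*\) depth lookup: *unable to get certificate CRL.*/\1/p')
    echo "no CRL at depth ${depth:-?}"
  fi
}

main() {
  build_pki
  for f in crl-root-only.pem crl-intermediate-only.pem crl-both.pem; do
    printf '%-26s %s\n' "$f:" "$(crl_status "$WORK/$f")"
  done
}
main
```

The practical check this suggests for a real server: run `openssl crl -in <crl file> -noout -issuer` on the CRL file the server uses and confirm it lists an issuer for every CA in the chain, not just the one that signs client certificates.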