    [SOLVED] Error Parsing CA Cert: X509-CRT/CRL/CSR Has Unsupported Version Number

OpenVPN
    20 Posts 3 Posters 6.1k Views
jimp (Rebel Alliance Developer, Netgate):

      I haven't seen that error with the Android OpenVPN client I use ( https://play.google.com/store/apps/details?id=de.blinkt.openvpn ), though mine has been working with that for years.

      Note in your error that it is not complaining about the client or server certificate, but the CA certificate. Perhaps there is something amiss there. Maybe the CA certificate you selected in the server is not valid in some way.

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

johnpoz (LAYER 8 Global Moderator):

I use my iPhone and iPad both with the VPN client and have never seen such an issue.

Maybe you're just trying to use the wrong export. For iPhone/iPad use the OpenVPN Connect (iOS/Android) one.

I email the ovpn file and import it right on my phone or iPad.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

alteredstate:

          @jimp:

          I haven't seen that error with the Android OpenVPN client I use ( https://play.google.com/store/apps/details?id=de.blinkt.openvpn ), though mine has been working with that for years.

          Note in your error that it is not complaining about the client or server certificate, but the CA certificate. Perhaps there is something amiss there. Maybe the CA certificate you selected in the server is not valid in some way.

          Is it because ca.crt is Version 4 and cert.crt is Version 3 (pulled from the Viscosity.visc file):

openssl x509 -text -noout -in ca.crt
Certificate:
    Data:
        Version: 4 (0x3)
        Serial Number: 2503200 (0x263220)


          Or are you referring to a different CA?

find / -name "*.ca"
/var/etc/openvpn/server2.ca
/var/etc/openvpn/client1.ca


          The /var/etc/openvpn/client1.ca is my ExpressVPN setup and not relevant to this issue.

openssl x509 -text -noout -in /var/etc/openvpn/server2.ca
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)


This is where I get confused. For example, I have a ca.crt and a server2.ca; I don't understand how these two files interact (and why I need two of them) and why they appear to be similar files but the extensions are different…but that's just my ignorance.

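The version field alteredstate is asking about is the decisive clue, so here is a small Python check, added as an illustration and not part of the thread or of pfSense, that reads the DER version integer of every certificate in a .ovpn file or exported bundle and flags values outside the defined range. RFC 5280 defines the version INTEGER as 0, 1 or 2 (printed as 1, 2 or 3), so the thread's "Version: 4 (0x3)" is an encoded 3 that a client is free to reject. The sample certificate bytes are constructed stand-ins carrying only the leading DER fields, not real certificates.

```python
import base64
import re

# Matches every PEM certificate block in a .ovpn file or exported bundle.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def x509_version(der):
    """Return the X.509 version of a DER certificate (1, 2 or 3 when valid). The stored
    INTEGER is one less than the printed version, so an encoded 3 is what openssl prints
    as 'Version: 4 (0x3)' and what a strict client rejects as an unsupported version."""
    tag, pos, _ = _read_tlv(der, 0)           # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _read_tlv(der, pos)         # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    tag, vstart, _ = _read_tlv(der, pos)      # first field of tbsCertificate
    if tag != 0xA0:                           # no [0] tag: version absent, DEFAULT v1
        return 1
    itag, istart, iend = _read_tlv(der, vstart)
    if itag != 0x02:
        raise ValueError("version is not an INTEGER")
    return int.from_bytes(der[istart:iend], "big") + 1

def check_bundle(pem_text):
    """Return (index, version, supported) for each CERTIFICATE block in the text."""
    report = []
    for i, b64 in enumerate(PEM_RE.findall(pem_text)):
        version = x509_version(base64.b64decode("".join(b64.split())))
        report.append((i, version, 1 <= version <= 3))
    return report

def build_sample(encoded_version):
    """Constructed stand-in certificate: only the leading DER fields are present."""
    body = bytes([0x02, 0x03, 0x26, 0x32, 0x20])        # serialNumber 0x263220, as in the thread
    if encoded_version is not None:                     # None omits the version field (v1)
        ver = bytes([0x02, 0x01, encoded_version])      # INTEGER version
        body = bytes([0xA0, len(ver)]) + ver + body     # [0] EXPLICIT wrapper
    tbs = bytes([0x30, len(body)]) + body
    cert = bytes([0x30, len(tbs)]) + tbs
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode()
            + "-----END CERTIFICATE-----\n")
```

Running check_bundle over the text of a real .ovpn or ca.crt reports the same version openssl prints, and a False in the third column is the certificate a client will refuse before any key material is even considered.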
jimp (Rebel Alliance Developer, Netgate):

            Where did you get that CA? Is it actually your own internal CA that you used to generate the server and client certificates?

            A CA created on pfSense still shows version 3. Looks like maybe you're using a public CA on there which is a bad idea for OpenVPN.

alteredstate:

              @jimp:

              Where did you get that CA? Is it actually your own internal CA that you used to generate the server and client certificates?

              A CA created on pfSense still shows version 3. Looks like maybe you're using a public CA on there which is a bad idea for OpenVPN.

The ca.crt was in the Viscosity.visc bundle that I downloaded from the pfSense --> VPN --> OpenVPN --> Client Export utility. The server2.ca is located on my pfSense box in: /var/etc/openvpn/

jimp (Rebel Alliance Developer, Netgate):

But what is that CA? Is it actually the correct CA for your server cert? What is selected on the server? How was everything created?

alteredstate:

                  @jimp:

But what is that CA? Is it actually the correct CA for your server cert? What is selected on the server? How was everything created?

I created everything in the pfSense --> Certificate Manager

                  Here is pfSense --> VPN --> OpenVPN --> Servers:

                  Refer to: Servers.png

                  pfSense --> VPN --> OpenVPN --> Client Export

                  Refer to: Client Export.png

                  pfSense --> System --> Certificate Manager --> CAs

                  Refer to: CA's.png

                  pfSense --> System --> Certificate Manager --> Certificates

                  Refer to: Certificates.png

Does that help any? I was trying to screen shot what I thought was relevant, I did this a long time ago and have not had any problems or interaction with this setup until now so I'm having trouble remembering.

alteredstate:

                    @johnpoz:

I use my iPhone and iPad both with the VPN client and have never seen such an issue.

Maybe you're just trying to use the wrong export. For iPhone/iPad use the OpenVPN Connect (iOS/Android) one.

I email the ovpn file and import it right on my phone or iPad.

Thanks for the reply, I was in the same boat…never had an issue until now. I also emailed the ovpn file to my device(s) and it would work great! I'm running pfSense as a VM on Proxmox so I'm about ready to create a clone and start hacking it up in order to figure out what's going on. I may just do a reinstall if I cannot figure it out because something has gone wrong.

jimp (Rebel Alliance Developer, Netgate):

                      OK, so the first CA you showed the version for is probably your client/VPN provider (expressvpn) and not the one used by your remote access VPN.

                      From the looks of everything you have there it should be OK. I'd still blame the client in this case. Make sure the OS and apps are up-to-date. There was a similar bug not too long ago that turned out to be a client issue, but IIRC an app update fixed it soon after.

alteredstate:

                        @jimp:

                        OK, so the first CA you showed the version for is probably your client/VPN provider (expressvpn) and not the one used by your remote access VPN.

                        From the looks of everything you have there it should be OK. I'd still blame the client in this case. Make sure the OS and apps are up-to-date. There was a similar bug not too long ago that turned out to be a client issue, but IIRC an app update fixed it soon after.

                        When you say: "first CA" did you mean the ca.crt:

openssl x509 -text -noout -in ca.crt
Certificate:
    Data:
        Version: 4 (0x3)
        Serial Number: 2503200 (0x263220)


If so that is actually the ca.crt file from the Viscosity.visc bundle that I downloaded from: pfSense --> VPN --> OpenVPN --> Client Export (the Client Export.png screenshot shows the download link (Viscosity Bundle), it's all the way on the right side of that screenshot). That is definitely for my remote access and NOT for ExpressVPN. I have always downloaded my files from the Client Export in the past and it worked but do you think you might be on to something as it does show a different version number than the other CA's?

jimp (Rebel Alliance Developer, Netgate):

                          Since you won't post the rest of the certificate it's impossible to say what it means. Read it and see what is there.

                          If it isn't the correct CA, I don't see how it could have ended up in that bundle. It goes by what's set on the server, and it doesn't offer anything to download that doesn't match.

alteredstate:

                            @jimp:

                            Since you won't post the rest of the certificate it's impossible to say what it means. Read it and see what is there.

                            If it isn't the correct CA, I don't see how it could have ended up in that bundle. It goes by what's set on the server, and it doesn't offer anything to download that doesn't match.

I was not trying to be difficult by not posting the rest of my certificate, I was just being cautious. I generated new Certs and CA's in the Certificate Manager and all works great now! Thank you for all your help as you pointed me in the right direction! Now when I download the Viscosity.visc bundle and look at the version of ca.crt it says: Version 3. Who knows what happened, maybe something during one of my pfSense upgrades as I have not touched those settings in a few years. Thanks again!

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.