Netgate Discussion Forum
    Openvpn 21.02 clients cannot connect

    4 Posts 2 Posters 560 Views
    Summer:

      Hi,
      I've upgraded a Netgate SG-3100 to 21.02; now the OpenVPN clients aren't able to connect to the server on the SG-3100. The only entry that appears in the log is:

      SOURCE WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
      2021-03-01T17:06:22+01:00  openvpn[39857]: SOURCE WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
      2021-03-01T17:06:26+01:00  openvpn[39857]: SOURCE WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
      

      Please let me know how to fix it. The connections are incoming, but without success, and there is no data on the OpenVPN status page.
      Thanks, BR

      jimp (Rebel Alliance Developer, Netgate):

        https://redmine.pfsense.org/issues/4521#note-11

        Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        Summer @jimp:

          Thank you @jimp, but I don't get how to fix it:

          [21.02-RELEASE]/root: /usr/local/sbin/fcgicli -f /etc/inc/openvpn.tls-verify.php -d "servercn=aaa&depth=1&certdepth=1&certsubject=shortline&serial=123"
          OK
          [21.02-RELEASE]/root: /usr/local/sbin/fcgicli -f /etc/inc/openvpn.tls-verify.php -d "servercn=aaa&depth=2&certdepth=2&certsubject=qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq&serial=123"
          Something wrong happened while reading request
          

          The link https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/154 is broken.

          Rick Frey wrote:
          "Replacing fcgicli with php-cgi works for me as well when using a self-generated cert, intermediate and root CA with lengthy subjects. I added a logging statement to log the output of each command. fcgicli returns "Something wrong happened while reading request" whereas php-cgi returns "OK". Note that I only tested cert depth as I don't use user credentials."
          
          [21.02-RELEASE]/root: /usr/local/bin/php-cgi -f /etc/inc/openvpn.tls-verify.php -d "servercn=aaa&depth=2&certdepth=2&certsubject=qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq&serial=123"
          PHP:  syntax error, unexpected '=' in Unknown on line 1
          

          What exactly should fcgicli be replaced with, and where?

          192.168.100.100:1194 TLS Error: TLS handshake failed
          192.168.100.100:1194 TLS Error: TLS object -> incoming plaintext read error
          192.168.100.100:1194 TLS_ERROR: BIO read tls_read_plaintext error
          192.168.100.100:1194 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
          192.168.100.100:1194 TLS Error: TLS handshake failed
          192.168.100.100:1194 TLS Error: TLS object -> incoming plaintext read error
          192.168.100.100:1194 TLS_ERROR: BIO read tls_read_plaintext error
          192.168.100.100:1194 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
          
            jimp (Rebel Alliance Developer, Netgate):
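          As an added example, not pfSense's openvpn.tls-verify.php and not code from anyone in this thread, here is a minimal POSIX sh --tls-verify hook that shows the contract behind the errors quoted above. OpenVPN runs the hook once per certificate in the chain with two arguments, the certificate depth and the one-line X509 subject, and rejects the certificate whenever the hook exits non-zero; on the server that is logged as "Failed running command (--tls-verify script): external program exited with error status: 1", and the client then sees "certificate verify failed" and "TLS handshake failed". The CN allowlist, the ALLOWED_CNS variable and the stderr logging are assumptions made for the illustration; the subject length is logged because long subjects are what the fcgicli tests above trip over.

```shell
#!/bin/sh
# Example OpenVPN --tls-verify hook (illustration only; not pfSense's script).
# OpenVPN invokes it as:   script <depth> <x509-subject>
# Exit 0 accepts the certificate at that depth, non-zero rejects it.

# Assumed allowlist of client CNs (hypothetical names for the example).
ALLOWED_CNS="${ALLOWED_CNS:-alice bob}"

# Extract the CN from a one-line X509 subject, in either
# "CN=alice, O=Example" or "/C=US/O=Example/CN=alice" form.
subject_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN=\([^,/]*\).*/\1/p'
}

# tls_verify_check DEPTH SUBJECT  ->  returns 0 (accept) or 1 (reject)
tls_verify_check() {
    depth=$1
    subject=$2
    len=${#subject}
    # Log exactly what OpenVPN handed us, including the subject length,
    # so a failing depth/subject pair is visible in the logs.
    printf 'tls-verify: depth=%s len=%s subject=%s\n' "$depth" "$len" "$subject" >&2

    case "$depth" in
        ''|*[!0-9]*) return 1 ;;   # malformed depth: reject
    esac

    # Depth >= 1 is an intermediate or root CA; OpenSSL has already
    # validated the chain against the configured CA, so accept it here.
    [ "$depth" -ge 1 ] && return 0

    # Depth 0 is the client leaf certificate: enforce the CN allowlist.
    cn=$(subject_cn "$subject")
    [ -n "$cn" ] || return 1
    for ok in $ALLOWED_CNS; do
        [ "$cn" = "$ok" ] && return 0
    done
    return 1
}

# When OpenVPN calls this file with arguments, run the check and exit with
# its status; with no arguments the functions are only defined.
if [ "$#" -ge 2 ]; then
    tls_verify_check "$1" "$2"
    exit $?
fi
```

          To exercise it by hand the way the fcgicli tests above do, call it with a depth and a subject, e.g. `sh tls-verify.sh 2 "CN=$(printf '%400s' '' | tr ' ' q), O=Long"`, and check `$?`. One caveat on the php-cgi test above: php-cgi's `-d` defines an INI entry rather than posting request data, so the query string is parsed as INI and fails with "syntax error, unexpected '='", which is a different failure from the fcgicli one.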

            The link is internal, not broken, but you don't need it.

            I linked to comment #11 on that issue which has an attachment that is the patch you need to apply.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.