Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Problems with multiple CAs for OpenVPN in certificate manager

    OpenVPN
    3
    4
    820
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      ad last edited by

      hi,
      I'm currently trying to trace a problem when i have multiple (self signed)
      CAs in the certificate manager for diffreren OpenVPN server instances.

      The symptom is the following:
      I have multiple (currently 7) independent self-signed CAs in the
      certificate manager, used for different OpenVPN services.
      They were all created independently (using EasyRSA) and the imported
      into pfSense.
      Now, for some reason pfSense thinks that all certificates, including
      all other CA certificates, are signed by the last CA imported
      (it's always the last one imported, no matter which order).
      Now, i noticed this before, but it was just a minor userinterface
      issue up until and including v2.3.2_1, but with 2.3.3 this means
      that some of my vpns now no longer work, as because of commit
      eafd9cfb5e68b1d466f7627fc729078e21a23f1a, it now puts all of
      the "certificate chain" into the ca certificates for the OpenVPN
      service, which leads to validation errors, because it is not a chain
      in reality.

      has anybody else seen this behaviour and/or is it a user error on my part?

      (i have not yet stepped through the certificate manager code as i so far was looking in
      the wrong place because i thought i made some error in upgrading or
      decoding the certificates).

      any hints would be appreciated.

      regards,
      albert

      1 Reply Last reply Reply Quote 0
      • T
        TheIPdude last edited by

        same problem!

        1 Reply Last reply Reply Quote 0
        • jimp
          jimp Rebel Alliance Developer Netgate last edited by

          Did you make all of those with the exact same subject? If they are all (nearly) identical it may not be able to distinguish them enough to tell who made what. It tries to locate the appropriate signing CA but if they all look alike it may not separate them properly.

          1 Reply Last reply Reply Quote 0
          • A
            ad last edited by

            well, country, province, city org and email are identical
            (most of these CAs where created well before we started using pfsense,
            all of them where created using easy rsa)

            so yes, if pfsense tries to look at the subject to find out if they are related this could indeed
            be the reason.

            while using the same email address might not have been ideal, i don't think it's possible to change it afterwards, so i'm stuck with it…

            regards,
            albert dengg

            1 Reply Last reply Reply Quote 0
            • First post
              Last post

            Products

            • Platform Overview
            • TNSR
            • pfSense
            • Appliances

            Services

            • Training
            • Professional Services

            Support

            • Subscription Plans
            • Contact Support
            • Product Lifecycle
            • Documentation

            News

            • Media Coverage
            • Press
            • Events

            Resources

            • Blog
            • FAQ
            • Find a Partner
            • Resource Library
            • Security Information

            Company

            • About Us
            • Careers
            • Partners
            • Contact Us
            • Legal
            Our Mission

            We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

            Subscribe to our Newsletter

            Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

            © 2021 Rubicon Communications, LLC | Privacy Policy