Bug in Client Export Utility



  • Hello! Just found a strange thing.

    When the server is set to SSL/TLS + User Auth, the Client Export Utility shows no configs for export.
    When the server is set to TLS only or User Auth only, the Client Export Utility shows all the needed configs for export.

    Is it a bug? Or is it something that I am missing?

    2.3.4-RELEASE (amd64), just installed Client Export Utility.


  • Rebel Alliance Developer Netgate

    Are the certificates associated with users under System > User Manager?

    It's not enough that the certificates have the same name, they have to be certificates listed on the appropriate user in the User Manager. SSL/TLS mode will show any certificate from the CA. User Auth mode will show any user from the user manager. But for SSL/TLS+User Auth they must be tied together.

    So for example, if I have a user named "jimp" and a certificate with a cn "jimp", it wouldn't show in the export list for SSL/TLS+User Auth unless the "jimp" certificate was listed under the "jimp" user entry in the user manager. And also it has to be from the same CA as the OpenVPN server, naturally.
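
The three export-list rules from the reply above, as an added example that is not part of the original post and is not pfSense code. The data layout, field names, mode labels and the `why_missing` diagnostic are assumptions made for illustration; the sample users and certificates are constructed.

```python
# Simplified model of the export-list rules described in the reply above.
# Data layout and field names are hypothetical, not pfSense's config schema.

def export_entries(mode, server_ca, users, certs):
    """Return (user, cert_cn) pairs an export list would show for the mode."""
    by_id = {c["refid"]: c for c in certs}
    if mode == "tls":        # any certificate issued by the server's CA
        return [(None, c["cn"]) for c in certs if c["ca"] == server_ca]
    if mode == "user":       # any user from the user manager
        return [(u["name"], None) for u in users]
    if mode == "tls+user":   # cert attached to the user AND from the server's CA
        return [(u["name"], by_id[r]["cn"])
                for u in users for r in u["certs"]
                if r in by_id and by_id[r]["ca"] == server_ca]
    raise ValueError(f"unknown mode: {mode}")

def why_missing(name, server_ca, users, certs):
    """Explain why a user has no tls+user entry; None if it would be listed."""
    by_id = {c["refid"]: c for c in certs}
    user = next((u for u in users if u["name"] == name), None)
    if user is None:
        return "no such user in the user manager"
    attached = [by_id[r] for r in user["certs"] if r in by_id]
    if any(c["ca"] == server_ca for c in attached):
        return None
    if attached:
        return "attached certificate is from a different CA than the server"
    if any(c["cn"] == name and c["ca"] == server_ca for c in certs):
        return "certificate with matching CN exists but is not attached to the user"
    return "user has no certificate"

# Constructed sample data
CERTS = [
    {"refid": "c1", "cn": "jimp",  "ca": "vpn-ca"},
    {"refid": "c2", "cn": "alice", "ca": "vpn-ca"},
    {"refid": "c3", "cn": "bob",   "ca": "other-ca"},
]
USERS = [
    {"name": "jimp",  "certs": []},      # same-name cert exists, not attached
    {"name": "alice", "certs": ["c2"]},
    {"name": "bob",   "certs": ["c3"]},
]

if __name__ == "__main__":
    for mode in ("tls", "user", "tls+user"):
        print(mode, export_entries(mode, "vpn-ca", USERS, CERTS))
    for u in USERS:
        print(u["name"], "->", why_missing(u["name"], "vpn-ca", USERS, CERTS))
```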



  • Thank you, I think it would be helpful if someone added that information to this message in the Client Export Utility - "If a client is missing from the list it is likely due to a CA mismatch between the OpenVPN server instance and the client certificate, or the client certificate does not exist on this firewall."  :)


  • Rebel Alliance Global Moderator

    Ah - so like the info on bleach that says do not drink this ;)

    That wording is already on the wiki doc, btw:

    https://doc.pfsense.org/index.php/OpenVPN_Client_Export_Package
    "If the list is empty, there are likely no users and/or certificates that exist which use the same Certificate Authority as this VPN server."

    If you click the little ? mark in the top right corner of the export package page, it takes you there.