Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Adding 2nd OpenVPN cert causes issues with first cert

    Scheduled Pinned Locked Moved OpenVPN
    4 Posts 3 Posters 902 Views 2 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • E Offline
      edgesync
      last edited by

      Hi all, hope this is the right forum.

      I've noticed a weird issue on my pfSense config.
      I'm using pfsense 2.4.2 community edition.

      I have 2 linux VPS systems, with two different hosts each running OpenVPNAS.

      I have set up the VPS 1 in the cert manager (CA, Cert, set up a tunnel client, and set up an interface for it).  The CA is listed as "Self-Signed".
      This works fine, it connects and tunnels my traffic through without issue.

      However, when i do the exact same process on VPS 2, and add it's own CA - VPS 1 lists it's CA as VPS 2.

      here is a pic to show you what i mean:

      Looks like some sort of weird certificate mismatch - but I can't find out what's causing it. This same setup was working fine on an earlier version of pfsense (2.3.4).

      Any idea's what i might be doing wrong?

      Thanks!

      A 1 Reply Last reply Reply Quote 0
      • A Offline
        AK_4_Life @edgesync
        last edited by

        @edgesync I have this same issue, did you ever figure out what was wrong. Initially, both VPN connections will work, but when the 1st connection needs to restart, then the connection will fail and there will be TLS errors in the log.

        Can anyone comment on why this is happening. I'm new to pfsense and I don't understand why this is happening.

        These are my CAs, see how the 1st CA says the issuer is the second CA?
        CAs.png

        These are my Certs, see how they say each other is the issuer?
        CERTs.png

        These are my VPN client connections.
        Clients.png

        1 Reply Last reply Reply Quote 0
        • jimpJ Offline
          jimp Rebel Alliance Developer Netgate
          last edited by

          You need to use unique subjects for different CA and certificate entries. You have essentially created duplicates and they can't figure out the issuer because the subjects are identical. At least change the CN for each certificate. You'll have problems with those two certificates as well since they also have identical subjects.

          Also, make sure you are setting the certificate properties correctly, you have one labeled "server cert" but it does not have the properties set to be a server certificate.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          A 1 Reply Last reply Reply Quote 1
          • A Offline
            AK_4_Life @jimp
            last edited by

            @jimp ok, thanks I see that now. both the VPN servers are Asus AX-11000 routers, so I guess I'll have to install a pfsense box at one of those locations because I don't see any way to change the CN.

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.