Netgate Discussion Forum

[SOLVED] Error Parsing CA Cert: X509-CRT/CRL/CSR Has Unsupported Version Number

OpenVPN
20 Posts 3 Posters 5.8k Views
alteredstate, Apr 3, 2018, 5:19 PM (last edited Apr 24, 2018, 2:07 AM)

    Hello Everyone,

    I'm on pfSense 2.4.2-RELEASE-p1 and attempting to connect to my pfSense OpenVPN server using OpenVPN Connect (OpenVPN 1.2.9 build 0 (iOS 64-bit)) on my iPad (iOS 11.2.6) but keep receiving this error after downloading the *.ovpn file from the openvpn-client export 1.4.14 and installing it in OpenVPN Connect:

    EVENT: CORE_ERROR mbed TLS: error parsing ca certificate: X509 - CRT/CRL/CSR has an unsupported version number [ERR]
    

    I posted this question on the OpenVPN Support Forum and I'm not getting anywhere.  It appears my OpenVPN Connect is looking for a version number in the OpenVPN server certificate but none of the certificates appear to contain any version information.  Here is a link to my post on OpenVPN Support Forum: https://forums.openvpn.net/viewtopic.php?f=36&t=25955&p=77920#p77920  If anyone has a solution or idea where to begin troubleshooting this I would be very appreciative!

alteredstate, Apr 20, 2018, 8:39 PM

      Could anyone help me out on this issue?

jimp (Rebel Alliance Developer, Netgate), Apr 23, 2018, 4:09 PM

        Most likely that is a problem with the client/OS/ssl library and not pfSense.

        I spot checked a few certs made as recently as today and as far back as 2007 and they all had version information.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

alteredstate, Apr 23, 2018, 7:00 PM

          @jimp:

          Most likely that is a problem with the client/OS/ssl library and not pfSense.

          I spot checked a few certs made as recently as today and as far back as 2007 and they all had version information.

          Thanks for the reply!  I'm confused though because I'm loading user certs exported by the pfSense openvpn-client-export package (1.4.14) and I've looked through all of the different export files and none of them have anything regarding a version number.  What part of the client/OS/ssl library would be involved since my certs are imported from pfSense?  Do you use the openvpn-client-export package in pfSense to export your OpenVPN user certs or how do you do it?

jimp (Rebel Alliance Developer, Netgate), Apr 23, 2018, 7:22 PM

            : openssl x509 -text -noout -in server6.cert
            Certificate:
                Data:
                    Version: 3 (0x2)
                    Serial Number: 2 (0x2)

            That version number, which is also what they referred you to in the OpenVPN thread you linked.

alteredstate, Apr 23, 2018, 7:41 PM

              @jimp:

              : openssl x509 -text -noout -in server6.cert
              Certificate:
                  Data:
                      Version: 3 (0x2)
                      Serial Number: 2 (0x2)

              That version number, which is also what they referred you to in the OpenVPN thread you linked.

              Yes, I know that but none of my exported certificates from pfSense contain that information.  Would you be able to answer my other questions?

jimp (Rebel Alliance Developer, Netgate), Apr 23, 2018, 7:43 PM

                The certificate information I showed would be the same no matter how the certificate was exported. It's embedded in the certificate itself and could not be changed automatically depending on how it was downloaded. There is no way your certificate would be missing that, unless you created it somewhere else (not on pfSense) or you are looking in the wrong place.

alteredstate, Apr 23, 2018, 8:03 PM (last edited Apr 23, 2018, 8:07 PM)

                  @jimp:

                  The certificate information I showed would be the same no matter how the certificate was exported. It's embedded in the certificate itself and could not be changed automatically depending on how it was downloaded. There is no way your certificate would be missing that, unless you created it somewhere else (not on pfSense) or you are looking in the wrong place.

                  Okay, now we are getting somewhere.  I downloaded the Viscosity.visc from the pfSense Client Export utility and ran the openssl command that you used and there is definitely a version number:

                  openssl x509 -text -noout -in cert.crt
                  Certificate:
                      Data:
                          Version: 3 (0x2)
                          Serial Number: 1 (0x1)

                  I was originally opening the cert files with gedit as well as using the cat command and it just showed the certificate key… sorry, I was unaware you had to run that openssl command.  So any ideas why I still get the incorrect version number?  I've tried OpenVPN for Android and OpenVPN Connect on Android but still get the same issue.

jimp (Rebel Alliance Developer, Netgate), Apr 23, 2018, 8:07 PM

                    I haven't seen that error with the Android OpenVPN client I use ( https://play.google.com/store/apps/details?id=de.blinkt.openvpn ), though mine has been working with that for years.

                    Note in your error that it is not complaining about the client or server certificate, but the CA certificate. Perhaps there is something amiss there. Maybe the CA certificate you selected in the server is not valid in some way.

johnpoz (LAYER 8 Global Moderator), Apr 23, 2018, 8:24 PM

                      I use my iphone and ipad both with the vpn client and have never seen such an issue.

                      Maybe you're just trying to use the wrong export.  For iPhone/iPad use the OpenVPN Connect (iOS/Android) one.

                      I email the ovpn file and import it right on my phone or ipad..

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

alteredstate, Apr 23, 2018, 8:46 PM

                        @jimp:

                        I haven't seen that error with the Android OpenVPN client I use ( https://play.google.com/store/apps/details?id=de.blinkt.openvpn ), though mine has been working with that for years.

                        Note in your error that it is not complaining about the client or server certificate, but the CA certificate. Perhaps there is something amiss there. Maybe the CA certificate you selected in the server is not valid in some way.

                        Is it because ca.crt is Version 4 and cert.crt is Version 3 (pulled from the Viscosity.visc file):

                        openssl x509 -text -noout -in ca.crt
                        Certificate:
                            Data:
                                Version: 4 (0x3)
                                Serial Number: 2503200 (0x263220)

                        Or are you referring to a different CA?

                        find / -name "*.ca"
                        /var/etc/openvpn/server2.ca
                        /var/etc/openvpn/client1.ca

                        The /var/etc/openvpn/client1.ca is my ExpressVPN setup and not relevant to this issue.

                        openssl x509 -text -noout -in /var/etc/openvpn/server2.ca
                        Certificate:
                            Data:
                                Version: 3 (0x2)
                                Serial Number: 0 (0x0)

                        This is where I get confused.  For example, I have a ca.crt and a server2.ca; I don't understand how these two files interact (and why I need two of them) and why they appear to be similar files but the extensions are different…but that's just my ignorance.

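The "Version: 4 (0x3)" line in the post above is the actual clue. X.509 encodes the version zero-based (RFC 5280: v1 = 0, v2 = 1, v3 = 2), and openssl prints the human-readable number followed by the raw field in parentheses. A raw field of 0x3 is therefore a "v4" certificate, which no version of the standard defines; OpenSSL prints it anyway, but mbed TLS, the library inside OpenVPN Connect, rejects it with MBEDTLS_ERR_X509_UNKNOWN_VERSION, whose message text is exactly "X509 - CRT/CRL/CSR has an unsupported version number". The script below is an added example, not code from the thread or from pfSense or OpenVPN: it walks just enough DER to reach the version field of every certificate in an OpenVPN profile's inline <ca> and <cert> blocks (or in a bare .crt file) and flags fields outside 0..2. The sample profile it ships with is constructed from minimal fake certificate structures that carry only a version and serial number, so it is enough for the version walk but is not a real certificate.

```python
"""Report the X.509 version field of certificates in an OpenVPN profile.

Added example, not part of the original thread. Parses only the outer
Certificate SEQUENCE, the tbsCertificate SEQUENCE and the optional
[0] EXPLICIT version INTEGER, so no third-party ASN.1 library is needed.
"""
import base64
import re
import sys

# RFC 5280: Version ::= INTEGER { v1(0), v2(1), v3(2) }.  mbed TLS returns
# MBEDTLS_ERR_X509_UNKNOWN_VERSION ("CRT/CRL/CSR has an unsupported version
# number") for any raw field outside this range.
MAX_SUPPORTED_VERSION_FIELD = 2

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def x509_version_field(der):
    """Return the raw version INTEGER of a DER certificate (0 when absent, i.e. v1)."""
    tag, start, _ = read_tlv(der, 0)            # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tag, start, _ = read_tlv(der, start)        # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, vstart, _ = read_tlv(der, start)       # version [0] EXPLICIT, OPTIONAL
    if tag != 0xA0:
        return 0                                # field absent: v1 by default
    tag, istart, iend = read_tlv(der, vstart)
    if tag != 0x02:
        raise ValueError("version is not an INTEGER")
    return int.from_bytes(der[istart:iend], "big")


def versions_in_pem(text):
    """Return [(printed_version, supported_by_mbedtls), ...] for each PEM cert in text."""
    out = []
    for b64 in PEM_RE.findall(text):
        field = x509_version_field(base64.b64decode("".join(b64.split())))
        out.append((field + 1, field <= MAX_SUPPORTED_VERSION_FIELD))
    return out


def check_profile(ovpn_text):
    """Map each inline <ca> / <cert> block of an OpenVPN profile to versions_in_pem()."""
    results = {}
    for name in ("ca", "cert"):
        m = re.search(rf"<{name}>(.*?)</{name}>", ovpn_text, re.S)
        if m:
            results[name] = versions_in_pem(m.group(1))
    return results


# --- constructed sample input (not real certificates) -----------------------
def der(tag, payload):
    """Encode one short-form DER TLV; sufficient for the tiny structures below."""
    assert len(payload) < 128
    return bytes([tag, len(payload)]) + payload


def fake_cert(version_field):
    """Stand-in certificate: SEQUENCE { SEQUENCE { [0]{INTEGER version}, INTEGER serial } }."""
    tbs = der(0x30, der(0xA0, der(0x02, bytes([version_field]))) + der(0x02, b"\x01"))
    return der(0x30, tbs)


def to_pem(der_bytes):
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(der_bytes).decode()
            + "\n-----END CERTIFICATE-----")


# Constructed profile: a "v4" CA (raw field 3) like the one in the thread, and a v3 cert.
SAMPLE_OVPN = f"<ca>\n{to_pem(fake_cert(3))}\n</ca>\n<cert>\n{to_pem(fake_cert(2))}\n</cert>\n"

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OVPN
    for block, versions in check_profile(text).items():
        for printed, ok in versions:
            print(f"<{block}>: Version {printed} ({'supported' if ok else 'UNSUPPORTED by mbed TLS'})")
```

Run it against an exported .ovpn (`python3 check_versions.py client.ovpn`) or call `versions_in_pem(open("ca.crt").read())` on the Viscosity bundle's ca.crt; the constructed sample reports the <ca> block as Version 4, unsupported, and the <cert> block as Version 3, supported. OpenSSL-based clients tolerate the malformed field, which is why the same export worked elsewhere while mbed TLS-based OpenVPN Connect refused the CA.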
jimp (Rebel Alliance Developer, Netgate), Apr 23, 2018, 8:50 PM

                          Where did you get that CA? Is it actually your own internal CA that you used to generate the server and client certificates?

                          A CA created on pfSense still shows version 3. Looks like maybe you're using a public CA on there which is a bad idea for OpenVPN.

alteredstate, Apr 23, 2018, 8:57 PM

                            @jimp:

                            Where did you get that CA? Is it actually your own internal CA that you used to generate the server and client certificates?

                            A CA created on pfSense still shows version 3. Looks like maybe you're using a public CA on there which is a bad idea for OpenVPN.

                            The ca.crt was in the Viscosity.visc bundle that I downloaded from the pfSense --> VPN --> OpenVPN --> Client Export utility.  The server2.ca is located on my pfSense box in: /var/etc/openvpn/

jimp (Rebel Alliance Developer, Netgate), Apr 23, 2018, 8:59 PM

                              But what is that CA? Is it actually the correct CA for your server cert? What is selected on the server? How was everything created?

alteredstate, Apr 23, 2018, 9:14 PM

                                @jimp:

                                But what is that  CA? Is it actually the correct CA for your server cert? What is selected on the server? How was everything created?

                                I created everything in the pfSense --> Certificate Manager

                                Here is pfSense --> VPN --> OpenVPN --> Servers:

                                Refer to: Servers.png

                                pfSense --> VPN --> OpenVPN --> Client Export

                                Refer to: Client Export.png

                                pfSense --> System --> Certificate Manager --> CAs

                                Refer to: CA's.png

                                pfSense --> System --> Certificate Manager --> Certificates

                                Refer to: Certificates.png

                                Does that help any?  I was trying to screen shot what I thought was relevant, I did this a long time ago and have not had any problems or interaction with this setup until now so I'm having trouble remembering.

                                Attachments: Servers.png, Client Export.png, CA's.png, Certificates.png

alteredstate, Apr 23, 2018, 9:32 PM

                                  @johnpoz:

                                  I use my iphone and ipad both with the vpn client and have never seen such an issue.

                                  Maybe you're just trying to use the wrong export.  For iPhone/iPad use the OpenVPN Connect (iOS/Android) one.

                                  I email the ovpn file and import it right on my phone or ipad..

                                  Thanks for the reply, I was in the same boat… never had an issue until now.  I also emailed the ovpn file to my device(s) and it would work great!  I'm running pfSense as a VM on Proxmox so I'm about ready to create a clone and start hacking it up in order to figure out what's going on.  I may just do a reinstall if I cannot figure it out because something has gone wrong.

jimp (Rebel Alliance Developer, Netgate), Apr 23, 2018, 9:40 PM

                                    OK, so the first CA you showed the version for is probably your client/VPN provider (expressvpn) and not the one used by your remote access VPN.

                                    From the looks of everything you have there it should be OK. I'd still blame the client in this case. Make sure the OS and apps are up-to-date. There was a similar bug not too long ago that turned out to be a client issue, but IIRC an app update fixed it soon after.

alteredstate, Apr 23, 2018, 9:58 PM

                                      @jimp:

                                      OK, so the first CA you showed the version for is probably your client/VPN provider (expressvpn) and not the one used by your remote access VPN.

                                      From the looks of everything you have there it should be OK. I'd still blame the client in this case. Make sure the OS and apps are up-to-date. There was a similar bug not too long ago that turned out to be a client issue, but IIRC an app update fixed it soon after.

                                      When you say: "first CA" did you mean the ca.crt:

                                      openssl x509 -text -noout -in ca.crt
                                      Certificate:
                                          Data:
                                              Version: 4 (0x3)
                                              Serial Number: 2503200 (0x263220)

                                      If so, that is actually the ca.crt file from the Viscosity.visc bundle that I downloaded from: pfSense --> VPN --> OpenVPN --> Client Export (the Client Export.png screenshot shows the download link (Viscosity Bundle), it's all the way on the right side of that screenshot).  That is definitely for my remote access and NOT for ExpressVPN.  I have always downloaded my files from the Client Export in the past and it worked, but do you think you might be on to something as it does show a different version number than the other CAs?

jimp (Rebel Alliance Developer, Netgate), Apr 23, 2018, 10:06 PM

                                        Since you won't post the rest of the certificate it's impossible to say what it means. Read it and see what is there.

                                        If it isn't the correct CA, I don't see how it could have ended up in that bundle. It goes by what's set on the server, and it doesn't offer anything to download that doesn't match.

alteredstate, Apr 24, 2018, 2:07 AM

                                          @jimp:

                                          Since you won't post the rest of the certificate it's impossible to say what it means. Read it and see what is there.

                                          If it isn't the correct CA, I don't see how it could have ended up in that bundle. It goes by what's set on the server, and it doesn't offer anything to download that doesn't match.

                                          I was not trying to be difficult by not posting the rest of my certificate, I was just being cautious.  I generated new Certs and CA's in the Certificate Manager and all works great now!  Thank you for all your help as you pointed me in the right direction!  Now when I download the Viscosity.visc bundle and look at the version of ca.crt it says: Version 3.  Who knows what happened, maybe something during one of my pfSense upgrades as I have not touched those settings in a few years.  Thanks again!

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.