[SOLVED] Error Parsing CA Cert: X509-CRT/CRL/CSR Has Unsupported Version Number



  • Hello Everyone,

    I'm on pfSense 2.4.2-RELEASE-p1 and attempting to connect to my pfSense OpenVPN server using OpenVPN Connect (OpenVPN 1.2.9 build 0 (iOS 64-bit)) on my iPad (iOS 11.2.6) but keep receiving this error after downloading the *.ovpn file from the openvpn-client export 1.4.14 and installing it in OpenVPN Connect:

    EVENT: CORE_ERROR mbed TLS: error parsing ca certificate: X509 - CRT/CRL/CSR has an unsupported version number [ERR]
    

    I posted this question on the OpenVPN Support Forum and I'm not getting anywhere.  It appears my OpenVPN Connect is looking for a version number in the OpenVPN server certificate but none of the certificates appear to contain any version information.  Here is a link to my post on OpenVPN Support Forum: https://forums.openvpn.net/viewtopic.php?f=36&t=25955&p=77920#p77920  If anyone has a solution or idea where to begin troubleshooting this I would be very appreciative!



  • Could anyone help me out on this issue?


  • Rebel Alliance Developer Netgate

    Most likely that is a problem with the client/OS/ssl library and not pfSense.

    I spot checked a few certs made as recently as today and as far back as 2007 and they all had version information.



  • @jimp:

    Most likely that is a problem with the client/OS/ssl library and not pfSense.

    I spot checked a few certs made as recently as today and as far back as 2007 and they all had version information.

    Thanks for the reply!  I'm confused though because I'm loading user certs exported by the pfSense openvpn-client-export package (1.4.14) and I've looked through all of the different export files and none of them have anything regarding a version number.  What part of the client/OS/ssl library would be involved since my certs are imported from pfSense?  Do you use the openvpn-client-export package in pfSense to export your OpenVPN user certs or how do you do it?


  • Rebel Alliance Developer Netgate

    : openssl x509 -text -noout -in server6.cert
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 2 (0x2)
    
    

    That version number, which is also what they referred you to in the OpenVPN thread you linked.



  • @jimp:

    : openssl x509 -text -noout -in server6.cert
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 2 (0x2)
    
    

    That version number, which is also what they referred you to in the OpenVPN thread you linked.

    Yes, I know that but none of my exported certificates from pfSense contain that information.  Would you be able to answer my other questions?


  • Rebel Alliance Developer Netgate

    The certificate information I showed would be the same no matter how the certificate was exported. It's embedded in the certificate itself and could not be changed automatically depending on how it was downloaded. There is no way your certificate would be missing that, unless you created it somewhere else (not on pfSense) or you are looking in the wrong place.



  • @jimp:

    The certificate information I showed would be the same no matter how the certificate was exported. It's embedded in the certificate itself and could not be changed automatically depending on how it was downloaded. There is no way your certificate would be missing that, unless you created it somewhere else (not on pfSense) or you are looking in the wrong place.

    Okay, now we are getting somewhere.  I downloaded the Viscosity.visc from the pfSense Client Export utility and ran the openssl command that you used and there is definitely a version number:

    openssl x509 -text -noout -in cert.crt
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 1 (0x1)
    
    

    I was originally opening the cert files with gedit as well as using the cat command and it just showed the certificate key…sorry, I was unaware you had to run that openssl command.  So any ideas why I still get an incorrect version number?  I've tried OpenVPN for Android and OpenVPN Connect on Android, but still the same issue.


  • Rebel Alliance Developer Netgate

    I haven't seen that error with the Android OpenVPN client I use ( https://play.google.com/store/apps/details?id=de.blinkt.openvpn ), though mine has been working with that for years.

    Note in your error that it is not complaining about the client or server certificate, but the CA certificate. Perhaps there is something amiss there. Maybe the CA certificate you selected in the server is not valid in some way.


  • Rebel Alliance Global Moderator

    I use my iphone and ipad both with the vpn client and have never seen such an issue.

    Maybe you're just trying to use the wrong export.  For iphone/ipad use the openvpn connect (ios/android) one..

    I email the ovpn file and import it right on my phone or ipad..



  • @jimp:

    I haven't seen that error with the Android OpenVPN client I use ( https://play.google.com/store/apps/details?id=de.blinkt.openvpn ), though mine has been working with that for years.

    Note in your error that it is not complaining about the client or server certificate, but the CA certificate. Perhaps there is something amiss there. Maybe the CA certificate you selected in the server is not valid in some way.

    Is it because ca.crt is Version 4 and cert.crt is Version 3 (pulled from the Viscosity.visc file):

    openssl x509 -text -noout -in ca.crt
    Certificate:
        Data:
            Version: 4 (0x3)
            Serial Number: 2503200 (0x263220)
    
    

    Or are you referring to a different CA?

    find / -name "*.ca"
    /var/etc/openvpn/server2.ca
    /var/etc/openvpn/client1.ca
    
    

    The /var/etc/openvpn/client1.ca is my ExpressVPN setup and not relevant to this issue.

    openssl x509 -text -noout -in /var/etc/openvpn/server2.ca
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 0 (0x0)
    
    

    This is where I get confused.  For example, I have a ca.crt and a server2.ca; I don't understand how these two files interact (and why I need two of them) and why they appear to be similar files but the extensions are different…but that's just my ignorance.


  • Rebel Alliance Developer Netgate

    Where did you get that CA? Is it actually your own internal CA that you used to generate the server and client certificates?

    A CA created on pfSense still shows version 3. Looks like maybe you're using a public CA on there which is a bad idea for OpenVPN.
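    The thread turns on the "Version" line that `openssl x509 -text` prints: the encoded INTEGER in the certificate is 0, 1 or 2 (openssl shows it as value+1, so "Version: 3 (0x2)" is an ordinary X.509v3 certificate), and a CA whose field decodes to 0x3 ("Version 4") is outside what mbed TLS accepts, which is why the client reports an unsupported version number while openssl still prints it happily. The script below is an added example, not code from this thread, from pfSense or from mbed TLS: it reads the version and serial fields straight out of the DER of a certificate with a minimal ASN.1 parser and applies the same accept-only-0..2 rule. The sample certificates it parses are constructed, truncated DER prefixes (only the fields the parser touches), not real pfSense certificates; the helper names (`x509_version`, `check_like_mbedtls`, `_fake_cert`) are this example's own.

```python
"""Inspect the X.509 version field the way a strict TLS library does.

Added example; not from the forum thread, pfSense or mbed TLS.
Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
    version [0] EXPLICIT INTEGER OPTIONAL,   -- 0=v1, 1=v2, 2=v3; absent means v1
    serialNumber INTEGER, ... }, ... }
openssl prints the INTEGER as value+1, e.g. "Version: 3 (0x2)".
An encoded value of 3 ("Version 4") is not a defined X.509 version, and
mbed TLS refuses to parse such a certificate.
"""
import base64
import re


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: 0x8N then N length bytes
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def pem_to_der(text):
    """Extract the first CERTIFICATE block from PEM text and base64-decode it."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def to_pem(der):
    """Wrap DER bytes in a PEM CERTIFICATE envelope (used to build the sample input)."""
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"


def x509_version(der):
    """Return (encoded_version, serial_number) from a DER-encoded Certificate."""
    tag, tbs_start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, pos, _ = _read_tlv(der, tbs_start)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, vstart, vend = _read_tlv(der, pos)
    version = 0                              # field absent => v1 (encoded 0)
    if tag == 0xA0:                          # context-specific [0] EXPLICIT wrapper
        itag, istart, iend = _read_tlv(der, vstart)
        if itag != 0x02:
            raise ValueError("version is not an INTEGER")
        version = int.from_bytes(der[istart:iend], "big", signed=True)
        tag, vstart, vend = _read_tlv(der, vend)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    serial = int.from_bytes(der[vstart:vend], "big", signed=True)
    return version, serial


def check_like_mbedtls(der):
    """Accept only encoded versions 0..2, which is the rule behind the thread's error."""
    version, serial = x509_version(der)
    if version < 0 or version > 2:
        return "unsupported version number: Version %d (0x%x)" % (version + 1, version)
    return "ok: Version %d (0x%x), serial %d" % (version + 1, version, serial)


def _tlv(tag, content):
    """Minimal DER encoder used only to construct the sample input below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _fake_cert(version, serial):
    """Constructed, truncated Certificate prefix: enough for x509_version(), not a usable cert."""
    fields = b""
    if version is not None:
        fields += _tlv(0xA0, _tlv(0x02, bytes([version])))
    serial_bytes = serial.to_bytes((serial.bit_length() + 8) // 8, "big")  # keeps sign bit clear
    fields += _tlv(0x02, serial_bytes)
    return _tlv(0x30, _tlv(0x30, fields))


if __name__ == "__main__":
    # Constructed samples mirroring the thread: a v3 cert, a "Version 4 (0x3)" CA, a v1 cert.
    for label, der in [("cert.crt", _fake_cert(2, 1)),
                       ("ca.crt", _fake_cert(3, 2503200)),
                       ("v1 cert", _fake_cert(None, 0))]:
        print(label, "->", check_like_mbedtls(pem_to_der(to_pem(der))))
```

Running it prints an "ok" line for the v3 and v1 samples and "unsupported version number: Version 4 (0x3)" for the constructed CA, matching the openssl line quoted later in the thread. On a real pfSense export you would run `x509_version(pem_to_der(open("ca.crt").read()))`; a result other than 0, 1 or 2 means the CA itself is malformed and regenerating it (as the thread's author eventually did) is the fix, not a client setting.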



  • @jimp:

    Where did you get that CA? Is it actually your own internal CA that you used to generate the server and client certificates?

    A CA created on pfSense still shows version 3. Looks like maybe you're using a public CA on there which is a bad idea for OpenVPN.

    The ca.crt was in the Viscosity.visc bundle that I downloaded from the pfSense --> VPN --> OpenVPN --> Client Export utility.  The server2.ca is located on my pfSense box in: /var/etc/openvpn/


  • Rebel Alliance Developer Netgate

    But what is that CA? Is it actually the correct CA for your server cert? What is selected on the server? How was everything created?



  • @jimp:

    But what is that CA? Is it actually the correct CA for your server cert? What is selected on the server? How was everything created?

    I created everything in the pfSense --> Certificate Manager

    Here is pfSense --> VPN --> OpenVPN --> Servers:

    Refer to: Servers.png

    pfSense --> VPN --> OpenVPN --> Client Export

    Refer to: Client Export.png

    pfSense --> System --> Certificate Manager --> CAs

    Refer to: CA's.png

    pfSense --> System --> Certificate Manager --> Certificates

    Refer to: Certificates.png

    Does that help any?  I was trying to screen shot what I thought was relevant, I did this a long time ago and have not had any problems or interaction with this setup until now so I'm having trouble remembering.



    ![Client Export.png](/public/imported_attachments/1/Client Export.png)





  • @johnpoz:

    I use my iphone and ipad both with the vpn client and have never seen such an issue.

    Maybe you're just trying to use the wrong export.  For iphone/ipad use the openvpn connect (ios/android) one..

    I email the ovpn file and import it right on my phone or ipad..

    Thanks for the reply, I was in the same boat…never had an issue until now.  I also emailed the ovpn file to my device(s) and it would work great!  I'm running pfSense as a VM on Proxmox so I'm about ready to create a clone and start hacking it up in order to figure out what's going on.  I may just do a reinstall if I cannot figure it out because something has gone wrong.


  • Rebel Alliance Developer Netgate

    OK, so the first CA you showed the version for is probably your client/VPN provider (expressvpn) and not the one used by your remote access VPN.

    From the looks of everything you have there it should be OK. I'd still blame the client in this case. Make sure the OS and apps are up-to-date. There was a similar bug not too long ago that turned out to be a client issue, but IIRC an app update fixed it soon after.



  • @jimp:

    OK, so the first CA you showed the version for is probably your client/VPN provider (expressvpn) and not the one used by your remote access VPN.

    From the looks of everything you have there it should be OK. I'd still blame the client in this case. Make sure the OS and apps are up-to-date. There was a similar bug not too long ago that turned out to be a client issue, but IIRC an app update fixed it soon after.

    When you say: "first CA" did you mean the ca.crt:

    openssl x509 -text -noout -in ca.crt
    Certificate:
        Data:
            Version: 4 (0x3)
            Serial Number: 2503200 (0x263220)
    

    If so that is actually the ca.crt file from the Viscosity.visc bundle that I downloaded from: pfSense --> VPN --> OpenVPN --> Client Export (the Client Export.png screenshot shows the download link (Viscosity Bundle), it's all the way on the right side of that screenshot).  That is definitely for my remote access and NOT for ExpressVPN.  I have always downloaded my files from the Client Export in the past and it worked, but do you think you might be on to something as it does show a different version number than the other CAs?


  • Rebel Alliance Developer Netgate

    Since you won't post the rest of the certificate it's impossible to say what it means. Read it and see what is there.

    If it isn't the correct CA, I don't see how it could have ended up in that bundle. It goes by what's set on the server, and it doesn't offer anything to download that doesn't match.



  • @jimp:

    Since you won't post the rest of the certificate it's impossible to say what it means. Read it and see what is there.

    If it isn't the correct CA, I don't see how it could have ended up in that bundle. It goes by what's set on the server, and it doesn't offer anything to download that doesn't match.

    I was not trying to be difficult by not posting the rest of my certificate, I was just being cautious.  I generated new Certs and CA's in the Certificate Manager and all works great now!  Thank you for all your help as you pointed me in the right direction!  Now when I download the Viscosity.visc bundle and look at the version of ca.crt it says: Version 3.  Who knows what happened, maybe something during one of my pfSense upgrades as I have not touched those settings in a few years.  Thanks again!