Netgate Discussion Forum

    BUG? Internal certificates tagged as External

    General pfSense Questions
    • ndyserinck

      Hello there,

      I'm stuck with an issue on one of our pfSense installations.
      We are using OpenVPN and the OpenVPN Client Export package, and we get errors while trying to get a client configuration: "Could not locate the CA reference for the server certificate."

      After some searching on the internet, I checked the Cert Manager for the status of the internal CA created to be used with OpenVPN only (the CA is still OK and doesn't expire until 2028) and also the status of all certificates issued with it.
      All certs (we have multiple OpenVPN servers on the same pfSense) have the status "External", and the certificate count for the CA is 0 (null).

      Screenshot of the CA page
      2020-04-01--14-11-16_0003.png

      Screenshot of the Certificates page
      2020-04-01--14-11-05_0002.png

      All certificates were created internally; no re-import, no re-install of the server. I'm able to export all certs and review them: they are signed by the internal CA, but for some odd reason pfSense seems to have "unlinked" them from it.

      I haven't tried to reboot the firewall or the OpenVPN instances, to avoid any downtime (particularly in the current situation: lots of our people are working remotely).

      Any ideas how I can resolve it without rebooting? (Not sure that it would fix it either.)

      Many thanks in advance
      Kind regards

      • jimp (Rebel Alliance Developer, Netgate)

        The certificates have an internal identifier that they use to reference the CA. That ID must not be pointing to this CA.

        Did you happen to add another similar CA and then delete it?

        There are a couple ways you could fix it:

        1. Take a backup, look at the refid of the CA entry and then change the caref value on the certificates to match it, then restore the edited configuration.
        2. Export that CA, then import it again and match the old settings (especially be careful of the serial #), change your OpenVPN to use the new copy of the CA, then delete the old one.


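jimp's first option, worked through as an added example (this is not code from the thread or from pfSense): a standard-library Python script that takes a downloaded config.xml backup, lists the CA refids and each certificate's caref so the mismatch jimp describes is visible, then writes the chosen CA's refid into every <caref> that is missing, empty, or points at a CA that no longer exists (the "added a similar CA and deleted it" case). The element names (<ca>, <cert>, <refid>, <caref>, <crt>, <descr>) follow the pfSense config.xml layout; the sample backup, its refids and certificate names are constructed for the example. With verify=True (the default) the script shells out to `openssl verify -CAfile` and refuses to relink a certificate the CA did not actually sign; the sample carries placeholder <crt> payloads, so the demo runs with verify=False.

```python
"""Re-link pfSense certificates to their issuing CA inside a config.xml backup.
Added example, not pfSense code.  Assumes the config.xml layout in which every
<ca> and <cert> under <pfsense> has a <refid>, a <cert> names its issuer in
<caref>, and <crt> holds the base64-encoded PEM certificate."""
import base64
import shutil
import subprocess
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample backup, not a real export.  Every <crt> is the base64 of the
# string "PLACEHOLDER" rather than a real certificate, so run it with verify=False.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <ca><refid>5e84a1b2c3d4e</refid><descr>OpenVPN-Internal-CA</descr>
    <crt>UExBQ0VIT0xERVI=</crt></ca>
  <ca><refid>1111111111111</refid><descr>Other-CA</descr>
    <crt>UExBQ0VIT0xERVI=</crt></ca>
  <cert><refid>5e84a1b2c3d4f</refid><descr>ovpn-server-1</descr>
    <crt>UExBQ0VIT0xERVI=</crt></cert>                          <!-- caref absent -->
  <cert><refid>5e84a1b2c3d50</refid><descr>ovpn-server-2</descr>
    <caref></caref><crt>UExBQ0VIT0xERVI=</crt></cert>           <!-- caref empty -->
  <cert><refid>5e84a1b2c3d51</refid><descr>ovpn-server-3</descr>
    <caref>5e7cafe000000</caref><crt>UExBQ0VIT0xERVI=</crt></cert>  <!-- CA was deleted -->
  <cert><refid>5e84a1b2c3d52</refid><descr>other-ca-cert</descr>
    <caref>1111111111111</caref><crt>UExBQ0VIT0xERVI=</crt></cert>  <!-- healthy link -->
</pfsense>
"""


def ca_refids(xml_text):
    """CA <descr> -> <refid>: the value a linked <cert> must carry in its <caref>."""
    root = ET.fromstring(xml_text)
    return {ca.findtext("descr"): ca.findtext("refid") for ca in root.findall("ca")}


def cert_carefs(xml_text):
    """Cert <descr> -> <caref> text ("" when empty, None when the element is absent)."""
    root = ET.fromstring(xml_text)
    return {c.findtext("descr"): c.findtext("caref") for c in root.findall("cert")}


def pem(entry):
    """Decode an entry's base64 <crt> payload back to PEM text."""
    return base64.b64decode(entry.findtext("crt", "")).decode()


def openssl_verify(ca_pem, cert_pem):
    """True/False from `openssl verify -CAfile`, or None when openssl is not on PATH."""
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        ca_path, cert_path = Path(tmp, "ca.pem"), Path(tmp, "cert.pem")
        ca_path.write_text(ca_pem)
        cert_path.write_text(cert_pem)
        proc = subprocess.run(["openssl", "verify", "-CAfile", ca_path, cert_path],
                              capture_output=True, text=True)
    return proc.returncode == 0


def relink_certs(xml_text, ca_descr, verify=True):
    """Point each <cert> whose <caref> is missing, empty or names a CA that no longer
    exists at the CA called ca_descr; certs linked to a CA that still exists are left
    alone.  With verify=True a cert is re-linked only if openssl confirms that CA
    signed it.  Returns (new_xml, relinked_descrs, skipped_descrs)."""
    root = ET.fromstring(xml_text)
    cas = [ca for ca in root.findall("ca") if ca.findtext("descr") == ca_descr]
    if len(cas) != 1:
        raise ValueError(f"expected exactly one CA named {ca_descr!r}, found {len(cas)}")
    target_refid = cas[0].findtext("refid")
    live_refids = {ca.findtext("refid") for ca in root.findall("ca")}
    relinked, skipped = [], []
    for cert in root.findall("cert"):
        descr, caref = cert.findtext("descr"), cert.find("caref")
        if caref is not None and caref.text in live_refids:
            continue  # healthy link to a CA that is still present
        if verify and openssl_verify(pem(cas[0]), pem(cert)) is False:
            skipped.append(descr)  # not issued by this CA: do not force the link
            continue
        if caref is None:
            caref = ET.SubElement(cert, "caref")
            caref.tail, cert[-2].tail = cert[-2].tail, "\n    "  # keep indentation tidy
        caref.text = target_refid
        relinked.append(descr)
    new_xml = ET.tostring(root, encoding="utf-8", xml_declaration=True).decode()
    return new_xml, relinked, skipped


if __name__ == "__main__":
    print("CA refids:", ca_refids(SAMPLE_CONFIG), "\nbefore:", cert_carefs(SAMPLE_CONFIG))
    fixed, relinked, skipped = relink_certs(SAMPLE_CONFIG, "OpenVPN-Internal-CA", verify=False)
    print("relinked:", relinked, "skipped:", skipped, "\nafter:", cert_carefs(fixed))
```

Run it against the backup downloaded from Diagnostics > Backup & Restore, diff the output against the original so that only <caref> lines changed, and only then restore the edited file; as the thread shows, expect to reboot before OpenVPN and the Client Export package pick the links up. Note that `openssl verify` also rejects certificates outside their validity period, so a cert you know the CA issued can land in the skipped list if it is expired; openssl's `-no_check_time` option limits the check to the chain itself if that is all you need.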
        • ndyserinck

          Hello @jimp,

          Many thanks for your quick answer.
          I've checked the first point and the values in refid and caref are different.

          I will test this fix on another appliance to be certain that OpenVPN loads correctly after rebooting, to avoid any "VPN blackout", as it's currently being used by home workers.

          I will reply here with the results.

          Many Thanks ;)

          Kind Regards

          • ndyserinck

            Hello @jimp,

            Sorry for my late reply. Lots to do and this issue was put on hold.

            Your 1st option was the good one.
            In the <cert> part for each certificate issued by the CA, the <caref> values were missing.

            I added the correct caref value to each certificate and re-imported the backup file into pfSense. After a reboot, everything was fine.

            Thanks for your answer.

            Kind Regards

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.