BUG? Internal certificates tagged as External



  • Hello there,

    I'm stuck with an issue with one of our pfSense installations.
    We are using OpenVPN and the package OpenVPN Client Export and get errors while trying to get a client configuration: "Could not locate the CA reference for the server certificate."

    After some looking on the internet, I checked the Cert Manager to check the status of the Internal CA created to be used with OpenVPN only (CA still OK and expiry date not until 2028) and to also check the status of all certificates issued with it.
    All certs (we have multiple OpenVPN servers on the same pfSense) have the status "External" and the certificates count for the CA is 0 (null).

    Screenshot of the CA page
    2020-04-01--14-11-16_0003.png

    Screenshot of the Certificates page
    2020-04-01--14-11-05_0002.png

    All certificates were created internally, no re-import, no re-install of the server. I'm able to export all certs and review them, they are signed by the internal CA but for an odd reason, pfSense seems to "unlink" them from it.

    I didn't try to reboot the fw nor the OpenVPN instances to avoid any downtime (particularly in the current situation: lots of our people are working remotely).

    Any ideas of how I can resolve it without rebooting? (not sure that it will fix it either)

    Many thanks in advance
    Kind regards


  • Rebel Alliance Developer Netgate

    The certificates have an internal identifier that they use to reference the CA. That ID must not be pointing to this CA.

    Did you happen to add another similar CA and then delete it?

    There are a couple ways you could fix it:

    1. Take a backup, look at the refid of the CA entry and then change the caref value on the certificates to match it, then restore the edited configuration.
    2. Export that CA, then import it again and match the old settings (especially be careful of the serial #), change your OpenVPN to use the new copy of the CA, then delete the old one.


  • Hello @jimp,

    Many thanks for your quick answer.
    I've checked the first point and the values in refid and caref are different.

    I will test this fix on another appliance to be certain that after rebooting it loads OpenVPN correctly, to avoid any "VPN Blackout" as it's being used by home workers actually.

    I will reply here with the results.

    Many Thanks ;)

    Kind Regards



  • Hello @jimp,

    Sorry for my late reply. Lots to do and this issue was put on hold.

    Your 1st option was the good one.
    In the <cert> part for each certificate issued by the CA, the <caref> values were missing.

    I added the correct caref value on each certificate and re-imported the backup file into pfSense. After a reboot, everything was fine.

    Thanks for your answer.

    Kind Regards
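
An added example, not part of the thread and not Netgate's code: a check of a configuration backup for the condition found above, certificates whose `<caref>` is missing or matches no CA `refid`, plus a helper that writes the correct value. The sample XML and its refid values are constructed, and the layout (`<ca>` and `<cert>` entries directly under the root) is an assumption reduced to the fields the thread names.

```python
import xml.etree.ElementTree as ET

# Constructed sample; a real backup also carries <crt>/<prv> data and many other sections.
SAMPLE = """<pfsense>
  <ca><refid>5e0000000000a</refid><descr>OpenVPN-CA</descr></ca>
  <cert><refid>5e0000000001b</refid><descr>vpn-server-1</descr><caref>5e0000000000a</caref></cert>
  <cert><refid>5e0000000002c</refid><descr>vpn-server-2</descr></cert>
  <cert><refid>5e0000000003d</refid><descr>user-alice</descr><caref>5d00000000fff</caref></cert>
</pfsense>"""

def audit_carefs(root):
    """Return (descr, refid, problem) for each cert not linked to a known CA."""
    ca_refids = {ca.findtext("refid") for ca in root.findall("ca")}
    findings = []
    for cert in root.findall("cert"):
        caref = (cert.findtext("caref") or "").strip()
        if not caref:
            problem = "missing caref"
        elif caref not in ca_refids:
            problem = "caref %s matches no CA refid" % caref
        else:
            continue  # linked to an existing CA entry
        findings.append((cert.findtext("descr"), cert.findtext("refid"), problem))
    return findings

def relink(root, cert_refids, ca_refid):
    """Set <caref> to ca_refid on the listed certs; returns how many changed.

    Only list certs already verified (by exporting and inspecting them)
    to be signed by that CA; this function does not check signatures.
    """
    if ca_refid not in {ca.findtext("refid") for ca in root.findall("ca")}:
        raise ValueError("no CA with refid %s" % ca_refid)
    changed = 0
    for cert in root.findall("cert"):
        if cert.findtext("refid") in cert_refids:
            node = cert.find("caref")
            if node is None:  # the case in this thread: tag absent
                node = ET.SubElement(cert, "caref")
            node.text = ca_refid
            changed += 1
    return changed

if __name__ == "__main__":
    root = ET.fromstring(SAMPLE)  # for a real backup: ET.parse(path).getroot()
    for descr, refid, problem in audit_carefs(root):
        print(descr, refid, problem)
```

A backup file contains the private keys of the CA and its certificates, so the edited copy needs the same handling as the keys themselves.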

