OpenVPN site-to-site server certificate verification failing when using an external PKI
-
I've run into an issue trying to configure peer-to-peer (SSL/TLS) when using pfSense as a subordinate CA to an ADCS (Active Directory) CA.
Are there any caveats or reasons why using an external root CA doesn't work in this scenario?
- ADCS CA is created
- ADCS creates a subordinate CA; the CA cert & key are imported into pfSense at site A.
- Site A creates a server cert signed by the above CA and uses it on an OpenVPN peer server.
When trying to connect, the client pfSense at site B always fails to connect with a TLS Authentication Error. From the logs:
VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=… OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
The issue seems to be the same with any of the processes below:
- Site B imports the ADCS CA and the pfSense subordinate CA from site A separately
- Site B imports the ADCS CA and the pfSense subordinate CA as a chain
- A user cert (signed by the CA) is generated at site A, exported, and imported into site B.
- A CSR for a user cert is generated at site B and signed at site A.
- The tunnel uses the ADCS CA as the peer certificate authority
- The tunnel uses the pfSense subordinate CA as the peer cert authority.
I instead exported the internal self-signed CA from site A, created a user cert, and imported the CA and cert into site B, and it works. After some searching it seems that others have had the same issue.
This is the guide I've been using. I have a lot of experience already configuring shared-key site tunnels and OpenVPN remote access servers; just peer-to-peer with PKI is new to me.
https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/configuring-a-site-to-site-pki-ssl-openvpn-instance.html
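Added example, not code from the post above and not part of pfSense or OpenVPN: a throwaway root -> subordinate -> server chain built with openssl so the chain-verification errors can be reproduced outside the tunnel. All CA and host names are made up. OpenVPN's client-side verification is OpenSSL's normal X.509 chain building: the client must be able to walk from the server certificate up to a self-signed root that is in its --ca bundle, using any extra certificates the server sends as untrusted intermediates. "error 19, self signed certificate in certificate chain" is what OpenSSL reports when that walk reaches a self-signed certificate that is not in the trusted bundle, and the depth is how far above the server certificate it got; the last case below reproduces that text at depth 1. The other cases show a bundle with only the root (server sends no intermediate), only the intermediate (no self-signed anchor, so not accepted without partial-chain verification), and the wrong root.

```shell
#!/bin/sh
# Added example, not code from the original post or from pfSense/OpenVPN.
# Builds a throwaway root -> subordinate -> server chain with openssl
# (all names are made up) and checks the server certificate against
# different trust bundles, reproducing the chain errors OpenSSL reports.
set -eu

PKI_DIR=$(mktemp -d)
cd "$PKI_DIR"

# Extension files: one for CA certificates, one for the server leaf.
printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' \
    'subjectKeyIdentifier=hash' > ca.ext
printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth' \
    'subjectKeyIdentifier=hash' > server.ext

# new_key_and_csr NAME SUBJECT: fresh RSA key plus a CSR for it.
new_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
}

# build_pki: self-signed root (plays the ADCS root), subordinate CA signed
# by it (plays the CA imported into pfSense at site A), a server cert signed
# by the subordinate, plus an unrelated self-signed CA with its own server
# cert to show what a wrong or self-signed issuer looks like to a client.
build_pki() {
    new_key_and_csr root '/CN=Example ADCS Root CA'
    openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
        -extfile ca.ext -out root.crt 2>/dev/null
    new_key_and_csr sub '/CN=Example pfSense Subordinate CA'
    openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 30 -sha256 -extfile ca.ext -out sub.crt 2>/dev/null
    new_key_and_csr server '/CN=vpn-site-a.example'
    openssl x509 -req -in server.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
        -days 30 -sha256 -extfile server.ext -out server.crt 2>/dev/null
    new_key_and_csr other-root '/CN=Unrelated Self-Signed CA'
    openssl x509 -req -in other-root.csr -signkey other-root.key -days 30 -sha256 \
        -extfile ca.ext -out other-root.crt 2>/dev/null
    new_key_and_csr server-other '/CN=vpn-site-a.example'
    openssl x509 -req -in server-other.csr -CA other-root.crt -CAkey other-root.key \
        -CAcreateserial -days 30 -sha256 -extfile server.ext -out server-other.crt 2>/dev/null
    # The bundle a client needs when the server sends only its own certificate.
    cat root.crt sub.crt > chain.crt
}

# verify_cert LEAF TRUST [UNTRUSTED]: verify LEAF against the TRUST bundle,
# with UNTRUSTED standing in for the extra certificates a TLS server sends
# in its chain. Prints "ok" or OpenSSL's first "error N at D depth" line.
# -no-CApath keeps the system CA directory out of the picture.
verify_cert() {
    leaf=$1; trust=$2; untrusted=${3:-}
    if [ -n "$untrusted" ]; then
        out=$(openssl verify -no-CApath -CAfile "$trust" -untrusted "$untrusted" "$leaf" 2>&1) || true
    else
        out=$(openssl verify -no-CApath -CAfile "$trust" "$leaf" 2>&1) || true
    fi
    case "$out" in
        *": OK"*) echo ok ;;
        *) printf '%s\n' "$out" | grep 'error' | head -n 1 ;;
    esac
}

build_pki
printf 'root+sub bundle, server sends leaf only: %s\n' "$(verify_cert server.crt chain.crt)"
printf 'root only, server sends sub too:         %s\n' "$(verify_cert server.crt root.crt sub.crt)"
printf 'root only, server sends leaf only:       %s\n' "$(verify_cert server.crt root.crt)"
printf 'sub only as trust anchor:                %s\n' "$(verify_cert server.crt sub.crt)"
printf 'wrong root, server sends full chain:     %s\n' "$(verify_cert server.crt other-root.crt chain.crt)"
printf 'leaf issued by untrusted self-signed CA: %s\n' "$(verify_cert server-other.crt root.crt other-root.crt)"
```

The same check can be run against the real certificates exported from pfSense: put the CA bundle used on the tunnel in place of the trust file, the server certificate in place of the leaf, and any intermediate the server is expected to send as the untrusted file. Whichever combination returns OK is the one the peer's CA setting has to match, and the depth in the error line says which certificate in the chain the client could not link to the bundle.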