Netgate Discussion Forum
    Multiple OpenVPN servers and CA/certificate problems

    4 Posts 2 Posters 927 Views
    H4537H
      last edited by H4537H

      Hi.
      I'm in the process of upgrading a customer from an old version of pfSense with multiple OpenVPN servers. I have been able to do the upgrade from 2.0 to 2.3.5 and finally to 2.4.5p1. Having some initial problems with the OpenVPN servers (three in total), I decided to delete all OpenVPN servers, all certificates and all CAs, then import the certs and create new OpenVPN servers. The issue I'm seeing is that two of the three VPN servers are refusing to start, throwing the following error: "Cannot load CA certificate file /var/etc/openvpn/server2.ca (entry 2 did not validate)"

      I have old CAs and certificates that I have imported (ca.crt, server.crt and server.key). Looking at the Certificate manager I see the following in CAs
      Certificate Manager - CAs
      And the Certificates look like this:
      Certificate Manager - Certificates

      The problem is that the latest configured OpenVPN server is working (server3).

      If I look at the files generated under /var/etc/openvpn, I notice that all the *.cert and *.key files are correct, but only one of the three *.ca files is. server3.ca, which is the last imported CA, is correct, but the two previously imported CAs include both the original CA plus the CA of server3 (basically this means that the two non-working OpenVPN servers have CA files with multiple certificates, which correlates with what we are seeing in the Certificate Manager under CAs). To sum up:

      • CA for server 1 includes CA for server 1 and server 3
      • CA for server 2 includes CA for server 2 and server 3
      • CA for server 3 includes CA for only server 3 (listed as self-signed)

      What am I doing wrong? (or is this some kind of bug?) The triple OpenVPN setup was originally working with pfSense 2.0.

      Thanks in advance.

      jimp (Rebel Alliance Developer, Netgate)
        last edited by

        You probably didn't give them unique enough subject lines, so it got confused about who signed what. There isn't enough detail to say anything more than that.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        H4537H
          last edited by

          Thanks for the update @jimp
          Seems like the subject lines might be the same for all three servers.

          Any way to tell pfSense which keys are related to which CA?
          There are three different sets of keys.

          Best regards

          jimp (Rebel Alliance Developer, Netgate)
            last edited by

            You are better off making a fresh set with unique subjects. Trying to use them when they overlap in that way is going to lead to nothing but confusion down the road.


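The two replies above say that CAs with identical subjects make it ambiguous "who signed what" and that a fresh set with unique subjects is the fix. The script below is an added example, not code from the thread or from pfSense, that makes the problem visible with nothing but openssl(1): it builds three self-signed CAs (two deliberately sharing a subject, as in the original post), lists duplicate subjects across a set of CA files, and shows how issuer lookup by subject DN returns two candidates for the overlapping pair and exactly one after the third CA is regenerated with a unique subject. All file names and subjects are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from pfSense): detect CA certificates
# that share a subject DN and show why that breaks issuer lookup.
# Requires only openssl(1); every file name and subject below is constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA: $1 = file prefix under $WORK, $2 = subject DN.
make_ca() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "$2" -days 365 -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Print subject DNs that occur on more than one of the given certificate files.
# Any output means two CAs are indistinguishable by subject.
duplicate_subjects() {
    for f in "$@"; do openssl x509 -in "$f" -noout -subject; done | sort | uniq -d
}

# Print which of the files $2..$N has a subject matching the issuer of cert $1.
# This mimics a chain builder that locates an issuer by DN (compared via the
# canonical subject/issuer hash). A self-signed CA should match only itself.
issuer_candidates() {
    cert=$1; shift
    want=$(openssl x509 -in "$cert" -noout -issuer_hash)
    for f in "$@"; do
        [ "$(openssl x509 -in "$f" -noout -subject_hash)" = "$want" ] && echo "$f"
    done
    return 0
}

# Constructed sample: ca1 and ca3 reuse the same subject, ca2 is unique.
make_ca ca1 "/CN=OpenVPN CA"
make_ca ca2 "/CN=OpenVPN CA 2"
make_ca ca3 "/CN=OpenVPN CA"

echo "Subjects used by more than one CA:"
duplicate_subjects "$WORK"/ca?.crt

echo "Files whose subject matches the issuer of ca1.crt (expect ambiguity):"
issuer_candidates "$WORK/ca1.crt" "$WORK"/ca?.crt

# The fix from the thread: regenerate the overlapping CA with a unique subject.
make_ca ca3fixed "/CN=OpenVPN CA 3"
echo "Same lookup after ca3 is regenerated with a unique subject:"
issuer_candidates "$WORK/ca1.crt" "$WORK/ca1.crt" "$WORK/ca2.crt" "$WORK/ca3fixed.crt"
```

Run it as-is to see the ambiguous lookup, or point `duplicate_subjects` at the CA entries exported from the Certificate Manager before creating the OpenVPN servers; an empty result means every CA can be told apart by subject.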
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.