Multiple OpenVPN servers and CA/certificate problems



  • Hi.
    I'm in the process of upgrading a customer from an old version of pfsense and with multiple OpenVPN servers. I have been able to do the upgrade from 2.0 to 2.3.5 and finally to 2.4.5p1. Having some initial problems with the OpenVPN servers (three in total) I decided to delete all OpenVPN servers, all Certificates all CAs and import certs and create new OpenVPN servers. The issue I'm seeing is that the two of three VPN servers are refusing to start throwing the following error "Cannot load CA certificate file /var/etc/openvpn/server2.ca (entry 2 did not validate)"

    I have old CAs and certificates that I have imported (ca.crt, server.crt and server.key). Looking at the Certificate manager I see the following in CAs
    Certificate Manager - CAs
    And the Certificates look like this:
    Certificate Manager - Certificates

    The problem is that the latest configured OpenVPN server is working (server3).

    If I look at the files generated under: /var/etc/openvpn I notice that the all the *.cert and *.key files are correct, but only one of the three *.ca files. server3.ca which is the last imported CA is correct, but the two previous imported CAs include both the original CA plus the CA of server3. (basically means that the two non working OpenVPN servers hace CA files with multiple certificated which corrolates with what we are seeing in the Certificate Manager under CAs. To sum up:

    • CA for server 1 includes CA for server 1 and server 3
    • CA for server 2 includes CA for server 2 and server 3
    • CA for server 3 includes CA for only server 3 (listed as self-signed)

    What am I doing wrong? (or is this some kind of bug?) The triple OpenVPN setup was originally working with pfSense 2.0.

    Thanks in advance.


  • Rebel Alliance Developer Netgate

    You probably didn't give them unique enough subject lines, so it got confused about who signed what. There isn't enough detail to say anything more than that.



  • Thanks for the update @jimp
    Seems like the subject lines might be the same for all three servers.

    Any way to tell pfSense what keys is related to what CA?
    There are three different sets of keys.

    Best regards


  • Rebel Alliance Developer Netgate

    You are better off making a fresh set with unique subjects. Trying to use them when they overlap in that way is going to lead to nothing but confusion down the road.


Log in to reply