Netgate Discussion Forum

Multiple OpenVPN servers and CA/certificate problems

OpenVPN
4 Posts 2 Posters 940 Views
  • H4537H
    last edited by H4537H Jun 11, 2020, 8:02 PM

    Hi.
    I'm in the process of upgrading a customer from an old version of pfSense with multiple OpenVPN servers. I have been able to do the upgrade from 2.0 to 2.3.5 and finally to 2.4.5p1. Having some initial problems with the OpenVPN servers (three in total), I decided to delete all OpenVPN servers, all certificates and all CAs, import the certs and create new OpenVPN servers. The issue I'm seeing is that two of the three VPN servers are refusing to start, throwing the following error: "Cannot load CA certificate file /var/etc/openvpn/server2.ca (entry 2 did not validate)".

    I have old CAs and certificates that I have imported (ca.crt, server.crt and server.key). Looking at the Certificate manager I see the following in CAs
    Certificate Manager - CAs
    And the Certificates look like this:
    Certificate Manager - Certificates

    The problem is that the latest configured OpenVPN server is working (server3).

    If I look at the files generated under /var/etc/openvpn, I notice that all the *.cert and *.key files are correct, but only one of the three *.ca files is. server3.ca, which is the last imported CA, is correct, but the two previously imported CAs include both the original CA plus the CA of server3. (Basically this means that the two non-working OpenVPN servers have CA files with multiple certificates, which correlates with what we are seeing in the Certificate Manager under CAs.) To sum up:

    • CA for server 1 includes CA for server 1 and server 3
    • CA for server 2 includes CA for server 2 and server 3
    • CA for server 3 includes CA for only server 3 (listed as self-signed)

    What am I doing wrong? (or is this some kind of bug?) The triple OpenVPN setup was originally working with pfSense 2.0.

    Thanks in advance.

    • jimp Rebel Alliance Developer Netgate
      last edited by Jun 15, 2020, 7:20 PM

      You probably didn't give them unique enough subject lines, so it got confused about who signed what. There isn't enough detail to say anything more than that.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      • H4537H
        last edited by Jun 15, 2020, 8:17 PM

        Thanks for the update @jimp
        Seems like the subject lines might be the same for all three servers.

        Any way to tell pfSense which keys are related to which CA?
        There are three different sets of keys.

        Best regards

        • jimp Rebel Alliance Developer Netgate
          last edited by Jun 16, 2020, 12:28 PM

          You are better off making a fresh set with unique subjects. Trying to use them when they overlap in that way is going to lead to nothing but confusion down the road.

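As an added example (not from this thread, and not pfSense's own code), the following POSIX shell script reproduces the behaviour described in the posts with a simplified model of a CA store that links each CA to its issuer by subject name, and adds the pre-import check a practitioner would want: listing subjects shared by more than one CA file. It assumes `openssl` is on PATH; the CAs it generates are constructed test data, and the linking rule it models (an earlier CA is re-pointed at any later import whose subject equals its issuer) is an assumption drawn from the symptoms above, not a reading of pfSense's source.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense. Models the failure described
# above: a store that links CAs to issuers by SUBJECT NAME re-points earlier CAs at
# any later import whose subject equals their issuer, so self-signed CAs with the
# same subject get bundled together. Assumes openssl on PATH; certs are test data.
set -eu
WORK=$(mktemp -d)

# make_ca STEM SUBJECT : constructed self-signed test CA under $WORK
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# chain_by_name STEM CAS_IN_IMPORT_ORDER... : write $WORK/STEM.ca as a name-based
# linker would (simplified model): the CA itself, then the LAST CA imported after
# it whose subject equals its issuer. Prints the number of entries in the bundle.
chain_by_name() {
    stem=$1; shift
    issuer=$(openssl x509 -noout -issuer -in "$WORK/$stem.crt"); issuer=${issuer#issuer=}
    parent=""; seen=0
    for other in "$@"; do
        if [ "$other" = "$stem" ]; then seen=1; continue; fi
        [ "$seen" -eq 1 ] || continue
        subj=$(openssl x509 -noout -subject -in "$WORK/$other.crt"); subj=${subj#subject=}
        if [ "$subj" = "$issuer" ]; then parent=$other; fi
    done
    cat "$WORK/$stem.crt" >"$WORK/$stem.ca"
    if [ -n "$parent" ]; then cat "$WORK/$parent.crt" >>"$WORK/$stem.ca"; fi
    grep -c 'BEGIN CERTIFICATE' "$WORK/$stem.ca"
}

# dup_subjects STEM... : pre-import check; prints each subject shared by more than
# one CA file. Any output means a name-based linker will mis-chain these CAs.
dup_subjects() {
    for s in "$@"; do openssl x509 -noout -subject -in "$WORK/$s.crt"; done | sort | uniq -d
}

# Demo: three CAs sharing one subject (the thread's setup) vs. unique subjects.
for n in 1 2 3; do
    make_ca "s$n" '/CN=OpenVPN CA'
    make_ca "u$n" "/CN=OpenVPN CA server$n"
done
echo "shared subject : s1.ca=$(chain_by_name s1 s1 s2 s3) s2.ca=$(chain_by_name s2 s1 s2 s3) s3.ca=$(chain_by_name s3 s1 s2 s3) entries"
echo "unique subjects: u1.ca=$(chain_by_name u1 u1 u2 u3) u2.ca=$(chain_by_name u2 u1 u2 u3) u3.ca=$(chain_by_name u3 u1 u2 u3) entries"
echo "duplicate subjects: $(dup_subjects s1 s2 s3 | wc -l) in shared set, $(dup_subjects u1 u2 u3 | wc -l) in unique set"
```

With the shared subject, server1.ca and server2.ca each carry two certificates while server3.ca carries one, matching the thread; with unique subjects every bundle holds exactly its own CA.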