Netgate Discussion Forum

Client Export fails after upgrade to 2.5.2 / 2.6

OpenVPN
23 Posts 7 Posters 3.7k Views
  • K
    kitdavis
    last edited by May 1, 2022, 3:19 PM

    I have a number of pfSense firewalls running at a number of different clients. I use OpenVPN for admin work when I am remote (and IPsec from my office). The OpenVPN servers were created years ago and have worked through many upgrades to pfSense. Recently I needed to add a client to one of the servers and discovered that when I try to use the client export I get the following error: "A private key cannot be empty if PKCS#11 or Microsoft Certificate Storage is not used." I have two firewalls that are still at 2.4.4p3 and the client export works without a problem. I have searched the forum and other sources and I cannot find any information on where the private key is stored/created. I completely removed the OpenVPN configuration on one firewall, including the CA and related certificates, ran the OpenVPN wizard accepting the default values and get the same error when trying to export the client configuration - I have checked the system logs and can find no associated error. I am sure I am missing something simple; is there some documentation that deals with this error?

    • K
      kitdavis @kitdavis
      last edited by kitdavis May 2, 2022, 2:23 PM May 2, 2022, 2:22 PM

      I deleted all of the OpenVPN settings, rules, CA and certificates, backed up my office firewall, reinstalled 2.6 and then used the wizard to create a new OpenVPN server along with new certificates etc. I created a new user, and the client export again fails with the exact same message. I question if the client export tool works for any 2.6 installation. I have a simple installation at a remote site. When I am next there I am going to do a "from scratch" installation and see if the client export tool works with a completely new installation.

      • K
        kitdavis @kitdavis
        last edited by May 2, 2022, 5:50 PM

        The problem with Client Export only occurs when the server mode is set to: Remote Access (SSL/TLS + User Auth). If the mode is set to Remote Access (SSL/TLS) or Remote Access (User Auth) then the client export works, but the resulting configuration cannot be used to connect via OpenVPN.

        • S
          sgw @kitdavis
          last edited by sgw Jun 13, 2022, 1:18 PM Jun 13, 2022, 1:18 PM

          I also see this issue and would like to learn about a solution.
          We use our own server certificate etc and need to have a working config for the clients (we combine LDAP auth plus server/client TLS checking). We run 22.01.

          • S
            sgw @sgw
            last edited by sgw Jun 13, 2022, 1:45 PM Jun 13, 2022, 1:45 PM

            This is this issue, right?

            • S
              sgw @kitdavis
              last edited by Jun 13, 2022, 2:09 PM

              @kitdavis said in Client Export fails after upgrade to 2.5.2 / 2.6:

              The problem with Client Export only occurs when the server mode is set to: Remote Access (SSL/TLS + User Auth). If the mode is set to Remote Access (SSL/TLS) or Remote Access (User Auth) then the client export works, but the resulting configuration cannot be used to connect via OpenVPN.

              @kitdavis did you find a workaround? Could you share a client config example?

              • K
                kitdavis @sgw
                last edited by Jun 13, 2022, 3:07 PM

                @sgw Yes, or at least related to it.

                • K
                  kitdavis @sgw
                  last edited by Jun 13, 2022, 3:17 PM

                  @sgw Actually, I misspoke in my earlier comment - the Remote Access (SSL/TLS) export does work if the server is likewise configured. I originally tried to generate the Remote Access (SSL/TLS) client and use that to connect to the original server configuration (Remote Access (SSL/TLS + User Auth)). It doesn't work, and obviously shouldn't. Likewise, changing the server mode to just RA (SSL/TLS) and using the original client configurations also doesn't work. Setting the server mode to just RA (SSL/TLS) does work with the clients that have been exported with the same mode. My problem, like I am sure others have, is that I have dozens of remote clients that use OpenVPN to connect and I don't want to go through the process of walking 30 or 40 users through the process to upgrade their client.

                  • S
                    sgw @kitdavis
                    last edited by Jun 13, 2022, 6:13 PM

                    @kitdavis could you explain why "(SSL/TLS + User Auth)" should not work? Why does that option exist then? Maybe I misunderstand.

                    What we would like to have: client certs plus user authentication. The certs come from the company's CA, not from an internal pfsense CA. We would also like to avoid having to import dozens of client certs or something.

                    • K
                      kitdavis @sgw
                      last edited by Jun 13, 2022, 6:27 PM

                      @sgw Sorry for the confusion - I meant that having the server in one mode (RA (SSL/TLS + User Auth)) and the client exported in a different mode (RA (SSL/TLS)) doesn't work. I too want to utilize the client authorization as well.

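To make the mode mismatch in the exchange above concrete, here is an added example (not code from pfSense or the openvpn-client-export package) that reads an exported client profile, names the server mode its contents fit, and reports a missing or empty <key> block, the condition behind the "private key cannot be empty" error. The profile text, PEM bodies and the hostname vpn.example.invalid are constructed placeholders.

```python
"""Classify an exported OpenVPN client profile and flag an empty private key.
Added example for this thread, not code from pfSense or openvpn-client-export.
Sample profile text is constructed, with placeholder PEM bodies."""
import re

# Inline blocks: <ca> ... </ca>, <cert> ... </cert>, <key> ... </key>.
INLINE_BLOCK = re.compile(r"<(?P<tag>[a-z-]+)>\s*(?P<body>.*?)\s*</(?P=tag)>", re.S)


def parse_profile(text):
    """Split a profile into bare directive names and its inline PEM blocks."""
    blocks = {m.group("tag"): m.group("body") for m in INLINE_BLOCK.finditer(text)}
    directives = set()
    for line in INLINE_BLOCK.sub("", text).splitlines():
        line = line.strip()
        if line and not line.startswith(("#", ";")):
            directives.add(line.split()[0])
    return directives, blocks


def server_mode(text):
    """Name the pfSense server mode a profile is built for (client cert, username, or both)."""
    directives, blocks = parse_profile(text)
    has_cert, has_user = "cert" in blocks, "auth-user-pass" in directives
    if has_cert and has_user:
        return "Remote Access (SSL/TLS + User Auth)"
    if has_cert:
        return "Remote Access (SSL/TLS)"
    return "Remote Access (User Auth)" if has_user else "unknown"


def profile_problems(text):
    """List findings; an empty list means the profile carries what its mode needs."""
    _, blocks = parse_profile(text)
    problems = []
    if "-----BEGIN" not in blocks.get("ca", ""):
        problems.append("missing or empty <ca> block")
    if "cert" in blocks and "-----BEGIN" not in blocks.get("key", ""):
        problems.append("<cert> present but <key> is missing or empty")
    return problems


def pem(kind):
    """Constructed placeholder PEM body, not a real certificate or key."""
    return f"-----BEGIN {kind}-----\nPLACEHOLDER\n-----END {kind}-----"


# Constructed sample in the SSL/TLS + User Auth layout (cert, key and username prompt).
SAMPLE_FULL = (
    "client\ndev tun\nremote vpn.example.invalid 1194 udp\nauth-user-pass\n"
    f"<ca>\n{pem('CERTIFICATE')}\n</ca>\n<cert>\n{pem('CERTIFICATE')}\n</cert>\n"
    f"<key>\n{pem('PRIVATE KEY')}\n</key>\n"
)
```

Run server_mode() on the profile you hand a user and compare the result with the server's configured mode before troubleshooting the connection itself.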
                      • S
                        sgw @kitdavis
                        last edited by Jun 14, 2022, 4:41 AM

                        @kitdavis How would you get the different mode? I don't see the choice to set something like "SSL/TLS + User Auth" (or else) in "Client Export".

                        • D
                          Dave Street @sgw
                          last edited by Aug 15, 2022, 11:03 PM

                          @sgw are there any updates on this yet? I have 2 new users I need to add but am unable to export. I, like others on here, don't want to go through having to redo 30 users just to add 2 :(

                          • S
                            sgw @Dave Street
                            last edited by Aug 22, 2022, 12:33 PM

                            @dave-street unsure what to reply. I have pfsense and OpenVPN authenticated against 2 LDAP backends now. Seems to work although the customer hasn't tested much yet. I can use my tunnel fine, using a user in LDAP.

                            Do you need a config snippet? or ... ?

                            • D
                              Dave Street @sgw
                              last edited by Aug 22, 2022, 3:00 PM

                              @sgw I guess I have the same config as @kitdavis: Server Mode is Remote Access (SSL/TLS + User Auth). I suspect that if, as others have stated, I change the Server Mode to Remote Access (SSL/TLS) the export will then work, but I will have to re-export all my other users. I was hoping not to have to do this. Thanks,

                              • D
                                Dave Street @Dave Street
                                last edited by Oct 31, 2022, 6:18 PM

                                I'm still having this issue and was hoping somebody has come up with a fix. I try to export a new user and this is the error I get:
                                A private key cannot be empty if PKCS#11 or Microsoft Certificate Storage is not used.
                                Failed to export config files!

                                I get the same error if I try to export from an older user or anything, for example "config file only". I'm going to have to change the server mode to SSL/TLS, but will I get to see which clients are connected if I do this? I have pfSense and OpenVPN authenticated against the local database. All prior users are working fine; I just cannot export new or even current users since the upgrade to 2.6.

                                • R
                                  rcoleman-netgate Netgate @Dave Street
                                  last edited by Oct 31, 2022, 7:49 PM

                                  @dave-street have you checked your OVPN server's SSL cert to make sure there's a PEM value?

                                  Ryan
                                  Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
                                  Requesting firmware for your Netgate device? https://go.netgate.com
                                  Switching: Mikrotik, Netgear, Extreme
                                  Wireless: Aruba, Ubiquiti

                                  • D
                                    Dave Street @rcoleman-netgate
                                    last edited by Dave Street Oct 31, 2022, 10:10 PM Oct 31, 2022, 10:02 PM

                                    @rcoleman-netgate Yes, there is an X.509 PEM; certificate and private key data are both filled in.

                                    • P
                                      professor
                                      last edited by professor Nov 3, 2022, 10:00 AM Nov 3, 2022, 9:52 AM

                                      In my case it looks like the problem is version 1.6_5.

                                      I am currently testing multiple setups. Both are running 2.6.0, but the last system I set up is running 1.6_5, and here I get the same error as you do.

                                      The following input errors were detected:

                                      A private key cannot be empty if PKCS#11 or Microsoft Certificate Storage is not used.
                                      Failed to export config files!
                                      

                                      The working system runs 1.6_4 of openvpn-client-export. Here it works just fine.

                                      • P
                                        professor
                                        last edited by Nov 3, 2022, 10:05 AM

                                        Just upgraded the working system to 1.6_5, and guess what:

                                         [screenshot attachment: image not included]

                                        • N
                                          NilsonFarias @professor
                                          last edited by Nov 3, 2022, 12:01 PM

                                          @professor The same happened to me! Do we already have a solution?

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.