OpenVPN users don't show up for export in 2.0.1

  • When using the Client Export Utility, no users show up. This is a fresh 2.0.1 NetGate box. I created a CA, set that CA as the CA for the OpenVPN utility (CA was created using OpenVPN Wizard). I edited the "admin" user and checked the "Create a certificate" box and set common name to "admin" and days to 1095, and saved. No client certificate is generated.

    So I generated a new certificate manually (from Cert Manager) from the CA I created with the same details. The certificate shows up in Cert Manager but the Users download area is still blank for the OpenVPN Client Export page.

    I've done this on like 20 pfSense installations before, I've double-checked everything, so unless I'm blind or my brain is scrambled (I got a good night's sleep last night though :-) there seems to be a bug in the 2.0.1 certificate/OpenVPN Client Export code, possibly related to the certificate checking changes in the 2.0.1 update? Or something else, but it's not working! Any thoughts?

  • OK nevermind. I had a second OpenVPN tunnel set up (site to site) and I changed that to Shared Key and all of a sudden things started working. Must have been a conflict between the two tunnels' configurations (one remote worker and one site-to-site). Still possibly a bug (at least that it allows the config of two tunnels that doesn't work properly, with no warnings) but it's not preventing what I'm trying to do now :-)

  • OK nevermind, bug is back :-) But a little different:

    If I set the OpenVPN tunnel to Remote Access (SSL/TLS) then I get the download in Client Export, and it works, but doesn't prompt for a username/password (correct).
    If I set the OpenVPn tunnel to Remote Access (SSL/TLS + User Auth) then I get NO usernames listed to download. However, I assume this is related to not being able to generate a certificate for the user from User Manager, and the manually-generated one (even with the same CN as the username) is not being linked to the user, so it's not showing any certificates available. Any ideas why I can't auto-generate a User certificate from User Manager?

  • OK one more update. If I create a NEW user, not named admin, I can generate a user certificate (at least as part of the new user creation process) just fine, and it works. If I edit the admin user, and click the Generate certificate box and fill out the details, NO certificate is generated or linked to the user.

  • Rebel Alliance Developer Netgate

    I'm not sure making an admin cert has never been supported, probably a way of actively discouraging using the firewall administrator's credentials for anything other than the firewall…

  • I don't know that I've ever noticed it not working before, but it failing silently is a bug. Either the UI should not let me try and generate an admin cert, or it should return a warning, or something. When it works perfectly except nothing happens, you get forum posts like this and I waste 30+ minutes trying to figure it out :-)

  • Rebel Alliance Developer Netgate

    Actually it looks like this was a simple case of an incorrect variable test. It was testing if ($var) which was failing because the uid was 0, when it should have been checking with isset() or is_numeric.

    It's fixed now, and the same bug was also keeping it from showing admin's effective permissions so that's fixed too.

  • Awesome, I feel useful again! :-) Thank you. That was easy enough I should have dug into the code and submitted a patch to say I've actually done dev work :-)

Log in to reply