Netgate Discussion Forum
    Logs Filling with openvpn: Found certificate…

    OpenVPN
    6 Posts 3 Posters 2.5k Views
    • I
      ieatfish
      last edited by

      In our OpenVPN section of the system logs, the message:

      openvpn: Found certificate /C=US/ST=***/L=***/O=***/emailAddress=IT@virticus.com***/CN=openvpn-ca with depth 1
      

      or one similar for our other certificates is appearing every 5-10 minutes. I don't recall this happening before the update we did last week to 2.0.1. Anyone know what would cause this?

      • H
        heper
        last edited by

        Does it have something to do with this?

        Improved certificate handling in OpenVPN to restrict certificate chaining to a specified depth – CVE-2011-4197

        Notes for certificate generation vulnerability
        Certificates generated with the built-in certificate manager in all 2.0 versions prior to 2.0.1 are excessively permissive for non-CA certificates. These certificates can be used as a certificate authority, meaning a user can use their own certificate to create chained certificates. We have defaulted OpenVPN on 2.0.1 and newer versions to not accept chained certificates, which mitigates this. However, if untrusted users have certificates generated from 2.0 release, we suggest re-generating all your certificates and issuing new ones. Certificates generated by easy-rsa and imported into 2.0 are not affected.

        see release notes if this seems related

        • I
          ieatfish
          last edited by

          Ah, I think that was it. I found a setting in the OpenVPN server settings called Certificate Depth. With that set to Do Not Check, those log entries have stopped appearing.

          • jimpJ
            jimp Rebel Alliance Developer Netgate
            last edited by

            Actually that message is a bit of debug info that was left in there by accident. If you edit /etc/inc/openvpn.tls-verify.php and remove or comment out the line that prints that message, it will go away. It's harmless, but if you have a very busy server I could see it being annoying.

            https://github.com/bsdperimeter/pfsense/commit/aa291f197a71383b41ed2b54cc5177d143e70ab2

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

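The two points raised above (the 2.0.1 release note restricting certificate chain depth, and jimp's explanation that the "Found certificate ... with depth N" line is leftover debug output from the tls-verify hook) are easiest to see in a small hook of one's own. The following is an added, illustrative OpenVPN `--tls-verify` hook written for this thread; it is not pfSense's `/etc/inc/openvpn.tls-verify.php` and does not reproduce its code. It relies only on the documented hook contract: OpenVPN runs the command once per certificate in the peer's chain with two arguments, the depth (0 is the peer's own certificate, 1 its issuer, and so on) and the X.509 subject string, and a non-zero exit rejects the certificate. The environment variable names, the default maximum depth and the sample subjects are constructed for the example.

```python
#!/usr/bin/env python3
"""Illustrative OpenVPN --tls-verify hook that enforces a maximum chain depth.

Added example for this thread; not pfSense's openvpn.tls-verify.php.
OpenVPN calls the hook once per certificate in the peer's chain with
<depth> <subject>; exit 0 accepts, non-zero rejects and aborts the handshake.
"""
import os
import sys

# Assumed default: accept the peer certificate (depth 0) and the CA that
# issued it (depth 1), which blocks a client certificate being used as an
# issuer for further certificates (the chaining problem in the release note).
DEFAULT_MAX_DEPTH = 1

# Constructed sample chain, modelled on the subject in the log line from the
# thread with placeholder values; a real hook receives one pair per invocation.
CONSTRUCTED_CHAIN = [
    (1, "/C=US/ST=XX/L=City/O=Example/CN=openvpn-ca"),
    (0, "/C=US/ST=XX/L=City/O=Example/CN=client1"),
]


def verify(depth: int, subject: str, max_depth: int = DEFAULT_MAX_DEPTH,
           debug: bool = False) -> bool:
    """Return True to accept the certificate at this depth, False to reject it."""
    if depth < 0:
        return False
    if depth > max_depth:
        # A rejection is a security event and is worth logging unconditionally.
        print(f"openvpn: rejecting certificate {subject}: depth {depth} "
              f"exceeds maximum {max_depth}", file=sys.stderr)
        return False
    if debug:
        # This is the per-handshake chatter the thread is about. Keeping it
        # behind a debug switch avoids filling the system log on a busy server.
        print(f"openvpn: Found certificate {subject} with depth {depth}",
              file=sys.stderr)
    return True


def verify_chain(chain, max_depth: int = DEFAULT_MAX_DEPTH,
                 debug: bool = False) -> bool:
    """Apply verify() to each (depth, subject) pair, as OpenVPN would per handshake."""
    return all(verify(d, s, max_depth, debug) for d, s in chain)


def main(argv) -> int:
    """Entry point with OpenVPN's argument convention: <depth> <subject>."""
    if len(argv) != 3:
        print("usage: tls-verify.py <depth> <subject>", file=sys.stderr)
        return 2
    # Assumed environment variable names for this example only.
    max_depth = int(os.environ.get("EXAMPLE_MAX_CERT_DEPTH", DEFAULT_MAX_DEPTH))
    debug = os.environ.get("EXAMPLE_TLS_VERIFY_DEBUG") == "1"
    return 0 if verify(int(argv[1]), argv[2], max_depth, debug) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With `max_depth` set to 1, a chain whose peer certificate was issued by the trusted CA is accepted, while a certificate signed by something the CA signed (depth 2 from the peer's point of view) is refused and logged. The informational "Found certificate" line only appears when the debug switch is on, which is the separation between the security check and the noisy log line that the later replies in this thread describe.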
            • I
              ieatfish
              last edited by

              Oh, thanks. Will turning off the certificate check cause any issues down the road? I haven't noticed any problems and since the message is gone, I won't worry about it if it doesn't affect anything I care about.

              • jimpJ
                jimp Rebel Alliance Developer Netgate
                last edited by

                That commit didn't disable any checks; it just stops that line from logging.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.