Openvpn custom config + intermediate CAs: problem when config reloads
I struggled some days to get Openvpn working with intermediate CAs, with success, exept for the following problem.
These are the changes I made to make it work:
- modify the ca certificate into /var/etc/openvpn: the certificate must have the whole certificate chain
- modify the client file pkcs12 in order to have the root certificate and not the intermediate one
- modifiy depth of the chain allowed to 2
Unfortunately I noticed that after some time, openvpn restarted and re-applied its standard configuration taken from config.xml, re-changing the ca certificates and locking out every vpn user.
I digged into viconfig, but certificates are referenced in <caref>and <certref>with identifiers (hash?), so I am unable to modify directly the config content to set the right certificate. How can be added a path in <caref>?
Where are effective certificates stored? How config.xml can be modified to use a different certificate?
Thanks in advance,
indeed the link you sent me is one of the sources that I used to succeed in tuning openvpn with intermediate CAs,
but the problem I noticed remains (or maybe I missed something important from that post?).
How can I modify (manually, from shell) the openvpn configuration and then mantain those changes across reboots? How can I modify config.xml to use a specific certificate?
No idea. Re-reading the stale bug, I thought the best workaround was to upload both root and intermediate CA certs as one certificate in the Cert Manager, i.e.
<intermediate ca="" cert="" here="">-----END CERTIFICATE-----
<root ca="" cert="" here="">-----END CERTIFICATE-----</root></intermediate>
it succeeded: before I tried the same approach, but due to the concurrent presence of another problem (the missing change in depth, I suppose) I thought it was wrong… now it works.
Thanks a lot,