Openvpn custom config + intermediate CAs: problem when config reloads



  • Hi everybody.

    I struggled some days to get Openvpn working with intermediate CAs, with success, except for the following problem.

    These are the changes I made to make it work:

    • modify the ca certificate into /var/etc/openvpn: the certificate must have the whole certificate chain
    • modify the client file pkcs12 in order to have the root certificate and not the intermediate one
    • modify the depth of the chain allowed to 2

    Unfortunately I noticed that after some time, openvpn restarted and re-applied its standard configuration taken from config.xml, re-changing the ca certificates and locking out every vpn user.

    I dug into viconfig, but certificates are referenced in <caref> and <certref> with identifiers (hash?), so I am unable to directly modify the config content to set the right certificate. How can a path be added in <caref>?

    Where are the effective certificates stored? How can config.xml be modified to use a different certificate?

    Thanks in advance,

    Diego


  • Banned



  • Hi doktornotor,

    indeed the link you sent me is one of the sources that I used to succeed in tuning openvpn with intermediate CAs,
    but the problem I noticed remains (or maybe I missed something important from that post?).

    How can I modify (manually, from the shell) the openvpn configuration and then maintain those changes across reboots? How can I modify config.xml to use a specific certificate?

    Thanks,

    Diego


  • Banned

    No idea. Re-reading the stale bug, I thought the best workaround was to upload both root and intermediate CA certs as one certificate in the Cert Manager, i.e.

    -----BEGIN CERTIFICATE-----
    <intermediate CA cert here>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <root CA cert here>
    -----END CERTIFICATE-----



  • Hi doktornotor,

    it succeeded: before, I tried the same approach, but due to the concurrent presence of another problem (the missing change in depth, I suppose) I thought it was wrong… now it works.

    Thanks a lot,

    Diego

