OpenVPN CRL issuer error
Hi all, I have a pfSense 2.2.6 system successfully running a few site-to-site OpenVPN connections.
The setup uses a 2 tier PKI infrastructure as follows:
Root CA installed in cert manager
Intermediate CA signed by Root in cert manager
OpenVPN client certs signed from Intermediate CA
OpenVPN server cert signed from Intermediate CA
Cert manager created the CRLs for the Root and Intermediate CAs
The OpenVPN server has the Intermediate CA as the Peer CA and the Intermediate CA's CRL as the Peer CRL in the config.
The clients all have a full certificate chain installed
The VPN works fine but I get numerous logs complaining about:
openvpn: vpn-client-1/xx.xxx.xxx.xxx:xxxxx CRL: CRL /var/etc/openvpn/server3.crl-verify is from a different issuer than the issuer of certificate <...intermeidate CA...>
I can't quite figure out why I get this message? I've tried all possible combinations of CAs and CRLs in the Peer settings but no difference.
Any help greatly appreciated.