OpenVPN CRL issuer error



  • Hi all, I have a pfSense 2.2.6 system successfully running a few site-to-site OpenVPN connections.
    The setup uses a 2 tier PKI infrastructure as follows:

    • Root CA installed in cert manager

    • Intermediate CA signed by Root in cert manager

    • OpenVPN client certs signed from Intermediate CA

    • OpenVPN server cert signed from Intermediate CA

    • Cert manager created the CRLs for the Root and Intermediate CAs

    The OpenVPN server has the Intermediate CA as the Peer CA and the Intermediate CA's CRL as the Peer CRL in the config.
    The clients all have a full certificate chain installed

    The VPN works fine but I get numerous logs complaining about:

    openvpn[24740]: vpn-client-1/xx.xxx.xxx.xxx:xxxxx CRL: CRL /var/etc/openvpn/server3.crl-verify is from a different issuer than the issuer of certificate <...intermeidate CA...>
    

    I can't quite figure out why I get this message? I've tried all possible combinations of CAs and CRLs in the Peer settings but no difference.

    Any help greatly appreciated.


Log in to reply