
Bug #11557 (closed)

OpenVPN fails in tls-validate after upgrading to PfSense 2.5

Added by Fold right about 3 years ago. Updated about 3 years ago.

Status: Duplicate
Priority: Normal
Assignee: -
Category: OpenVPN
Target version: -
Start date: 02/26/2021
% Done: 0%
Affected Version: 2.5.0

Description

If the OpenVPN server is configured with a "Certificate Depth" higher than 1, /usr/local/sbin/ovpn_auth_verify will fail to verify the certificate. The for loop in the ovpn_auth_verify script:

    # Walk from the configured depth ($3) down to 0 and check each certificate's serial.
    for check_depth in $(/usr/bin/seq ${3} -1 0)
    do
        # OpenVPN exports tls_serial_<depth> for every certificate in the chain.
        eval serial="\$tls_serial_${check_depth}"
        # Ask the PHP verifier through fcgicli; RESULT is overwritten on every pass.
        RESULT=$(/usr/local/sbin/fcgicli -f /etc/inc/openvpn.tls-verify.php -d "servercn=$2&depth=$3&certdepth=$4&certsubject=$5&serial=$serial&config=$config")
    done

doesn't break on the first success (so if the depth is set to 3 it will still check depth 0).
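As an added example (not pfSense's own ovpn_auth_verify, and not code from the reporter), the following sh script reproduces the quoted loop shape against a stub verifier so the effect of the missing break can be observed offline. The serials, the stub_verify function and KNOWN_SERIAL are constructed assumptions standing in for the tls_serial_<depth> variables OpenVPN exports and for the fcgicli call to openvpn.tls-verify.php; the two check functions differ only in whether the loop stops at the first OK.

```sh
#!/bin/sh
# Added example: reproduces the loop pattern from the bug report against a
# stub verifier. All data below is constructed; nothing here is pfSense code.

# Constructed serials in the form OpenVPN exports them to --tls-verify scripts
# (tls_serial_<depth>): depth 2 = root CA, depth 1 = intermediate, depth 0 = leaf.
tls_serial_2="01"
tls_serial_1="1A2B"
tls_serial_0="FFEE"

# Hypothetical stand-in for "fcgicli -f /etc/inc/openvpn.tls-verify.php":
# it answers OK only for the one serial it knows and FAILED for anything else.
KNOWN_SERIAL="1A2B"
stub_verify() {
    if [ "$1" = "$KNOWN_SERIAL" ]; then
        echo "OK"
    else
        echo "FAILED"
    fi
}

# Same loop shape as the report: walk from the configured depth ($1) down to 0
# and let every iteration overwrite RESULT, so the caller only ever sees the
# depth-0 outcome even when a higher depth already answered OK.
check_chain_nobreak() {
    RESULT=""
    for check_depth in $(seq "$1" -1 0); do
        eval serial="\$tls_serial_${check_depth}"
        RESULT=$(stub_verify "$serial")
    done
    echo "$RESULT"
}

# Same loop, but stop at the first OK so a match at a higher depth is kept.
check_chain_break() {
    RESULT=""
    for check_depth in $(seq "$1" -1 0); do
        eval serial="\$tls_serial_${check_depth}"
        RESULT=$(stub_verify "$serial")
        if [ "$RESULT" = "OK" ]; then
            break
        fi
    done
    echo "$RESULT"
}

echo "depth 2, no break: $(check_chain_nobreak 2)"   # FAILED: depth 0 overwrote the OK from depth 1
echo "depth 2, break:    $(check_chain_break 2)"     # OK
echo "depth 0, break:    $(check_chain_break 0)"     # FAILED: the leaf serial is not the known one
```

With the recognized certificate sitting at depth 1, the no-break variant reports FAILED because the last pass (depth 0) replaces the earlier OK; the variant that stops at the first OK reports OK. Run it as a plain POSIX sh script; seq with a negative step is used the same way the quoted loop uses /usr/bin/seq.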

#1

Updated by Jim Pingle about 3 years ago

  • Status changed from New to Duplicate

Same root cause as #4521 (and a couple other similar issues that already exist)

#2

Updated by Fold right about 3 years ago

I had the error fixed by setting a fixed "Certificate Depth" (check_depth=2) instead of looping over the sequence. I kept the same CA and the same certificate, so I don't think the long certificate subject is the issue here.

#3

Updated by Jim Pingle about 3 years ago

It's not the cert subject per se but the underlying issue of the data from OpenVPN not passing through fcgicli to PHP, which is affecting both.
