Bug #11829: OpenVPN client certificate validation with OCSP always fails
Status: closed
Description
Establishing an OpenVPN tunnel will always fail if "Check client certificates with OCSP" is enabled.
OpenVPN calls the "ovpn_auth_verify" script for each certificate that requires validation, creating the variable "tls_serial_x", where x is the certificate number in the chain. However, validating the CA certificate fails because the serial number for that certificate is set as number 1 and number 0 is empty.
The script must check for an empty string and ignore it, as in the OpenVPN example script; validation must also happen inside the loop, and the loop must exit on the first failure. Here is an example of the code modified by me and tested in my environment:
```sh
# Loop header reconstructed here (not shown in the report); the starting
# depth is assumed to be the depth OpenVPN passes as $3, walking down to the
# leaf certificate at depth 0.
check_depth="$3"
while [ "$check_depth" -ge 0 ]; do
	eval serial="\$tls_serial_${check_depth}"
	# Ignore chain positions whose serial is empty instead of failing on them
	if [ -n "$serial" ]; then
		RESULT=$(/usr/local/bin/php-cgi -q /etc/inc/openvpn.tls-verify.php "servercn=$2&depth=$3&certdepth=$4&certsubject=$5&serial=$serial&config=$config")
		# Stop at the first certificate the OCSP check rejects
		if [ "${RESULT}" = "FAILED" ]; then
			exit 1
		fi
	fi
	check_depth=$((check_depth - 1))
done
```
In this case all the certificates in the chain are validated, an empty certificate serial number is ignored, and the result is 0 only if all checks succeed.
Note: This issue is the same as #11557 (https://redmine.pfsense.org/issues/11557#change-51674), which was marked as a duplicate; it is not one.
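As an added example (not from the bug report and not pfSense's own ovpn_auth_verify), the corrected per-certificate loop in isolation, with the php-cgi OCSP call replaced by a stand-in `ocsp_check` function that reports FAILED for any serial in a constructed `REVOKED_SERIALS` list. It reproduces the case from the report: an empty `tls_serial_0` beside a populated `tls_serial_1`.

```sh
#!/bin/sh
# Added example, not pfSense code. OpenVPN exports tls_serial_<n> for each
# certificate in the chain (n = 0 is the leaf, higher n = issuing CAs); a slot
# can be empty, e.g. tls_serial_0 while the CA at depth 1 is being verified.

# Stand-in for the php-cgi OCSP call: prints FAILED for any serial listed in
# REVOKED_SERIALS (a constructed, space-separated list), otherwise OK.
ocsp_check() {
    s="$1"
    for bad in $REVOKED_SERIALS; do
        [ "$s" = "$bad" ] && { echo "FAILED"; return; }
    done
    echo "OK"
}

# Walk the chain from the given depth down to 0, skipping empty serials and
# returning 1 at the first FAILED result; 0 means every present serial passed.
verify_chain() {
    check_depth="$1"
    while [ "$check_depth" -ge 0 ]; do
        eval serial="\$tls_serial_${check_depth}"
        if [ -n "$serial" ]; then
            RESULT=$(ocsp_check "$serial")
            if [ "${RESULT}" = "FAILED" ]; then
                return 1
            fi
        fi
        check_depth=$((check_depth - 1))
    done
    return 0
}

# Constructed scenario from the report: the CA at depth 1 has a serial, the
# leaf slot at depth 0 is empty. Without the -n check the empty serial was
# sent to the validator and the tunnel failed; with it, the slot is ignored.
REVOKED_SERIALS="0BAD"
tls_serial_0=""
tls_serial_1="1A2B"
if verify_chain 1; then echo "chain accepted"; else echo "chain rejected"; fi
```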