
Bug #2800

closed

OpenVPN doesn't work properly with intermediate/chained CAs

Added by Malte Stretz almost 12 years ago. Updated over 7 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: OpenVPN
Target version:
Start date: 02/07/2013
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: All
Affected Architecture:

Description

There are two places where working with chained certificates is broken or at least weird. Background: OpenVPN always needs the whole CA chain in the --ca setting. It will also verify the client cert against the whole chain but that's not a pfSense problem.

So I've got this config: Created a Root CA with the pfSense Cert Manager. Created a VPN Intermediate CA with the Cert Manager. Created the OpenVPN server Cert within that CA and also the client certs.

In the OpenVPN settings I selected the Intermediate CA as the Peer Certificate Authority etc. I exported the client config with the OpenVPN Client Export Utility.

First issue: The OpenVPN Client Export Utility doesn't include the Root CA in the exported config thus the client will fail to connect. (Since I don't know if that package is an official pfSense package, this might be the wrong place to report this but this should be rather easy to fix.) It will fail with

VERIFY ERROR: depth=1, error=unable to get local issuer certificate: /C=DE/ST=HH/L=HH/O=Example_GmbH/emailAddress=/CN=Example_VPN_CA__pfSense_

Second (more important) issue: Once the previous one is fixed manually, the server will also fail to verify the client cert with

VERIFY ERROR: depth=2, error=self signed certificate in certificate chain: /C=DE/ST=HH/L=HH/O=Example_GmbH/emailAddress=/CN=Example_Root_CA__pfSense_

If I set the Peer Certificate Authority to the Root CA, it looks like it works (I have LDAP auth issues now, but that's more than before).

This behaviour is at least weird/unintuitive and hard to debug. pfSense should either generate a proper chained cert if you select an Intermediate CA (preferred) or keep me from selecting one.

This is pfSense 2.0.2.
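The chain rule behind both errors above (a CA bundle that holds only the intermediate cannot anchor a chain; it also needs the self-signed root) can be reproduced outside OpenVPN. The Go program below is an added example, not pfSense or OpenVPN code: it issues a throw-away root, intermediate and client certificate with constructed names, then verifies the client certificate against a bundle holding only the intermediate and against the full chain. `issue` and `chainDepth` are the example's own helpers; `chainDepth` treats only self-signed certificates as trust anchors, mirroring OpenSSL's default (no partial-chain) behaviour rather than Go's own rule that anything in the root pool is trusted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for cn signed by parent (self-signed root when parent is nil).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
	}
	if parent == nil { // root: sign the template with its own key
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// chainDepth treats caBundle like the contents of OpenVPN's --ca file: self-signed certs
// are trust anchors, everything else is an intermediate. Returns the verified chain length.
func chainDepth(leaf *x509.Certificate, caBundle []*x509.Certificate) (int, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range caBundle {
		if c.CheckSignatureFrom(c) == nil { // only a self-signed CA may end a chain (OpenSSL default)
			roots.AddCert(c)
		} else {
			inters.AddCert(c)
		}
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return len(append(chains, nil)[0]), err // depth 0 plus the error when no chain could be built
}

func main() {
	root, rootKey := issue("Example_Root_CA", true, nil, nil) // constructed names, not real CAs
	inter, interKey := issue("Example_VPN_CA", true, root, rootKey)
	client, _ := issue("vpn-client", false, inter, interKey)
	fmt.Println(chainDepth(client, []*x509.Certificate{inter}))       // 0 x509: certificate signed by unknown authority
	fmt.Println(chainDepth(client, []*x509.Certificate{root, inter})) // 3 <nil>
}
```

The first call fails because, as in the reporter's depth=1 error, the chain stops at the intermediate with no root to anchor it; the second builds the full three-certificate chain.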
