Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
18.7 Legacy Series
»
OPNsense 18.7.4 - OpenVPN - Intermediate CA
« previous
next »
Print
Pages: [
1
]
Author
Topic: OPNsense 18.7.4 - OpenVPN - Intermediate CA (Read 2900 times)
uaw
Newbie
Posts: 1
Karma: 0
OPNsense 18.7.4 - OpenVPN - Intermediate CA
«
on:
October 07, 2018, 12:20:22 pm »
Hi there,
currently I am running a testenvironment with two OPNsense 18.7.4 machines. Machine A ist connected to the internet and simulates an internet provider for machine B. There is a LAN-A on one machine an a LAN-B on the other (likewise there are DMZs). In general this environment is running fine. I can work tunnels either LAN-LAn or RoadWarrior B to machine A as long as these tunnels are shared-key only.
Problem starts, when I work with certificates having a root-CA and an intermediate CA. The tunnel building will fail and return the error
...VERIFY ERROR: depth=2, error=self signed certificate in certificate chain
... .
However, if I change the involved certificates to not using an intermediate-CA (sole other change ist certificate depth set to 1) the tunnel works fine.
Conclusion: The combination of OPNsense and OpenVPN has a problem using certificates with intermediate-CAs.
Remark: I am aware, that there have been similar problems with pfSense in the past, so this ist probably not new. I found only very few related posts with google and nothing related within the forum.
Any experiences / comments? Is ist old stuff an me being blind? Am I reporting in the wrong place?
Any comment welcome.
Cheers, UAW.
Logged
getle87
Newbie
Posts: 5
Karma: 0
Re: OPNsense 18.7.4 - OpenVPN - Intermediate CA
«
Reply #1 on:
October 30, 2018, 01:28:28 pm »
Hello uaw,
I had same problem with intermediate CAs in my roadwarrior setup. In the pfsense bugtracker I found a solution. In the "System: Trust: Authorities" menu I edit the intermediate certificate data and add the root certificate after it, so there is the complete certificate chain in the intermediate CA, then the server could resolve the CA chain correctly. I think this is a bug or missing feature.
Greetings, getle87
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
18.7 Legacy Series
»
OPNsense 18.7.4 - OpenVPN - Intermediate CA