Hi,
Yesterday I upgraded the slave node of my production HA setup from 18.7.10_4. My master is still on 18.7.10_4. The OpenVPN and IPsec site-to-site tunnels are working, but none of my OpenVPN server services for road warriors will start, failing with the following error:
Sep 25 20:49:46 openvpn[32795]: Exiting due to fatal error
Sep 25 20:49:46 openvpn[32795]: Cannot load CA certificate file /var/etc/openvpn/server9.ca (only 1 of 2 entries were valid X509 names)
Sep 25 20:49:46 openvpn[32795]: Cannot load CA certificate file /var/etc/openvpn/server9.ca (entry 2 did not validate)
Sep 25 20:49:46 openvpn[32795]: OpenSSL: error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table
Sep 25 20:49:46 openvpn[32795]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 25 20:49:46 openvpn[32795]: WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
Sep 25 20:49:46 openvpn[31712]: library versions: OpenSSL 1.0.2s 28 May 2019, LZO 2.10
Sep 25 20:49:46 openvpn[31712]: OpenVPN 2.4.7 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Sep 10 2019
I'm wondering why it was working with 18.x?
Thanks for your time!
I checked my CA certificate with an SSL decoder and everything looks fine :o
I tried to delete all certs and restore them from my backup, with no luck :/
Do you have some special characters in cert names?
"only 1 of 2 entries were valid X509 names"
Nope, no special characters, it's called "company-vpn-cert", so the only "special" chars are the -
I took a closer look at the server.ca files. What I see is that each CA file contains two 100% identical certificate parts. Is that really correct?
To verify that, I copied each part into separate files and ran a diff on them. For further testing, I deleted one of the cert parts, but as soon as I start the VPN service, the file again has two identical certs.
And while I'm writing this, I took a look at my master server and, et voilà: it only has one cert part included.
Looks like a bug?!
I created a bug report here:
https://github.com/opnsense/core/issues/3729
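The thread's diagnosis is that the generated server.ca bundle holds the same CA certificate twice, which OpenSSL rejects with "cert already in hash table". Below is an added example (not part of this thread, nor OPNsense code) of a small check that finds such duplicates in a PEM bundle by hashing the DER bytes of each CERTIFICATE block, and that writes out a bundle with only the first copy of each certificate kept. The sample bundle is constructed inline from placeholder bytes, so the blocks are not real X.509 certificates; the check only compares the decoded contents, which is all the duplicate detection needs.

```python
import base64
import hashlib
import re

# Matches one PEM CERTIFICATE block and captures its base64 body.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_entries(bundle: str) -> list:
    """Return a list of (pem_text, der_bytes) for every CERTIFICATE block in the bundle."""
    entries = []
    for m in PEM_CERT_RE.finditer(bundle):
        b64 = "".join(m.group(1).split())  # strip line breaks inside the body
        der = base64.b64decode(b64)
        entries.append((m.group(0), der))
    return entries


def find_duplicates(bundle: str) -> dict:
    """Map SHA-256 fingerprint -> 1-based entry positions, only for certificates that occur more than once."""
    positions = {}
    for idx, (_, der) in enumerate(pem_entries(bundle), start=1):
        fp = hashlib.sha256(der).hexdigest()
        positions.setdefault(fp, []).append(idx)
    return {fp: idxs for fp, idxs in positions.items() if len(idxs) > 1}


def dedupe_bundle(bundle: str) -> str:
    """Return the bundle with the first occurrence of each certificate kept and later copies dropped."""
    seen = set()
    kept = []
    for pem, der in pem_entries(bundle):
        fp = hashlib.sha256(der).hexdigest()
        if fp in seen:
            continue
        seen.add(fp)
        kept.append(pem)
    return "\n".join(kept) + "\n"


def _fake_pem(payload: bytes) -> str:
    """Wrap arbitrary bytes in a PEM CERTIFICATE envelope (constructed test data, not a real certificate)."""
    body = base64.b64encode(payload).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----"


# Constructed sample: the same "CA" entry twice, then a different one,
# mirroring the two identical parts seen in server9.ca in the thread.
SAMPLE_BUNDLE = "\n".join([
    _fake_pem(b"constructed CA entry A"),
    _fake_pem(b"constructed CA entry A"),
    _fake_pem(b"constructed CA entry B"),
]) + "\n"


if __name__ == "__main__":
    dups = find_duplicates(SAMPLE_BUNDLE)
    for fp, idxs in dups.items():
        print(f"duplicate certificate sha256={fp[:16]}... at entries {idxs}")
    cleaned = dedupe_bundle(SAMPLE_BUNDLE)
    print(f"{len(pem_entries(SAMPLE_BUNDLE))} entries in, {len(pem_entries(cleaned))} entries out")
```

On a real system the same functions can be pointed at the generated file (for example `find_duplicates(open('/var/etc/openvpn/server9.ca').read())`) to confirm the duplicate before filing or reproducing the issue; since the thread reports that the service regenerates the file on start, a manual cleanup of the file is only a diagnostic step, not a fix.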