OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: uaw on October 07, 2018, 12:20:22 pm

Title: OPNsense 18.7.4 - OpenVPN - Intermediate CA
Post by: uaw on October 07, 2018, 12:20:22 pm
Hi there,
currently I am running a test environment with two OPNsense 18.7.4 machines. Machine A is connected to the internet and simulates an internet provider for machine B. There is a LAN-A on one machine and a LAN-B on the other (likewise there are DMZs). In general this environment is running fine. I can work tunnels either LAN-LAN or RoadWarrior B to machine A as long as these tunnels are shared-key only.

Problem starts, when I work with certificates having a root-CA and an intermediate CA. The tunnel building will fail and return the error ...VERIFY ERROR: depth=2, error=self signed certificate in certificate chain... .

However, if I change the involved certificates to not using an intermediate CA (the sole other change is the certificate depth set to 1), the tunnel works fine.

Conclusion: The combination of OPNsense and OpenVPN has a problem using certificates with intermediate-CAs.

Remark: I am aware that there have been similar problems with pfSense in the past, so this is probably not new. I found only very few related posts with Google and nothing related within the forum.

Any experiences / comments? Is it old stuff and me being blind? Am I reporting in the wrong place?

Any comment welcome.

Cheers, UAW.
Title: Re: OPNsense 18.7.4 - OpenVPN - Intermediate CA
Post by: getle87 on October 30, 2018, 01:28:28 pm
Hello uaw,

I had the same problem with intermediate CAs in my roadwarrior setup. In the pfSense bug tracker I found a solution. In the "System: Trust: Authorities" menu I edited the intermediate certificate data and added the root certificate after it, so the complete certificate chain is in the intermediate CA entry; then the server could resolve the CA chain correctly. I think this is a bug or missing feature.

Greetings, getle87
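The failure described in the first post and the workaround from the reply can both be reproduced outside OPNsense with plain openssl, because the "Authorities" entry that OpenVPN is handed is just a PEM bundle used as its trust store. The script below is an added example, not code from the thread or from the OPNsense project: it builds a throwaway three-level PKI (a self-signed root, an intermediate, and a server certificate signed by the intermediate; all names such as "Demo Root CA" and vpn.example.test are constructed), then verifies the server certificate three times: with only the intermediate trusted (chain cannot reach a self-signed anchor), with only the intermediate trusted while the peer also presents the root (the "depth=2, self signed certificate in certificate chain" case), and with intermediate and root concatenated in one file, which is exactly what the reply describes doing in the CA entry.

```shell
#!/bin/sh
# Added example (not from the forum thread): reproduce the intermediate-CA
# verification failure and the concatenated-chain workaround with plain openssl.
# All certificate names are constructed for this demo; nothing here is an OPNsense file.
set -eu

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

# Build the PKI: self-signed root -> intermediate -> OpenVPN server certificate.
make_demo_pki() {
  D=$DEMO_DIR
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$D/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$D/srv.ext"

  # Root CA: CSR signed with its own key (self-signed) plus CA extensions.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$D/root.key" -out "$D/root.csr" \
    -subj "/CN=Demo Root CA" >/dev/null 2>&1
  openssl x509 -req -in "$D/root.csr" -signkey "$D/root.key" -days 3650 \
    -extfile "$D/ca.ext" -out "$D/root.pem" >/dev/null 2>&1

  # Intermediate CA, signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$D/int.key" -out "$D/int.csr" \
    -subj "/CN=Demo Intermediate CA" >/dev/null 2>&1
  openssl x509 -req -in "$D/int.csr" -CA "$D/root.pem" -CAkey "$D/root.key" -CAcreateserial \
    -days 1825 -extfile "$D/ca.ext" -out "$D/int.pem" >/dev/null 2>&1

  # Server certificate, signed by the intermediate (what the OpenVPN server presents).
  openssl req -new -newkey rsa:2048 -nodes -keyout "$D/srv.key" -out "$D/srv.csr" \
    -subj "/CN=vpn.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$D/srv.csr" -CA "$D/int.pem" -CAkey "$D/int.key" -CAcreateserial \
    -days 365 -extfile "$D/srv.ext" -out "$D/srv.pem" >/dev/null 2>&1
}

# Case 1: the trust store holds only the intermediate, as in the original setup.
# The chain never reaches a self-signed anchor, so verification fails.
verify_intermediate_only() {
  openssl verify -CAfile "$DEMO_DIR/int.pem" "$DEMO_DIR/srv.pem"
}

# Case 2: same trust store, but the peer also sends the root in its chain.
# openssl reports error 19 at depth 2 ("self signed certificate in certificate
# chain"): the root is seen but is not in the trust store.
verify_root_presented_but_untrusted() {
  openssl verify -CAfile "$DEMO_DIR/int.pem" -untrusted "$DEMO_DIR/root.pem" "$DEMO_DIR/srv.pem"
}

# Case 3: the workaround from the reply. The CA entry holds the intermediate
# followed by the root, so a complete chain to a trusted self-signed root exists.
verify_with_concatenated_chain() {
  cat "$DEMO_DIR/int.pem" "$DEMO_DIR/root.pem" > "$DEMO_DIR/chain.pem"
  openssl verify -CAfile "$DEMO_DIR/chain.pem" "$DEMO_DIR/srv.pem"
}

make_demo_pki

echo "--- trust store: intermediate only"
verify_intermediate_only || echo "=> FAILS, as in the original report"
echo "--- trust store: intermediate only, peer presents the root as well"
verify_root_presented_but_untrusted || echo "=> FAILS with the depth=2 error from the thread"
echo "--- trust store: intermediate followed by root (the workaround)"
verify_with_concatenated_chain && echo "=> OK"
```

The order in the concatenated file (intermediate first, root after it) is the order the reply gives; OpenSSL does not depend on the order within a CA file, but keeping it lets the entry still be read as "this intermediate, plus the root that signed it". Only the exit status is asserted, since the exact wording of OpenSSL's error text differs between versions.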