18.7 Legacy Series / OPNsense 18.7.4 - OpenVPN - Intermediate CA
« on: October 07, 2018, 12:20:22 pm »
Hi there,
Currently I am running a test environment with two OPNsense 18.7.4 machines. Machine A is connected to the internet and simulates an internet provider for machine B. There is a LAN-A on one machine and a LAN-B on the other (likewise there are DMZs). In general this environment is running fine. I can work tunnels either LAN-LAN or RoadWarrior B to machine A as long as these tunnels are shared-key only.
The problem starts when I work with certificates having a root CA and an intermediate CA. The tunnel building will fail and return the error "...VERIFY ERROR: depth=2, error=self signed certificate in certificate chain...".
However, if I change the involved certificates to not use an intermediate CA (the sole other change is the certificate depth set to 1), the tunnel works fine.
Conclusion: The combination of OPNsense and OpenVPN has a problem using certificates with intermediate CAs.
Remark: I am aware that there have been similar problems with pfSense in the past, so this is probably not new. I found only very few related posts with Google and nothing related within the forum.
Any experiences / comments? Is it old stuff and me being blind? Am I reporting in the wrong place?
Any comment welcome.
Cheers, UAW.
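The message quoted in the post ("error=self signed certificate in certificate chain" at depth 2) is OpenSSL's verifier reporting that it walked the chain up to a self-signed root that is not in its trust store. In OpenVPN the trust store is whatever the `ca` option loads, while the certificates the remote side presents (its own cert plus anything in `extra-certs`) are only untrusted chain material. The script below is an added example, not code from the forum post or from the OPNsense project: it builds a throwaway root -> intermediate -> server chain with `openssl` and runs the verifier in the two roles, so you can see which trust-store contents make a depth-2 chain verify and which reproduce the quoted error. It assumes an `openssl` binary (1.1.1 or newer) on PATH; every name and file in it is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the forum post: reproduce OpenSSL's
# "self signed certificate in certificate chain" verdict with a throwaway
# root -> intermediate -> server chain, then show which trust-store contents
# make the same chain verify. Assumes an `openssl` binary (1.1.1 or newer)
# on PATH; every name below is constructed for the demo.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension profiles for the three certificate roles (constructed config).
cat >"$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_inter]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
authorityKeyIdentifier = keyid
EOF

# Build the chain: self-signed root, intermediate signed by the root,
# server certificate signed by the intermediate (so the root sits at depth 2).
# Runs in a subshell so the cd does not leak into the caller.
build_demo_pki() (
  cd "$WORK" || exit 1
  openssl req -x509 -config demo.cnf -extensions v3_root -days 30 \
    -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout root.key -out root.crt 2>/dev/null || exit 1
  openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Intermediate CA" -keyout inter.key -out inter.csr 2>/dev/null || exit 1
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 30 -extfile demo.cnf -extensions v3_inter -out inter.crt 2>/dev/null || exit 1
  openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=vpn-a.example.test" -keyout server.key -out server.csr 2>/dev/null || exit 1
  openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -days 30 -extfile demo.cnf -extensions v3_server -out server.crt 2>/dev/null || exit 1
  # One bundle, used below both as a trust store and as a peer-sent chain.
  cat inter.crt root.crt >chain.crt
)

# verify_chain TRUSTED PEER_SENT: TRUSTED plays the role of OpenVPN's `ca`
# file, PEER_SENT the extra certificates the remote side presents alongside
# its own (either may be ""). Prints openssl's verdict, returns its status.
verify_chain() {
  _trusted=$1; _peer=$2
  set --
  [ -n "$_trusted" ] && set -- "$@" -CAfile "$_trusted"
  [ -n "$_peer" ] && set -- "$@" -untrusted "$_peer"
  _out=$(openssl verify "$@" "$WORK/server.crt" 2>&1)
  _rc=$?
  printf '%s\n' "$_out"
  return $_rc
}

build_demo_pki || { echo "could not build the demo PKI"; exit 1; }
C=$WORK/chain.crt; R=$WORK/root.crt; I=$WORK/inter.crt

echo "1) trust store lacks the root, peer sends intermediate+root:"
verify_chain "" "$C"    # rejected: error 19 at depth 2 (self signed cert in chain)
echo "2) trust store holds the root, peer sends only the intermediate:"
verify_chain "$R" "$I"  # server.crt: OK
echo "3) trust store holds intermediate+root, peer sends nothing extra:"
verify_chain "$C" ""    # server.crt: OK
echo "4) trust store holds only the intermediate, peer sends intermediate+root:"
verify_chain "$I" "$C"  # rejected; exact wording varies by OpenSSL version
```

Cases 1 and 3 use the same `chain.crt` bytes: handed to the verifier as untrusted material the chain is rejected at depth 2 with the error from the post, loaded as the trust store it verifies. When an OPNsense OpenVPN instance shows this error, dumping the CA bundle the instance actually uses (`openssl crl2pkcs7 -nocrl -certfile <bundle> | openssl pkcs7 -print_certs -noout`) and checking that the self-signed root is among the subjects is the quickest way to tell a missing-root bundle from a real OpenVPN defect.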