VPN Certificate Error

Started by superwinni2, February 18, 2019, 01:37:41 PM

Hello,

I've got an OPNsense with version 19.1.1 and need some help configuring some VPN servers with SSL/TLS and SSL/TLS with user/password.

Sorry for my bad English... I'm a native German speaker  ;D

What I did already:
OPNsense installed and configured (IPs etc).
Created a (main) CA (Haupt means main in English)
2048, SHA256, 365, CN = Haupt-CA, E = support@test.com, O = Pri, L = Zuh, S = BW, C = DE
Created an intermediate CA from the main CA (Unter means sub)
2048, SHA256, 365, CN = UnterCA, E = support@test.com, O = Priv, L = Zuh, S = BW, C = DE
After that I created a server certificate for the VPN Server.

Now I want to create an OVPN Server with the following settings:
Server Mode: Remote Access (SSL/TLS)
Protocol: UDP
Device Mode: tun
Interface: Any
Local Port: 1175
TLS Authentication: Check "Enable authentication of TLS packets" and "Automatically generate a shared TLS authentication key"
Peer Certificate Authority: UnterCA
Server Certificate: VPN-Server-Cert (UnterCA)
DH: 2048 bit
Encryption algorithm: AES128-CBC
Auth Digest Algorithm: SHA1 (160-bit)
Hardware Crypto: No Hardware Crypto Acceleration
Certificate Depth: Do Not Check

IPv4 Tunnel Network: 10.100.140.0/24
IPv4 Local Network: 10.100.100.0/24
Disable IPv6: Check

Dynamic IP: Check
Address Pool: Check
DNS Default Domain: test.test
DNS Server 10.100.100.64


Everything is default or empty.

After this I created a user and created and signed a certificate from "UnterCA".


Now my Error:
I can export the OVPN config file and can also start it. But I get the following error in the server log:
openvpn[75278]: xxx.xxx.xxx.xxx VERIFY ERROR: depth=2, error=self signed certificate in certificate chain: C=DE, ST=BW, L=Zuh, O=Pri, emailAddress=support@test.com, CN=HauptCA
and on client:
TLS Error: TLS handshake failed
SIGUSR1[soft,tls-error] received, process restarting


More information:
If I change the peer certificate authority to "HauptCA" the connection works, but I can't export any configs...

Now the big question....
Where is my fault?
I want / need that certificate structure because in the production environment the "HauptCA" is an external server. But it's exactly the same error whether the MainCA is on the OPNsense or not...

I already set up some VPN servers but this one won't work  :-[

Thanks a lot for helping
Greetings from Germany
Proxmox VE
i3-4030U | 16 GB RAM | 512 GB SSD | 500 GB HDD
i3-2350M | 16 GB RAM | 120 GB SSD | 500 GB HDD

FW VMs:
2 Cores | 1 GB RAM | 20 GB SSD
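Rebuilding the OP's chain with plain openssl (an added example, not from the original post or from OPNsense) reproduces the failure away from the firewall and shows which CA file contents make it pass. OpenVPN's `ca` option is the trust store, and the certificates the client sends alongside its own are untrusted input, which `openssl verify -CAfile ... -untrusted ...` models directly; the depth=2 in the server log above shows the client presented the root as well. Names and DN fields are taken from the thread; the key sizes, lifetimes, file names, extension profiles and the work directory are my own choices:

```shell
#!/bin/sh
# Rebuilds the thread's PKI (Haupt-CA -> UnterCA -> user cert) with openssl
# and verifies the user cert the way OpenVPN's `ca` option does: the CA file
# is the trust store, the certs the peer sends are untrusted chain material.
# Subjects follow the thread; everything else here is my own choice.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal config so `openssl req` does not depend on the system openssl.cnf,
# plus the extension profiles used when signing.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

# issue NAME SUBJECT EXT_SECTION [ISSUER]: key + CSR, then sign with ISSUER
# (self-sign when no issuer is given).
issue() {
  name=$1; subj=$2; ext=$3; issuer=${4:-}
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
    -subj "$subj" -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -days 365 -extfile "$WORK/openssl.cnf" -extensions "$ext" \
      -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
      -CAkey "$WORK/$issuer.key" -CAcreateserial -days 365 \
      -extfile "$WORK/openssl.cnf" -extensions "$ext" \
      -out "$WORK/$name.pem" 2>/dev/null
  fi
}

# verify_client CAFILE [EXTRA_OPTS]: prints "ok" or "fail".
# chain.pem stands in for the certificates the client sends with its own
# (intermediate and root, as the depth=2 in the OP's log implies).
verify_client() {
  cafile=$1; extra=${2:-}
  if openssl verify -CAfile "$cafile" -untrusted "$WORK/chain.pem" $extra \
       "$WORK/client.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

issue root   "/C=DE/ST=BW/L=Zuh/O=Pri/CN=Haupt-CA" v3_ca
issue inter  "/C=DE/ST=BW/L=Zuh/O=Pri/CN=UnterCA"  v3_ca     root
issue client "/C=DE/ST=BW/L=Zuh/O=Pri/CN=user1"    v3_client inter

cat "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/chain.pem"     # what the client presents
cat "$WORK/root.pem"  "$WORK/inter.pem" > "$WORK/ca-chain.pem"  # full chain for the server's ca

# Peer Certificate Authority = UnterCA only: a CA cert that is not self-signed
# is not a trust anchor, OpenSSL keeps walking up, the root is not trusted,
# verification fails (the thread's error; the exact message depends on the
# OpenSSL version).
ONLY_INTER=$(verify_client "$WORK/inter.pem")
# Peer Certificate Authority = HauptCA: the root is an anchor, so this works
# (the OP's observation), but so does any cert under any other sub-CA of it.
ONLY_ROOT=$(verify_client "$WORK/root.pem")
# ca file = Haupt-CA + UnterCA: the usual OpenVPN answer, passes.
FULL_CHAIN=$(verify_client "$WORK/ca-chain.pem")
# UnterCA as explicit anchor (X509_V_FLAG_PARTIAL_CHAIN) passes too; shown only
# to isolate the cause, OpenVPN has no option for this as far as I know.
PARTIAL=$(verify_client "$WORK/inter.pem" -partial_chain)

printf 'ca=UnterCA: %s\nca=HauptCA: %s\nca=Haupt-CA+UnterCA: %s\nca=UnterCA -partial_chain: %s\n' \
  "$ONLY_INTER" "$ONLY_ROOT" "$FULL_CHAIN" "$PARTIAL"
```

Run it as a plain sh script. The first case fails on every OpenSSL I know of: older chain-building code appends the client-supplied root and reports error 19 "self signed certificate in certificate chain" at depth 2, newer code stops at the intermediate and reports "unable to get issuer certificate", which is why the two threads show different messages for the same root cause. Note the caveat on the last two passing cases: with the root in the CA file, a certificate issued by another sub-CA of Haupt-CA also verifies, so the CA file alone does not restrict logins to UnterCA.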

Hi there,

Quote:
> After this I created a user and created and signed a certificate from "UnterCA".

Try again, using the CA and not the sub-CA.

Greetings, mark

Hi mark

But I don't want to use the CA. In the production environment I don't want to sign users with my "RootCA".
For that it would be necessary to always start the CA server, create the user and a certificate and so on...
Another reason why I want this is what happens when the (sub-)CA becomes invalid (compromised) and so on...

Is there any other way?

Yes, there's another way. I won't type it up here but will give you the link to a post; follow the steps in the first post and use the patch from GitHub if it doesn't work for you.
The patch will be available in 19.2

https://forum.opnsense.org/index.php?topic=11601.0

But the patch is for another error, or am I seeing it wrong?
He gets an "unable to get issuer certificate" error and
I get a "self signed certificate in certificate chain" error...

Even my construct looks like this:
                 :                        :
                 :                        :
                 :                        :
            .----+----.              .----+----.
            |Usercerts|              | SSLCerts|
            '----+----'              '----+----'
                 |                        |
                 |                        |
                 |                        |
            .----+----.              .----+----.
            |  OPNCA  |              |  WinCA  |
            '----+----'              '----+----'
                 |                        |
                 |      .----------.      |
                 +------| Root-CA  |------+
                        '----------'

I didn't say use the patch; use the patch if it doesn't work for you ;), there's a slight difference...
Anyway, try to follow the path he does; you are probably using a chain that doesn't use the CA directly.
After that, come here with complaints if it doesn't work so we can further troubleshoot what went wrong.

For sure you are not able to create that chain with your current setup, at least not that I know of...

I don't know what you want from me -.-  :-X  :-\

But I can tell you that my problem sounds very different from that in the link...
I have the following structure (now a little bit nicer):
                                 +----------------+
                                 |                |
                                 |    Haupt-CA    |
                                 |                |
                                 +--------+-------+
                                          |
                                          |
                           +--------------+---+-------------------+ + + + + + + + +
                           |                  |                   |
                           |                  |                   |
                    +------+-------+   +------+-------+   +-------+--------+
                    |              |   |              |   |                |
                    |  OpenVPN-CA  |   |  Windows-CA  |   |  Other Sub-CA  |
                    |              |   |              |   |                |
                    +-+----+-------+   +--------------+   +----------------+
                      |    |
                      |    |
                      |    |
+---------------------+-+  |
|                       |  |
|  OpenVPN-Server-Cert  |  |
|                       |  |
+-----------------------+  |
                           |
          +-------------+  |
          |             |  |
          |  User Cert  +--+
          |             |
          +-------------+


I just want to have only one sub-CA from the RootCA (Haupt-CA) and not two for the OPNsense...

With your current chain, you can't do what you like, and it gives you errors if you connect.
If you follow only the path from the OP in the linked post, you should have what you want, a user cert not chained to the root CA. Unless something else is off, this should work.

If not then someone else may have a hint, but this is what I know you can do.

@superwinni2

There's a bug to be fixed in 19.1.2, likely in the next few days. No need to change anything in the meantime.

Are you sure it is the correct bug? The one you loosely mention (no reference to double-check) has been in the system for years, so jumping to conclusions is misleading and maybe even discouraging.

It surely looked like the issue described here at first, but I may have misread it. Apologies for not posting the reference:

https://forum.opnsense.org/index.php?topic=11601.0

Hi guys

I created my own "RootCA" and now do it with that.