OpenVPN / Letsencrypt : unable to get issuer certificate

Started by CMogen, February 23, 2025, 06:10:51 PM


OPNsense 25.1.1-amd64
FreeBSD 14.2-RELEASE-p1
OpenSSL 3.0.16

Hello all,

I've been fighting with this for a couple of days now and I'm starting to question my own sanity. Every time I use a LE cert via ACME, I get:

VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=US, O=Let's Encrypt, CN=R11, serial=184083759606652600789093070426744763640
Feb 23 10:10:31 AM: OpenSSL: error:0A000086:SSL routines::certificate verify failed:
Feb 23 10:10:31 AM: TLS_ERROR: BIO read tls_read_plaintext error

This happens when connecting with OpenVPN Connect and also Viscosity, on two different Win10 machines.

This was happening in the last 24.x.x and also in 25.1.1. I've deleted/reissued the cert several times, nuked the OpenVPN instance and recreated it, un/reinstalled ACME client, along with everything mentioned in relevant forum posts:
https://forum.opnsense.org/index.php?topic=24973.0
https://forum.opnsense.org/index.php?topic=12060.0
https://forum.opnsense.org/index.php?topic=24950.0

Delete, add/import CA manually, change update repo/reinstall ACME, inline cert info in .ovpn, practically every VPN cert-related option (verify remote, verify client, depth, etc.). I've honestly lost track at this point. I'm not seeing anything in (debug) logs pointing to any issues; everything seems to be happy, but clients are not getting the proper CA chain. I'm at the wipe/reinstall-OPNsense-on-a-Sunday-afternoon desperation point, so I would appreciate any other options!

Can you try with a Linux client such as WSL on Win 10? You can then run the OpenVPN binary with the client .ovpn in the foreground and get more diagnostics with:

openvpn --verb 4 myconfig.ovpn

Apparently I'm having the exact issue described here: https://forum.opnsense.org/index.php?topic=41943.msg206958#msg206958
The steps in the anchored post fix the "cannot verify CA" part.

In Trust > Certs, the ACME cert shows up as self-signed.
Edit cert > Save (no changes) says "CA key not present".
Switch to Create CSR > Import works. The cert now shows with the LE CA. *However*, under Trust > Authorities, the LE CA shows up as self-signed, with no key present in edit properties. (pic)

Tested with a Linux client at verb 4; it dies with:
2025-02-24 15:39:51 us=578829 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2025-02-24 15:39:51 us=583757 OpenSSL: error:05800074:x509 certificate routines::key values mismatch:
2025-02-24 15:39:51 us=583815 Cannot load private key file [[INLINE]]
2025-02-24 15:39:51 us=583934 Error: private key password verification failed
2025-02-24 15:39:51 us=583997 Exiting due to fatal error
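The three symptoms in this thread (OpenSSL's "key values mismatch", a CA listed as self-signed, and "unable to get issuer certificate" at depth=1) can each be checked outside the GUI with the OpenSSL CLI. This is an added example, not from the thread or from OPNsense; the file names are placeholders for the server cert/key exported from Trust > Certificates and the CA PEMs from Trust > Authorities, and it assumes `openssl` is on the PATH.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes the OpenSSL CLI is installed.
# File arguments are placeholders: the server cert/key exported from
# Trust > Certificates and the CA PEMs from Trust > Authorities.

# "key values mismatch": the public key inside the cert must equal the
# public key derived from the private key. Returns 2 if a file is unreadable.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# A CA that "shows up as self-signed": issuer DN equals subject DN.
# An intermediate such as Let's Encrypt R11 must NOT be self-signed;
# only the root (ISRG Root X1) should be.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject) || return 2
    iss=$(openssl x509 -in "$1" -noout -issuer) || return 2
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# "unable to get issuer certificate" at depth=1: the chain must run
# leaf -> intermediate -> self-signed root, with the root in the trust
# store. Passing only the intermediate as -CAfile reproduces the error,
# because OpenSSL refuses a chain that does not end in a self-signed cert.
chain_verifies() {
    # $1 leaf, $2 untrusted intermediate(s), $3 trusted root(s)
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Usage (placeholders): check_all server.pem server.key intermediate.pem root.pem
check_all() {
    cert_key_match "$1" "$2" && echo "key matches cert" || echo "KEY MISMATCH"
    if is_self_signed "$3"; then echo "WARNING: '$3' is self-signed"; fi
    chain_verifies "$1" "$3" "$4" && echo "chain OK" || echo "CHAIN BROKEN"
}
```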

Well, this has been an absolute nightmare. When performing the steps above, it seems to at least sync the cert with the issuer, but afterwards all cert options are greyed out except "Import cert (signed by CA)" like it's still waiting. No option to reissue, and I don't think the cert update is being pushed anywhere after the save.

I found the key/cert in /var/etc/openvpn/instance-xx.conf was still using the original (pre-Create CSR/Import above) pair. Restarting OpenVPN doesn't do anything; you have to change the cert to something else, then back to the same cert the instance was using, to regenerate the proper config file.

Still getting a (different) TLS handshake error. Could this have something to do with when the original certs were generated, possibly on an older version? https://forum.opnsense.org/index.php?topic=42220.msg209001#msg209001

If so I'm just going to wipe this device and start over. If this is par for the course though, or the current state of PKI/trust/509/whatever, please let me know and maybe I'll put PF on it instead.

Thanks for all the helpful replies and diagnostics. In the end I believe it was an installation issue. Apparently I downloaded the OPNsense installer instead of pfSense. Once the correct installer was used, ACME cert issuance breezed right through. Like a tumbleweed blowing through a ghost town. /allegory