OpenVPN Instances strict CN matching won't work

Started by jensl, June 11, 2025, 04:09:26 PM

Hey,
I am troubled and don't find any way to solve this issue, so maybe someone here can give me a clue what I am doing wrong:

I created a new instance for an OpenVPN server and wanted to activate the strict CN matching feature, but when I do I can't connect:
The client gets an Auth Error
and the log shows me the following:
Username does not match certificate common name (vpn_jensl != ), access denied.

I am very confused because my username matches the common name (vpn_jensl), even the description of the cert.
Any ideas where to look deeper into that issue?
Thanks!

I manage an installation with OpenVPN Server for users where "Strict User/CN Matching" is set to Yes. In that case all usernames consist only of lowercase letters (a-z, no special characters, umlauts or the like), and of course with an identical CN in the certificate. The description of the certificate is different.

Can you try with a username without the "_", because I think that may not work as a CN in the certificate?

Hey, sorry for the late response, I didn't get a notification from the board. I created a new account named vpnadmintest (no capitals, no special characters and no underscores or anything) and still get the same error.
I created the CN without any changes (clicked "search certificates" for that user and then created a new one), so the CN should be matching, shouldn't it?

Warning openvpn Username does not match certificate common name (vpnadmintest != ), access denied.

Please check the details of the certificate itself. In System / Trust / Certificates you get the list of all certificates. Click the (i) button on the right and the certificate content will be shown as text.

Look for the line starting with "Subject:" and then what the 'CN = ' part is showing. If this is not 'vpnadmintest' but something else, then that is what you have entered as Common Name in the certificate.

Hey, just checked the CN, it looks totally fine:

        Signature Algorithm: sha512WithRSAEncryption
        Issuer: C = DE, ST = state, L = city, O = firm, CN = New_Medico_VPNCA2
        Validity
            Not Before: Jun 11 13:42:53 2025 GMT
            Not After : Jul 13 13:42:53 2026 GMT
        Subject: C = DE, ST = state, L = city, O = firm,, CN = vpn_jensl


No, not quite. You mention that you created a user 'vpnadmintest', but the output from your certificate clearly states 'CN = vpn_jensl'.

But there is something else which is more concerning and could be the cause of the whole issue you have; look closely at this part:
'O = firm,, CN ='
I wonder where this additional ',' (comma) just after 'firm' comes from. I guess that you manually replaced the content for ST, L, and O. But if for any reason there is a comma in one of the original entries, I guess this may cause an issue with parsing out the CN entry.
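A worked example, added here and not part of the thread or of the OPNsense/OpenVPN code: a small Python parser for the OpenSSL-style "Subject:" line the previous reply asks to check, with a strict, case-sensitive username-to-CN comparison in the spirit of the "Strict User/CN Matching" option. It shows why an unescaped comma inside a DN field (the 'O = firm,, CN =' case) matters when a DN is handled as text, and how a subject without a CN produces the empty right-hand side seen in the log line. OpenVPN itself reads the CN from the parsed X.509 structure rather than from text, so this models only the comparison, not its implementation; the function names and the sample subject strings are constructed for illustration from the lines posted above.

```python
"""Text-level DN parsing and strict username/CN comparison.

Added example for this thread, not OPNsense or OpenVPN code. Assumes
the DN text format of `openssl x509 -noout -subject`, where RDNs are
separated by ',' and, with `-nameopt RFC2253`, a comma inside a value
is escaped as '\\,'. Function names are illustrative.
"""

# Constructed sample subjects (taken from the lines posted in the thread).
SUBJ_OK = "Subject: C = DE, ST = State, L = CITY, O = FIRM e.V., CN = vpnadmintest"
SUBJ_OTHER_USER = "Subject: C = DE, ST = state, L = city, O = firm,, CN = vpn_jensl"
SUBJ_NO_CN = "Subject: C = DE, ST = State, L = CITY, O = FIRM e.V."
# RFC2253 style: reverse order, no spaces, a comma inside O escaped as '\,'.
SUBJ_RFC2253 = r"CN=vpnadmintest,O=FIRM e.V.\, Dept,C=DE"


def parse_dn(subject_line):
    """Split a DN string into an ordered list of (attribute, value).

    An unescaped ',' always starts a new RDN, so a doubled comma such as
    'O = firm,, CN = x' yields an empty ('', '') RDN. A '\\,' sequence is
    a literal comma that stays inside the value.
    """
    s = subject_line.strip()
    if s.startswith("Subject:"):
        s = s[len("Subject:"):].strip()

    parts, buf, i = [], [], 0
    while i < len(s):
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):
            buf.append(s[i + 1])      # escaped character is taken literally
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))

    rdns = []
    for part in parts:
        part = part.strip()
        if not part:
            rdns.append(("", ""))     # artefact of a stray comma
            continue
        attr, _, value = part.partition("=")
        rdns.append((attr.strip(), value.strip()))
    return rdns


def common_name(subject_line):
    """Return the first CN value in the subject, or None if there is none."""
    for attr, value in parse_dn(subject_line):
        if attr.upper() == "CN":
            return value
    return None


def strict_cn_check(username, subject_line):
    """Exact, case-sensitive comparison of username and certificate CN.

    Returns (ok, message); the message mirrors the log line from the
    thread so the '!= )' shape of a missing CN is visible.
    """
    cn = common_name(subject_line)
    if cn is not None and cn == username:
        return True, "Username matches certificate common name (%s)" % username
    return False, (
        "Username does not match certificate common name (%s != %s), access denied."
        % (username, cn if cn is not None else "")
    )


if __name__ == "__main__":
    for user, subj in [
        ("vpnadmintest", SUBJ_OK),        # match
        ("vpnadmintest", SUBJ_OTHER_USER),  # CN belongs to another user
        ("vpnadmintest", SUBJ_NO_CN),     # no CN at all -> empty right-hand side
        ("VPNAdminTest", SUBJ_OK),        # case differs -> strict match fails
        ("vpnadmintest", SUBJ_RFC2253),   # escaped comma stays inside O
    ]:
        print(strict_cn_check(user, subj)[1])
```

Run it directly to see the five verdicts; the third one reproduces the `(vpnadmintest != )` form from the log, and the last one shows that an escaped comma in the organisation field does not disturb the CN.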

Sorry, my fault, I copied the wrong one:
        Issuer: C = DE, ST = State, L = CITY, O = FIRM e.V., CN = New_FIRM_VPNCA2
        Validity
            Not Before: Sep 11 13:41:55 2025 GMT
            Not After : Jul 25 13:41:55 2036 GMT
        Subject: C = DE, ST = State, L = CITY, O = FIRM e.V., CN = vpnadmintest

The comma was a copy error, but two things confuse me: the CA CN has '_' in it, and the firm name has dots in it -> maybe there is a problem?

Good question; the CA I had created for OpenVPN usage did not have dots (.) or underscores (_) in any of the fields in the subject.

The Issuer was like this:
C = Switzerland, ST = Zurich, L = Zurich, O = Company Ltd, CN = Company Client VPN CA - G1

- Do you may have umlauts (ä, ö, ü or anything else non-7bit-ASCII) in any part of the certificate Subject? If yes, change and just use 7-bit ASCII.
- Is the validity of the issuer Root CA longer (starts before and ends after) than that of the individual user certificates?
- Is the 'Certificate Type' set to 'User Certificate' for the VPN user certificate?

Hey,
just found time to create a new CA completely free of any underscores and the like, and it seems like this worked (had some strange bugs before getting there, because it seems that it confused an old VPN with the new one and didn't allow me to download the right certs at the start).

I will have a deeper look into the rest, but thank you for all the help!