Empty Archive Export for Client(solvedISH)

Started by nedder77, January 05, 2026, 10:48:38 PM

January 05, 2026, 10:48:38 PM Last Edit: January 07, 2026, 05:35:28 PM by nedder77 Reason: new info/solution of sorta.
I sorta solved this by building a new firewall on new hardware, and then importing the config from the old one, and then exporting from the new one and then using the export to connect to the old one. Works for now, I was planning on replacing the hardware of the old one in the fall but am just gonna move that up to sooner.

So I am having some trouble with my OpenVPN on my OPNsense firewall.

I was on vacation and the certs expired on 12/30/2025 for the server.

I am trying to get it resolved now. I am working on just the AdminVPN at the moment, we have a DUO VPN with the DUO Proxy for regular users, but need this working before I try to get that one fixed.

I have re-issued and replaced the server cert, but when I try to export the client certs, the archive file is empty with nothing in it. I have googled and most results tell me that this is a result of some sort of mismatch between server and client which is why it exports nothing.

Here is what I have for settings (anonymized as best I can) when re-issuing. I have also tried creating a new CA, new server cert, new client cert, new OpenVPN server, and combining them in every possible combination of new and old, all with the same result.

Versions
OPNsense 25.7.10-amd64
FreeBSD 14.3-RELEASE-p7
OpenSSL 3.0.18

Description: ServerCertName
Key
Type: Server Certificate
Key Type: RSA-2048
Digest Algorithm: SHA256
Issuer: InternalCA in OpnSense
Lifetime: 397

General
Country Code: United States
State or Province: AA
City: Mine
Organization: MyCompany
OU: blank
Email: nobody@not.here
Common Name: ServerCertName
OCSP uri: blank

Alternative Names all blank

Output(PEM format)

All Auto populated from before or when created.

Description: 2027
Key
Type: Client Certificate
Key type: RSA-2048
Digest Algorithm: SHA256
Issuer: InternalCA in OPNSense
Lifetime: 397

General
Country Code: United States
State or Province: AA
City: Mine
Organization: MyCompany
OU: blank
Email: nobody@not.here
Common Name: ServerCertName
OCSP uri: blank

Alternative Names all blank

Output(PEM format)

All Auto populated from before or when created.

OpenVPN Server Info
Description: AdminVPN
Server Mode: Remote Access(User Auth)
Backend Authentication: Local Database
Enforce Local group: AdminVPN
Protocol: TCP
Device mode: tun
Interface: Any
Local Port: 587

Cryptographic Settings
TLS Authentication: Enabled Authentication Only
TLS Shared Key: shared key
Peer Certificate Authority: InternalCA in OPNSense
Peer Revocation list: None
Server Certificate: ServerCertName
Encryption Algorithm (deprecated): AES-128-CBC (128 bit key, 128 bit block)
Auth Digest Algorithm: SHA256(256-bit)
Certificate Depth: One(Client+Server)

Tunnel Settings: None of these should matter for this issue
Client settings: none of these should matter for this issue
Advanced Config: All blank

Client Export settings
Remote Access Server: AdminVPN TCP:587
Export Type: Archive
Hostname: our IP address
Port: 587
Use Random local port: TRUE
P12 Password/confirm: blank
Validate Server Subject: TRUE
Windows Certificate System Store: FALSE
Disable Password Save: FALSE
Enable Static Challenge (OTP): FALSE
Custom Config: blank

Then click download on the client certificate 2027 and we get the empty zip file with nothing in it. I can download the ovpn file, but that won't connect me either, just sits and I get a "dco connect error: The semaphore timeout period has expired."
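
An added example, not part of the original post: a shell check that a server certificate and a client certificate both verify against the same CA with the right purpose and are not close to expiry, which tests the "mismatch between server and client" explanation outside the GUI. The function names, file paths and the 30-day threshold are assumptions, the demo certificates are constructed, and it does not reproduce OPNsense's own export logic.

```shell
#!/bin/sh
# Added example; names and paths are assumptions, all certificates are constructed.

# valid_for CERT DAYS: succeeds if CERT is still valid DAYS days from now.
valid_for() { openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; }

# chains_to CA CERT PURPOSE: succeeds if CERT verifies against CA and its
# extensions allow PURPOSE (sslserver or sslclient). Expired certs fail here too.
chains_to() { openssl verify -CAfile "$1" -purpose "$3" "$2" >/dev/null 2>&1; }

# check_pair CA SERVER CLIENT: prints each problem, returns the number found.
check_pair() {
  n=0
  chains_to "$1" "$2" sslserver || { echo "server cert: not valid under this CA"; n=$((n+1)); }
  chains_to "$1" "$3" sslclient || { echo "client cert: not valid under this CA"; n=$((n+1)); }
  for c in "$2" "$3"; do
    valid_for "$c" 30 || { echo "$c: expires within 30 days"; n=$((n+1)); }
  done
  return "$n"
}

# Constructed sample data: throwaway CA plus one server and one client cert in $1.
make_demo() {
  d=$1
  printf '[req]\ndistinguished_name=req\n[v3ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/req.cnf"
  openssl req -x509 -config "$d/req.cnf" -extensions v3ca -newkey rsa:2048 -nodes \
    -days 397 -subj "/CN=DemoCA" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  for role in server client; do
    printf 'extendedKeyUsage=%sAuth\n' "$role" > "$d/$role.ext"
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=demo-$role" \
      -keyout "$d/$role.key" -out "$d/$role.csr" 2>/dev/null
    openssl x509 -req -in "$d/$role.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
      -CAcreateserial -days 397 -extfile "$d/$role.ext" -out "$d/$role.crt" 2>/dev/null
  done
}

demo=$(mktemp -d "${TMPDIR:-/tmp}/vpncheck.XXXXXX") && make_demo "$demo" &&
  check_pair "$demo/ca.crt" "$demo/server.crt" "$demo/client.crt" && echo "pair is consistent"
```

To run it against real material, pass the PEM files of the CA, the server certificate and the client certificate to `check_pair` in place of the demo paths.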