OpenVPN cannot load CA after Upgrade to 19.7.4

Started by c-mu, September 26, 2019, 08:30:05 AM

Hi,
yesterday I upgraded the slave node of my production HA setup from 18.7.10_4. My master is still on 18.7.10_4. The OpenVPN and IPsec site-to-site tunnels are working, but all my OpenVPN server services for road warriors won't start, with the following error:

Sep 25 20:49:46 openvpn[32795]: Exiting due to fatal error
Sep 25 20:49:46 openvpn[32795]: Cannot load CA certificate file /var/etc/openvpn/server9.ca (only 1 of 2 entries were valid X509 names)
Sep 25 20:49:46 openvpn[32795]: Cannot load CA certificate file /var/etc/openvpn/server9.ca (entry 2 did not validate)
Sep 25 20:49:46 openvpn[32795]: OpenSSL: error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table
Sep 25 20:49:46 openvpn[32795]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 25 20:49:46 openvpn[32795]: WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
Sep 25 20:49:46 openvpn[31712]: library versions: OpenSSL 1.0.2s 28 May 2019, LZO 2.10
Sep 25 20:49:46 openvpn[31712]: OpenVPN 2.4.7 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Sep 10 2019


I'm wondering why it was working with 18.x?

Thanks for your time!

I checked my CA certificate with an SSL decoder and everything looks fine  :o

I tried to delete all certs and restore them from my backup, with no luck :/

Do you have some special characters in cert names?

"only 1 of 2 entries were valid X509 names"
Twitter: banym
Mastodon: banym@bsd.network
Blog: https://www.banym.de

Nope, no special characters, it's called "company-vpn-cert", so the only "special" chars are the hyphens.

I took a closer look at the server.ca files. What I see is that each CA file contains two 100% identical certificate parts. Is that really correct?

To verify that, I copied each part into a separate file and ran a diff over them. For further testing, I deleted one of the cert parts, but as soon as I start the VPN service, the file again has two identical certs.

And while I'm writing this, I took a look at my master server and, et voilà: it only has one cert part included.

Looks like a bug?!
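The check described in the posts above (splitting the generated server.ca into its PEM blocks and diffing them) can be automated. The following is an added example, not code from the original thread or from OpenVPN/OPNsense: it parses a PEM bundle with the Python standard library only, fingerprints every CERTIFICATE block by the SHA-256 of its DER bytes (the same identity OpenSSL's X509_STORE uses when it reports "cert already in hash table"), reports entries that occur more than once, and writes out a bundle with only the first occurrence of each. The sample bundle is constructed: the two DER blobs are minimal placeholder SEQUENCEs, not real certificates, so the script can run offline; point `main()` at a real file such as /var/etc/openvpn/server9.ca to inspect it.

```python
import base64
import hashlib
import re
import sys

# Matches one PEM CERTIFICATE block; DOTALL so the base64 body may span lines.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def pem_blocks(bundle):
    """Yield (pem_text, der_bytes) for every CERTIFICATE block in a PEM bundle."""
    for m in PEM_CERT_RE.finditer(bundle):
        body = re.sub(r"\s+", "", m.group(1))  # strip line wrapping
        der = base64.b64decode(body, validate=True)
        yield m.group(0), der


def fingerprints(bundle):
    """SHA-256 fingerprint (hex) of each certificate, in file order."""
    return [hashlib.sha256(der).hexdigest() for _, der in pem_blocks(bundle)]


def find_duplicates(bundle):
    """Return {fingerprint: occurrence_count} for certificates listed more than once."""
    counts = {}
    for fp in fingerprints(bundle):
        counts[fp] = counts.get(fp, 0) + 1
    return {fp: n for fp, n in counts.items() if n > 1}


def dedupe_bundle(bundle):
    """Return the bundle keeping only the first occurrence of each certificate, order preserved."""
    seen = set()
    kept = []
    for pem, der in pem_blocks(bundle):
        fp = hashlib.sha256(der).hexdigest()
        if fp in seen:
            continue
        seen.add(fp)
        kept.append(pem)
    return "\n".join(kept) + "\n"


def _pem(der):
    """Wrap DER bytes as a PEM CERTIFICATE block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed placeholders: tiny DER SEQUENCEs, NOT real X.509 certificates.
# They only exercise the parsing and fingerprinting logic offline.
CA_A = b"\x30\x03\x02\x01\x01"
CA_B = b"\x30\x03\x02\x01\x02"

# Constructed bundle reproducing the symptom from the thread: one CA written twice.
SAMPLE_BUNDLE = _pem(CA_A) + _pem(CA_A) + _pem(CA_B)


def main(path=None):
    bundle = open(path).read() if path else SAMPLE_BUNDLE
    fps = fingerprints(bundle)
    print("%d certificate entries" % len(fps))
    for fp, n in find_duplicates(bundle).items():
        print("DUPLICATE x%d: sha256 %s" % (n, fp))
    if find_duplicates(bundle):
        sys.stdout.write("--- deduplicated bundle ---\n" + dedupe_bundle(bundle))


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

To see what OpenSSL itself makes of each entry (subject and issuer per block), the standard one-liner is `openssl crl2pkcs7 -nocrl -certfile /var/etc/openvpn/server9.ca | openssl pkcs7 -print_certs -noout`. Note that a deduplicated file is only useful for diagnosis here: as the poster observed, the service regenerates server.ca on start, so the fix has to be in whatever writes the file, not in the file.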