Author Topic: OpenVPN cannot load CA after Upgrade to 19.7.4 (Read 3570 times)

c-mu · « **on:** September 26, 2019, 08:30:05 am »

Hi,
yesterday I have upgraded my slave node of my production HA Setup from 18.7.10_4. My master is still on 18.7.10_4. The OpenVPN and IPsec Site2Site tunnels are working but all my OpenVPN Server Services for Road Warriors won't start with the following error:

Code: [Select]

Sep 25 20:49:46 	openvpn[32795]: Exiting due to fatal error
Sep 25 20:49:46 	openvpn[32795]: Cannot load CA certificate file /var/etc/openvpn/server9.ca (only 1 of 2 entries were valid X509 names)
Sep 25 20:49:46 	openvpn[32795]: Cannot load CA certificate file /var/etc/openvpn/server9.ca (entry 2 did not validate)
Sep 25 20:49:46 	openvpn[32795]: OpenSSL: error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table
Sep 25 20:49:46 	openvpn[32795]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 25 20:49:46 	openvpn[32795]: WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
Sep 25 20:49:46 	openvpn[31712]: library versions: OpenSSL 1.0.2s 28 May 2019, LZO 2.10
Sep 25 20:49:46 	openvpn[31712]: OpenVPN 2.4.7 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Sep 10 2019

I'm wondering why it was working with 18.x?

Thanks for your time!

c-mu · « **Reply #1 on:** September 26, 2019, 01:19:56 pm »

I checked my CA Certificate with a SSL Decoder and everything looks fine

c-mu · « **Reply #2 on:** September 26, 2019, 02:48:49 pm »

I tried to delete all Cert's and restore them from my backup, with no luck :/

banym · « **Reply #3 on:** September 26, 2019, 02:52:17 pm »

Do you have some special characters in cert names?

"only 1 of 2 entries were valid X509 names"

c-mu · « **Reply #4 on:** September 26, 2019, 03:33:26 pm »

Nope, no special characters, it's callend "company-vpn-cert" so the only "special" char's are the -

c-mu · « **Reply #5 on:** September 27, 2019, 10:38:50 am »

I took a closer look to the server.ca files. What I see is, that each CA File contains two 100% identical certificate parts. Is that realy correct?

To verify that, I copied each part in seperate files and run a diff command about those. For further testing, I deleted one of the Cert Part but as soon as I start the VPN service, the file again has two identical certs.

And while I'm writing this, a took a look at my master Server and e voilà: It only has one cert Part included.

Look's like a bug?!

c-mu · « **Reply #6 on:** September 27, 2019, 11:31:01 am »

I created a bug report here:
https://github.com/opnsense/core/issues/3729

Author Topic: OpenVPN cannot load CA after Upgrade to 19.7.4 (Read 3570 times)

c-mu

OpenVPN cannot load CA after Upgrade to 19.7.4

c-mu

Re: OpenVPN cannot load CA after Upgrade to 19.7.4

c-mu

Re: OpenVPN cannot load CA after Upgrade to 19.7.4

banym

Re: OpenVPN cannot load CA after Upgrade to 19.7.4

c-mu

Re: OpenVPN cannot load CA after Upgrade to 19.7.4

c-mu

Re: OpenVPN cannot load CA after Upgrade to 19.7.4

c-mu

Re: OpenVPN cannot load CA after Upgrade to 19.7.4