OpenVPN VERIFY ERROR: could not extract CN from X509 subject string

Started by svenny, January 23, 2025, 11:40:44 PM

Hi all, I have created 2 different certificate authorities: one for site-to-site VPN (Site_2_Site_VPN_CA) and one for Road Warrior VPN (Road_Warrior_VPN_CA). The first authority I created is the one for site-to-site VPN. Both VPNs are managed with VPN:OpenVPN:Instances.

Now, if I use a server certificate signed by Road_Warrior_VPN_CA for the Road Warrior VPN and create a user with a certificate also signed by the same CA (Road_Warrior_VPN_CA), I receive the following error when I try to connect with that user:

2025-01-23 17:19:16 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
2025-01-23 17:19:16 UDP link local (bound): [AF_INET][undef]:0
2025-01-23 17:19:16 UDP link remote: [AF_INET]x.x.x.x:1194
2025-01-23 17:19:16 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2025-01-23 17:19:16 VERIFY ERROR: could not extract CN from X509 subject string ('C=xx, ST=xx, L=xx, O=xx, OU=xx, emailAddress=xx@xx.xx') -- note that the username length is limited to 64 characters
2025-01-23 17:19:16 OpenSSL: error:0A000086:SSL routines::certificate verify failed
2025-01-23 17:19:16 TLS_ERROR: BIO read tls_read_plaintext error
2025-01-23 17:19:16 TLS Error: TLS object -> incoming plaintext read error
2025-01-23 17:19:16 TLS Error: TLS handshake failed
2025-01-23 17:19:16 SIGUSR1[soft,tls-error] received, process restarting

But if I use a server certificate signed by the first CA (Site_2_Site_VPN_CA) and a user with a client certificate also signed by Site_2_Site_VPN_CA, the VPN connects without problems.

I'm using the following version:
 
OPNsense 24.10.1-amd64 - Business Edition
FreeBSD 14.1-RELEASE-p6
OpenSSL 3.0.15

Thank you in advance.

Regards.
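The VERIFY ERROR quoted in the log is OpenVPN's username-extraction check: by default it takes the peer's username from the CN attribute of the certificate subject (the x509-username-field default) and fails the handshake when that attribute is absent or longer than 64 characters. The subject string in the log ('C=xx, ST=xx, L=xx, O=xx, OU=xx, emailAddress=xx@xx.xx') carries no CN at all. The following script is an added diagnostic example, not code from the forum post, OPNsense or OpenVPN: it parses subject strings in the format OpenVPN prints and reports which ones would fail that check. The subject taken from the log is used as one input; the other subjects, and the treatment of `\,` as an escaped comma inside a value, are constructed assumptions for illustration.

```python
"""Check OpenVPN-style X.509 subject strings for a usable username field.

Added diagnostic example; not part of the forum post, OPNsense or OpenVPN.
Run it against the subjects of every certificate involved in a failing
handshake (e.g. the output of `openssl x509 -noout -subject -in cert.pem`,
rewritten into OpenVPN's 'C=xx, ST=xx, ...' form) to see which one lacks the
attribute OpenVPN wants or exceeds the 64-character username limit.
"""
import re
from typing import Dict, List, Tuple

# OpenVPN's username length limit, as stated in the logged error message.
MAX_USERNAME_LEN = 64

# Sample subjects. The first is the one quoted in the log above; the other
# two are constructed to show the passing case and the length-limit case.
SAMPLE_SUBJECTS: Dict[str, str] = {
    "server cert (subject from log)":
        "C=xx, ST=xx, L=xx, O=xx, OU=xx, emailAddress=xx@xx.xx",
    "server cert with CN (constructed)":
        "C=xx, ST=xx, L=xx, O=xx, OU=xx, CN=vpn.example.test, emailAddress=xx@xx.xx",
    "client cert with overlong CN (constructed)":
        "C=xx, O=xx, CN=" + "a" * 65,
}


def parse_subject(subject: str) -> List[Tuple[str, str]]:
    """Split an OpenVPN-printed subject into (attribute, value) pairs.

    OpenVPN separates attributes with ', '. This parser assumes a literal
    comma inside a value is escaped as '\\,' and therefore splits only on
    unescaped separators (simplifying assumption of this example).
    """
    pairs: List[Tuple[str, str]] = []
    for part in re.split(r"(?<!\\), ", subject):
        if "=" not in part:
            raise ValueError(f"malformed subject attribute: {part!r}")
        name, value = part.split("=", 1)
        pairs.append((name.strip(), value.replace("\\,", ",")))
    return pairs


def extract_username(subject: str, field: str = "CN",
                     max_len: int = MAX_USERNAME_LEN) -> Tuple[bool, str]:
    """Mimic OpenVPN's username extraction for one certificate subject.

    Returns (ok, detail): ok is False when `field` is missing (the
    'could not extract CN' case in the log) or longer than `max_len`.
    """
    values = [v for k, v in parse_subject(subject) if k == field]
    if not values:
        return False, f"{field} missing from subject ({subject})"
    if len(values[0]) > max_len:
        return False, f"{field} is {len(values[0])} chars, limit is {max_len}"
    return True, values[0]


def check_subjects(subjects: Dict[str, str]) -> Dict[str, Tuple[bool, str]]:
    """Run the username check over a set of labelled subjects."""
    return {label: extract_username(subj) for label, subj in subjects.items()}


if __name__ == "__main__":
    for label, (ok, detail) in check_subjects(SAMPLE_SUBJECTS).items():
        print(f"{'OK  ' if ok else 'FAIL'} {label}: {detail}")
```

Running it flags the logged subject as missing its CN while the constructed subject with a CN passes; the fix on the OPNsense side is to issue the certificate with a Common Name (or point x509-username-field at an attribute the certificate actually carries).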