
Author Topic: [SOLVED] OPNsense 19.1: OpenVPN and intermediate CA doesn't work  (Read 12320 times)

wschlich

[SOLVED] OPNsense 19.1: OpenVPN and intermediate CA doesn't work
« on: February 12, 2019, 09:03:01 pm »
Hi!

I have created the following setup:

1. Created "Root CA" using the OPNsense trust manager
2. Created "Server CA" as intermediate of Root CA using the OPNsense trust manager
3. Created "VPN CA" as intermediate of Root CA using the OPNsense trust manager
4. Generated a server certificate "Server Cert" signed by "Server CA" using the OPNsense trust manager
5. Created an OpenVPN server using the wizard with the following settings:
5.1. Server Certificate: "Server Cert"
5.2. Peer Certificate Authority: "VPN CA"
5.3. Certificate Depth: "Do Not Check"
5.4. Strict User/CN Matching: (x)
6. Created a user "vpnuser" with a client certificate issued by "VPN CA"
7. Created an OpenVPN client export for the "vpnuser"

Then, when I try to connect from the client, the server complains that it cannot verify an issuer certificate:

Code:
Feb 12 20:52:41 openvpn[16478]: CLIENT_IP:20435 TLS Error: TLS handshake failed
Feb 12 20:52:41 openvpn[16478]: CLIENT_IP:20435 TLS Error: TLS object -> incoming plaintext read error
Feb 12 20:52:41 openvpn[16478]: CLIENT_IP:20435 TLS_ERROR: BIO read tls_read_plaintext error
Feb 12 20:52:41 openvpn[16478]: CLIENT_IP:20435 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Feb 12 20:52:41 openvpn[16478]: CLIENT_IP:20435 VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=xx, ST=xxx, L=xxx, O=xxx, emailAddress=xxx, CN=VPN CA

The strange workaround, according to two other existing threads in this forum (https://forum.opnsense.org/index.php?topic=9888.0 and https://forum.opnsense.org/index.php?topic=4830.0), is to manually append the "Root CA" certificate data at the end of the "VPN CA" certificate data in the OPNsense trust manager.

That should not be required! OPNsense should configure OpenVPN to use the entire local CA certificate chain.

Cheers,
Wolfram
« Last Edit: February 15, 2019, 04:15:57 pm by franco »

newsense

Re: OPNsense 19.1: OpenVPN and intermediate CA doesn't work
« Reply #1 on: February 13, 2019, 02:12:07 am »
You actually need the RootCA imported on the client - if Windows then certmgr.msc - Machine - Personal store

wschlich

Re: OPNsense 19.1: OpenVPN and intermediate CA doesn't work
« Reply #2 on: February 13, 2019, 06:07:20 am »
I'm talking about *server* log/error messages, not *client* ones.
The server complains that it cannot verify the client certificate.

newsense

Re: OPNsense 19.1: OpenVPN and intermediate CA doesn't work
« Reply #3 on: February 13, 2019, 06:37:14 am »
Sadly I don't have two running instances to test, but I'd really appreciate if you could show me the error logs after you add the root CA as I mentioned earlier.

wschlich

Re: OPNsense 19.1: OpenVPN and intermediate CA doesn't work
« Reply #4 on: February 13, 2019, 07:03:19 am »
It's unchanged, obviously.

wschlich

Re: OPNsense 19.1: OpenVPN and intermediate CA doesn't work
« Reply #5 on: February 13, 2019, 07:13:43 am »
The openvpn server process is using a single CA (namely the "VPN CA"), not the full local CA chain:
Code:
[root@opnsense ~]# ps auxwwf | grep [o]penvpn
root    28509   0.0  0.2 1062000  7576  -  Ss   07:04       0:00.09 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
[root@opnsense ~]# grep '^ca' /var/etc/openvpn/server1.conf
ca /var/etc/openvpn/server1.ca
[root@opnsense ~]# grep 'BEGIN CERTIFICATE' /var/etc/openvpn/server1.ca | wc -l
       2
[root@opnsense ~]# /usr/local/bin/openssl x509 -in /var/etc/openvpn/server1.ca -noout -subject
subject= /C=xxx/ST=xxx/L=xxx/O=xxx/emailAddress=xxx/CN=VPN CA
[root@opnsense ~]#

I consider this a (very annoying) bug in OPNsense, as the OpenVPN configuration logic should be intelligent enough to resolve the full local CA chain.
« Last Edit: February 13, 2019, 10:20:32 am by wschlich »

newsense

Re: OPNsense 19.1: OpenVPN and intermediate CA doesn't work
« Reply #6 on: February 13, 2019, 07:23:02 am »
In VPN-Servers what's the certificate depth ?

wschlich

Re: OPNsense 19.1: OpenVPN and intermediate CA doesn't work
« Reply #7 on: February 13, 2019, 08:33:29 am »
See my initial posting :)

newsense

Re: OPNsense 19.1: OpenVPN and intermediate CA doesn't work
« Reply #8 on: February 13, 2019, 08:49:35 am »
Well, that's why it doesn't make any sense: you have Do Not Check, however the workarounds suggesting to add the root CA to the intermediary is akin to option Two - which I would have chosen for this setup...

Otherwise with DNC it surely looks like you're attempting to establish a connection using digital certificates by explicitly rejecting any validation of said certificates o_0

wschlich

Re: OPNsense 19.1: OpenVPN and intermediate CA doesn't work
« Reply #9 on: February 13, 2019, 10:19:00 am »
@newsense You don't seem to understand the basics here and I don't have the time and energy to explain (sorry about that). I'd recommend reading the documentation about the Certificate Depth option (or the OpenVPN --tls-verify option).
« Last Edit: February 17, 2019, 01:15:23 pm by wschlich »
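Replies #6 to #9 turn on what Certificate Depth actually controls. OpenVPN's --tls-verify runs a command once per certificate in the peer's chain, passing the depth (0 for the client's own certificate) and the X.509 subject, and drops the connection if the command exits non-zero; this is a policy hook layered on top of the normal signature check against the "ca" file, which is why "Do Not Check" cannot make an incomplete CA bundle work. The script below is an added example, not OPNsense's own tls-verify hook: it enforces a maximum chain depth, treats an empty limit as "do not check", and includes a small simulation that walks a constructed chain the way OpenVPN would. The MAX_CERT_DEPTH variable name and the subjects are constructed for the example.

```shell
#!/bin/sh
# Added example, not OPNsense's own --tls-verify hook. OpenVPN invokes the
# configured command with $1 = depth (0 = the client's leaf certificate) and
# $2 = X.509 subject, once per certificate in the chain, and rejects the
# connection when the command exits non-zero.

# Policy check for one chain element.
# $1 = maximum permitted depth ("" = do not check), $2 = depth, $3 = subject
tls_verify_depth() {
    limit="$1"; depth="$2"; subject="$3"
    case "$depth" in
        ''|*[!0-9]*) echo "tls-verify: bad depth argument '$depth'" >&2; return 1 ;;
    esac
    # An empty limit mirrors "Do Not Check": every depth is accepted.
    [ -z "$limit" ] && return 0
    if [ "$depth" -gt "$limit" ]; then
        echo "tls-verify: rejecting '$subject' at depth $depth (limit $limit)" >&2
        return 1
    fi
    return 0
}

# Simulate OpenVPN calling the hook for a whole chain.
# $1 = maximum permitted depth; remaining args = subjects from the leaf
# (depth 0) outward. Succeeds only if every element passes.
simulate_chain() {
    max="$1"; shift
    d=0
    for s in "$@"; do
        tls_verify_depth "$max" "$d" "$s" || return 1
        d=$((d + 1))
    done
    return 0
}

# When OpenVPN runs this script it supplies exactly two arguments; apply the
# limit from MAX_CERT_DEPTH (constructed variable name) to this chain element.
if [ $# -eq 2 ]; then
    tls_verify_depth "${MAX_CERT_DEPTH-}" "$1" "$2"
    exit $?
fi
```

With a Root CA, an intermediate VPN CA and a client certificate, the chain has depths 0, 1 and 2: a limit of 2 accepts it, a limit of 1 rejects the root at depth 2, and an empty limit accepts anything. None of these settings changes whether the server can build the chain from its "ca" file in the first place.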

wschlich

Re: OPNsense 19.1: OpenVPN and intermediate CA doesn't work
« Reply #10 on: February 13, 2019, 10:19:43 am »
Seems there was already a github issue for this problem which should be reopened: https://github.com/opnsense/core/issues/1487

wschlich

Re: OPNsense 19.1: OpenVPN and intermediate CA doesn't work
« Reply #11 on: February 13, 2019, 01:59:43 pm »
Whoohoo, fixed by AdSchellevis in https://github.com/opnsense/core/commit/67f49486708770633ca615ee41f53439e0a962ce and scheduled for 19.1.2 by franco :D

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved