Topic: OpenVPN Endtag </tls-auth> missing (Read 436 times)
BTC (Newbie, Posts: 1, Karma: 0)
on: June 28, 2024, 10:29:07 am
Moving from pfSense to OPNsense. I'm setting up an OpenVPN client; I have a CA authority, a certificate and an OpenVPN instance static key certificate all set. The log file says:
openvpn_client1 ERROR: Endtag </tls-auth> missing
and
openvpn /usr/local/opnsense/scripts/openvpn/ovpn_service_control.php: The command '/usr/local/sbin/openvpn --config '/var/etc/openvpn/instance-67a2c720-6e79-4c48-bc2b-dae500ae7b09.conf'' returned exit code '1', the output was ''
If I SSH in and check instance-67a2c720-6e79-4c48-bc2b-dae500ae7b09.conf, the end of the file is (certs edited for brevity):
...
xxxnEax8=
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
MIIFxxxMEQ==
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
13ecxxx09fe
-----END OpenVPN Static key V1-----
</ca>
root@OPNsense:~ #
So it looks like something is replacing what should be </tls-auth> with a second </ca>. If I edit it by hand, as soon as I retry the connection it is once again replaced with a second </ca>. Is OpenVPN config broken? I don't even know where to begin looking to resolve this. I have tried editing the static key certificate in OPNsense to include <tls-auth> and </tls-auth> but it makes no difference.
If I edit it back to </tls-auth> by hand, then run "/usr/local/sbin/openvpn --config '/var/etc/openvpn/instance-67a2c720-6e79-4c48-bc2b-dae500ae7b09.conf'" myself in SSH, and then in OPNsense check the connection status, it says "wait" and the log file gives me other errors, so I'm sure I have further issues to work out once this is fixed, but I can't figure out where </tls-auth> is being replaced by </ca>.
Any ideas, you super smart folk? Thanks!
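An added illustration, not part of the original post and not OPNsense or OpenVPN code: a small checker that walks a generated OpenVPN config and reports inline blocks whose end tag does not match the opening tag, the condition behind the "Endtag </tls-auth> missing" error in the post. The function name, the regexes and the dummy sample are assumptions made for this example.

```python
import re
import sys

OPEN_TAG = re.compile(r"^<([A-Za-z0-9_-]+)>$")
CLOSE_TAG = re.compile(r"^</([A-Za-z0-9_-]+)>$")

def check_inline_blocks(text):
    """Return a list of (line_number, message) findings for inline blocks."""
    findings = []
    current = None      # name of the inline block we are inside, if any
    opened_at = 0
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if current is None:
            m = OPEN_TAG.match(line)
            if m:
                current, opened_at = m.group(1), lineno
            elif CLOSE_TAG.match(line):
                findings.append((lineno, f"stray end tag {line} outside any block"))
            continue
        m = CLOSE_TAG.match(line)
        if not m:
            continue                      # ordinary block content (PEM / key lines)
        if m.group(1) == current:
            current = None                # block closed correctly
        else:
            findings.append((lineno, f"<{current}> opened on line {opened_at} "
                                     f"is followed by {line}, expected </{current}>"))
    if current is not None:
        findings.append((opened_at, f"end tag </{current}> missing"))
    return findings

# Constructed sample shaped like the excerpt in the post (key material is dummy).
SAMPLE = """\
<ca>
-----BEGIN CERTIFICATE-----
AAAA
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
0000
-----END OpenVPN Static key V1-----
</ca>
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for lineno, msg in check_inline_blocks(text):
        print(f"line {lineno}: {msg}")
```

Run against the generated file under /var/etc/openvpn/ right after the service rewrites it; the output shows whether the wrong end tag is already in the generated config or only appears after a manual edit.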