OpenVPN: ca certificate shall include ancestors if not self-signed #1487
Comments

timeout due to inactivity

Actually still an issue. Did anyone ever try to use OpenVPN with TLS-Auth using a non-self-signed root CA?

Yes, it's still an issue with 19.1 (see https://forum.opnsense.org/index.php?topic=11601.0).

@AdSchellevis can you please reopen the issue?

@wschlich are you planning to work on it?

@AdSchellevis At least from a user perspective, yes :-)

Not a lot of people seem to be using this construction, hence the time out last time. I'll reopen this for now, but without people digging into the use case and related code, it's likely this will be closed again.

From what I've seen, @8191 was absolutely right regarding his findings. I've written mine down at https://forum.opnsense.org/index.php?topic=11601.0 -- basically OPNsense does not add the full CA certificate chain to

The bug is in core/src/etc/inc/plugins.inc.d/openvpn.inc Line 895 in d27cc83

but that would suggest it doesn't work for self-signed certificates either, let me take a quick peek.

@AdSchellevis nope, works fine for self-signed Root CA certificates because the CA chain is completed already by adding just the Root CA certificate.

does OPNsense know the path for your intermediate CA?

@AdSchellevis yes, it does, as it consists solely of CA certificates that are managed by the OPNsense CA manager :-)

ok, one moment.

Thank you!

@AdSchellevis for 19.1.2?

@fichtner yes please :)

(cherry picked from commit 67f4948)

@AdSchellevis, @fichtner you guys rock! 🥇

@AdSchellevis My OPNsense firewall reported an issue in /usr/local/opnsense/mvc/app/controllers/OPNsense/OpenVPN/Api/ExportController.php, line 205 (function accountsActivation). Is it maybe related to your patch? That function is working with 'caref' as well...

@wschlich it can't be related, new style mvc code has no relation with the legacy code base. Can you open a new issue with the full error?

I see :-)
Hmm, I submitted the issue via the web GUI crash reporting function. Did that already open up an issue somewhere?

sorry, we don't read those on a very regular basis, better to open a ticket describing steps to reproduce and data here.

I see... :/ actually I have no idea how this error occurred. If it happens again, I'll open a github issue then.

ok, thanks
Issue description

It seems that OpenVPN refuses to verify user certificates if it does not know all their ancestors. I.e. if the CA configured as "Peer Certificate Authority" in the OpenVPN Server UI is not self-signed, OpenVPN refuses to verify user certificates (even if signed directly by the Peer Certificate Authority) with the error

VERIFY ERROR: depth=1, error=unable to get issuer certificate: Peer Certificate Authority

A solution to this would be to add all ancestors of Peer Certificate Authority to the ca file (/var/etc/openvpn/serverx.ca) if the CA is a sub-CA (i.e. not self-signed).

See also: https://forum.opnsense.org/index.php?topic=4830.0
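The chain-building logic the issue asks for, and the verification failure it reports, are shown below as an added example; this is not OPNsense's code and not the fix that landed in openvpn.inc. Certificates are modelled as subject/issuer name pairs with placeholder PEM bodies (no real keys), and the `CA_STORE` dictionary stands in for the OPNsense CA manager, which the thread says holds every CA in the chain. `simulate_verify` mimics how OpenSSL walks from the user certificate (depth 0) up through the ca file until it reaches a self-signed certificate, reporting the depth at which an issuer is missing, which is the `depth=1` error quoted above when only the peer CA is written to the file.

```python
"""Added example: writing the full ancestor chain of a sub-CA into OpenVPN's ca file.

Everything here is constructed for illustration: the names, the placeholder PEM
bodies and the CA_STORE lookup model. It is not code from OPNsense.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str   # distinguished name, simplified to a string
    issuer: str    # subject of the certificate that signed this one
    pem: str       # placeholder PEM body, joined into the ca file

    @property
    def self_signed(self) -> bool:
        # A root CA is its own issuer; that is where chain building stops.
        return self.subject == self.issuer


def _pem(label: str) -> str:
    return f"-----BEGIN CERTIFICATE-----\n{label}\n-----END CERTIFICATE-----\n"


# Constructed CA hierarchy: Root CA -> Intermediate CA -> VPN Sub CA (the "Peer
# Certificate Authority" selected in the OpenVPN server UI). Keys are the
# reference (caref) under which the CA manager would store each certificate.
CA_STORE = {
    "Root CA": Cert("Root CA", "Root CA", _pem("ROOT")),
    "Intermediate CA": Cert("Intermediate CA", "Root CA", _pem("INTERMEDIATE")),
    "VPN Sub CA": Cert("VPN Sub CA", "Intermediate CA", _pem("VPN-SUB-CA")),
}

# Constructed user certificate issued directly by the peer CA.
USER_CERT = Cert("vpnuser", "VPN Sub CA", _pem("VPNUSER"))


def ca_chain(caref: str, store: dict) -> list:
    """Return the peer CA followed by every ancestor up to its self-signed root.

    Raises KeyError when an ancestor is not in the store (the CA manager does
    not know the path) and ValueError if the issuer references form a loop.
    """
    chain, seen = [], set()
    cert = store[caref]
    while True:
        if cert.subject in seen:
            raise ValueError(f"issuer loop at {cert.subject!r}")
        seen.add(cert.subject)
        chain.append(cert)
        if cert.self_signed:
            return chain
        if cert.issuer not in store:
            raise KeyError(f"issuer {cert.issuer!r} of {cert.subject!r} not in CA store")
        cert = store[cert.issuer]


def legacy_ca_certs(caref: str, store: dict) -> list:
    """Behaviour the thread describes as buggy: only the selected CA itself."""
    return [store[caref]]


def fixed_ca_certs(caref: str, store: dict) -> list:
    """Behaviour the issue asks for: the selected CA plus all its ancestors."""
    return ca_chain(caref, store)


def write_ca_file(certs: list) -> str:
    """Concatenate PEM blocks the way they would be written to serverx.ca."""
    return "".join(c.pem for c in certs)


def simulate_verify(leaf: Cert, ca_file_certs: list) -> tuple:
    """Walk from the user certificate up the ca file like OpenSSL's chain builder.

    depth 0 is the user certificate; each issuer must be present in the ca file
    until a self-signed certificate is reached. Returns (ok, message), with the
    message shaped like the OpenVPN log line quoted in the issue.
    """
    trusted = {c.subject: c for c in ca_file_certs}
    cert, depth = leaf, 0
    while not cert.self_signed:
        issuer = trusted.get(cert.issuer)
        if issuer is None:
            return False, (f"VERIFY ERROR: depth={depth}, "
                           f"error=unable to get issuer certificate: {cert.subject}")
        cert, depth = issuer, depth + 1
    return True, f"VERIFY OK: depth={depth}, {cert.subject}"


if __name__ == "__main__":
    for label, fn in (("legacy", legacy_ca_certs), ("fixed", fixed_ca_certs)):
        certs = fn("VPN Sub CA", CA_STORE)
        print(label, [c.subject for c in certs], simulate_verify(USER_CERT, certs)[1])
```

Running the block prints the legacy result (only "VPN Sub CA" in the file, verification failing at depth 1 with the sub-CA's name) next to the fixed result (sub-CA, intermediate and root, verification succeeding). For a self-signed peer CA both functions return the same single certificate, which matches the comment above that the problem does not show up with a self-signed root.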