Describe the bug
After upgrading the slave of my HA setup from 18.7.4_1 to 19.7.4, my OpenVPN services can't start, with the message: Cannot load CA certificate file /var/etc/openvpn/server9.ca (only 1 of 2 entries were valid X509 names)
I've got multiple VPN Instances and each one has the same failure.
Master is still on 18.7.4_1.
Expected behavior
a running ovpn service
Relevant log files

```
Sep 25 20:49:46 openvpn[32795]: Exiting due to fatal error
Sep 25 20:49:46 openvpn[32795]: Cannot load CA certificate file /var/etc/openvpn/server9.ca (only 1 of 2 entries were valid X509 names)
Sep 25 20:49:46 openvpn[32795]: Cannot load CA certificate file /var/etc/openvpn/server9.ca (entry 2 did not validate)
Sep 25 20:49:46 openvpn[32795]: OpenSSL: error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table
Sep 25 20:49:46 openvpn[32795]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 25 20:49:46 openvpn[32795]: WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
Sep 25 20:49:46 openvpn[31712]: library versions: OpenSSL 1.0.2s 28 May 2019, LZO 2.10
Sep 25 20:49:46 openvpn[31712]: OpenVPN 2.4.7 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Sep 10 2019
```
Additional context
I took a closer look at the CA files (/var/etc/openvpn/*) and was surprised to see that each CA file has two 100% identical certs included in one file. I compared that with my master node, which has only one cert in each CA file.
For example (content modified for privacy reasons):

`# cat /var/etc/openvpn/server9.ca`
For testing purposes I deleted the duplicate part in each CA file, but as soon as I start the VPN service, all files contain a double cert again. Even if I completely delete a CA file and start the service, a new CA file will be created with a double cert included.
Environment
OPNsense 19.7.4 (amd64, OpenSSL).
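As an added example (not code from the OPNsense project or from the reporter), here is a stdlib-only Python script that audits a CA bundle the way one would check the files in /var/etc/openvpn/: it fingerprints every PEM certificate entry by SHA-256 over its DER bytes (the same value `openssl x509 -noout -fingerprint -sha256` prints), reports any entry present more than once, and writes a copy that keeps only the first occurrence. The sample bundle is constructed with placeholder payloads that are not real X.509 certificates, and the function names are my own. Since the report says OPNsense regenerates the file on service start, this is a diagnostic for confirming the duplicate, not a fix for whatever writes it.

```python
"""Audit a PEM CA bundle for duplicate certificates and emit a de-duplicated copy.

Stdlib only, so it runs on an OPNsense box (python3) or anywhere else.
Entries are compared by SHA-256 over their DER bytes, so two byte-identical
copies of the same CA collapse to a single fingerprint.
"""
import base64
import hashlib
import re
import sys

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def pem_bodies(bundle):
    """Return the base64 body of every CERTIFICATE block, whitespace stripped, in file order."""
    return [re.sub(r"\s+", "", m.group(1)) for m in PEM_CERT.finditer(bundle)]


def fingerprint(b64_body):
    """SHA-256 hex digest of the DER encoding (the bytes OpenSSL actually loads)."""
    der = base64.b64decode(b64_body, validate=True)
    return hashlib.sha256(der).hexdigest()


def to_pem(b64_body):
    """Re-wrap a base64 body into a canonical 64-column PEM block."""
    lines = [b64_body[i:i + 64] for i in range(0, len(b64_body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def audit_bundle(bundle):
    """Count entries per fingerprint.

    Returns {"total": entries seen, "unique": distinct certs,
             "duplicates": {fingerprint: count} for certs seen more than once}.
    A non-empty "duplicates" map is the condition behind the
    'cert already in hash table' / 'only 1 of 2 entries were valid' errors in the log.
    """
    counts = {}
    for body in pem_bodies(bundle):
        fp = fingerprint(body)
        counts[fp] = counts.get(fp, 0) + 1
    return {
        "total": sum(counts.values()),
        "unique": len(counts),
        "duplicates": {fp: n for fp, n in counts.items() if n > 1},
    }


def dedupe_bundle(bundle):
    """Return the bundle with only the first copy of each distinct certificate kept."""
    seen = set()
    kept = []
    for body in pem_bodies(bundle):
        fp = fingerprint(body)
        if fp not in seen:
            seen.add(fp)
            kept.append(to_pem(body))
    return "".join(kept)


# Constructed sample input. The base64 payloads are placeholders, NOT real X.509
# DER, so parsing and fingerprinting can be exercised offline; on a real system
# point main() at /var/etc/openvpn/server9.ca instead.
_CA_A = base64.b64encode(b"placeholder-ca-certificate-A").decode()
_CA_B = base64.b64encode(b"placeholder-ca-certificate-B").decode()
# The same CA written twice, as the reporter saw, followed by one distinct CA.
SAMPLE_BUNDLE = to_pem(_CA_A) + to_pem(_CA_A) + to_pem(_CA_B)


def main(argv):
    """Report to stderr; if duplicates exist, write the cleaned bundle to stdout and exit 1."""
    if len(argv) > 1:
        with open(argv[1], "r", encoding="utf-8") as fh:
            bundle = fh.read()
    else:
        bundle = SAMPLE_BUNDLE
    report = audit_bundle(bundle)
    sys.stderr.write("entries=%d unique=%d\n" % (report["total"], report["unique"]))
    for fp, n in report["duplicates"].items():
        sys.stderr.write("DUPLICATE x%d sha256=%s\n" % (n, fp))
    if report["duplicates"]:
        sys.stdout.write(dedupe_bundle(bundle))
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 audit_ca.py /var/etc/openvpn/server9.ca > server9.clean.ca`; a non-zero exit means at least one certificate appeared more than once, and the fingerprints on stderr can be cross-checked against `openssl x509 -noout -fingerprint -sha256` on the master's copy of the file.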
Okay, looks like an OpenVPN bug. I reverted my VM back to 18.7.x and upgraded to 19.1.4, and as soon as OpenVPN 2.4.7 is used, the certs are corrupted.
I don't think it's an OpenVPN bug, as it only reads the configuration files provisioned by OPNsense. If certs are duplicated in the files, how can it be the fault of OpenVPN?