# OpenVPN 2.4.0 on FreeBSD 11 won't load CA file



## coredumb (Mar 23, 2017)

Hi, on my way to get OpenVPN working in full TLS-mode I always see the following log messages with a fatal error:

```
Thu Mar 23 12:13:12 2017 us=189137 OpenVPN 2.4.0 amd64-portbld-freebsd11.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jan  3 2017
Thu Mar 23 12:13:12 2017 us=189297 library versions: OpenSSL 1.0.2k-freebsd  26 Jan 2017, LZO 2.09
Thu Mar 23 12:13:12 2017 us=194280 Diffie-Hellman initialized with 4096 bit key
Thu Mar 23 12:13:12 2017 us=278443 Cannot load CA certificate file /etc/ssl/cert.pem (entry 129 did not validate)
Thu Mar 23 12:13:12 2017 us=289302 Cannot load CA certificate file /etc/ssl/cert.pem (only 171 of 172 entries were valid X509 names)
Thu Mar 23 12:13:12 2017 us=289496 Exiting due to fatal error
```

My setup includes key/cert issued by Let's Encrypt.

The system-wide CA file itself has been updated only recently:


```
lrwxr-xr-x  1 root  wheel  38 18 Mar 02:14 /etc/ssl/cert.pem -> /usr/local/share/certs/ca-root-nss.crt
```

On OpenVPN-side my config is this (only the relevant parts here):


```
#ca    /usr/local/share/certs/ca-root-nss.crt
ca     /etc/ssl/cert.pem
cert   /var/lib/acme/live/<hostname>/fullchain
key    /var/lib/acme/live/<hostname>/privkey
dh     /usr/local/etc/openvpn/tls/dh4096.pem
```

The interesting thing is that the very key/cert works just fine in combination with nginx. So my conclusion is that key/cert are okay. That brings me to the remainder, the system-wide root CA file. By the looks it is okay, too. Anyone who can help out or solved this thing entirely? Thanks in advance.


----------



## coredumb (Mar 23, 2017)

No solution yet, but I tried to sort out if the root-CA file was corrupt or otherwise not okay. Log entries are suggesting this. So I sort of rolled the package `ca_root_nss` a few steps back to v3.27.1. Error log entries are now different, but not substantially:


```
Thu Mar 23 23:36:02 2017 us=293913 Diffie-Hellman initialized with 4096 bit key
Thu Mar 23 23:36:02 2017 us=376053 Cannot load CA certificate file /usr/local/share/certs/ca-root-nss.crt (entry 126 did not validate)
Thu Mar 23 23:36:02 2017 us=385970 Cannot load CA certificate file /usr/local/share/certs/ca-root-nss.crt (only 164 of 165 entries were valid X509 names)
Thu Mar 23 23:36:02 2017 us=386060 Exiting due to fatal error
```
The numbers differ, the error remains.


----------



## xtaz (Mar 24, 2017)

I'm curious why you are trying to use Lets Encrypt certificates for OpenVPN. It's generally used with a self-signed CA which you control which is much more secure. The problem with the way that you are trying to do it is that in theory anybody who has a Lets Encrypt client certificate could use your VPN depending on your server configuration. Although I don't think LE sign client certificates anyway do they? So you probably can't even get this far.


----------



## coredumb (Mar 26, 2017)

Hi xtaz,
thanks for your input. I agree with your security considerations reg. the typical role model "site-to-site tunnel" or "multiple clients to tunnel server". My setup in mind is to have multiple IP phones connect to a voip service. These connections shall be transport secured. Some of those phones aren't within my control so that I can not easily put a PSK into it. Most of them should support (most) recent root CA certificates, at least the soft-phones among them. So yeah, that's the setup. In my imagination, this is a good match for an official LE cert on server side.

I am still supprised that OpenVPN doesn't seem to cooperate with official root CA certs though. Or at least with a rather large file containing many concatenated certs.


----------



## pirzyk (Jun 26, 2017)

Hi,

I too just ran into this problem.  The issue is that OpenVPN does not like multiple CAs with the same Subject and in the default ca-root-nss.crt file.  StartCom Ltd. has 2 CA certs (one is SHA1, the other is SHA256):

Subject: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority

If you remove one of them (I removed the SHA1 cert) and then restart OpenVPN it will work.

- JimP


----------



## gariac (Jun 28, 2017)

coredumb said:


> Hi xtaz,
> thanks for your input. I agree with your security considerations reg. the typical role model "site-to-site tunnel" or "multiple clients to tunnel server". My setup in mind is to have multiple IP phones connect to a voip service. These connections shall be transport secured. Some of those phones aren't within my control so that I can not easily put a PSK into it. Most of them should support (most) recent root CA certificates, at least the soft-phones among them. So yeah, that's the setup. In my imagination, this is a good match for an official LE cert on server side.
> 
> I am still supprised that OpenVPN doesn't seem to cooperate with official root CA certs though. Or at least with a rather large file containing many concatenated certs.



Hopefully you are still following this thread. The LetsEncrypt certs have no password associated with them, so what kind of authentication are you using?


----------

