It seems that OpenVPN refuses to verify user certificates if it does not know all of its ancestors. I.e. if the CA configured as "Peer Certificate Authority" in the OpenVPN Server UI is not self-signed, OpenVPN refuses to verify user certificates (even if signed directly by the _Peer Certificate Authority_) with the error `VERIFY ERROR: depth=1, error=unable to get issuer certificate: Peer Certificate Authority`.
A solution to this would be to add all ancestors of the _Peer Certificate Authority_ to the ca file (`/var/etc/openvpn/serverx.ca`) if the CA is a sub-CA (i.e. not self-signed).
_See also: https://forum.opnsense.org/index.php?topic=4830.0_
timeout due to inactivity
Actually still an issue. Did anyone ever try to use OpenVPN with TLS-Auth using a non-self-signed root CA?
Yes, it's still an issue with 19.1 (see https://forum.opnsense.org/index.php?topic=11601.0).
@AdSchellevis can you please reopen the issue?
@wschlich are you planning to work on it?
@AdSchellevis At least from a user perspective, yes :-)
Not a lot of people seem to be using this construction, hence the time out last time. I'll reopen this for now, but without people digging into the use case and related code, it's likely this will be closed again.
From what I've seen, @8191 was absolutely right regarding his findings. I've written mine down at https://forum.opnsense.org/index.php?topic=11601.0 -- basically OPNsense does not add the full CA certificate chain to /var/etc/openvpn/serverX.ca when the Peer Certificate Authority is not a self-signed, but an intermediate CA (signed by a Root CA which is managed by OPNsense as well).
I guess there's already code in OPNsense to do a full resolution of a chain of CA certificates? If yes, the fix should be easy.
The bug is in /usr/local/etc/inc/plugins.inc.d/openvpn.inc in lines 895+896 (on 19.1.1):
```php
// Looks up only the CA selected as Peer Certificate Authority ...
$ca = lookup_ca($settings['caref']);
// ... and writes that single certificate to serverX.ca; its parents are never added.
openvpn_add_keyfile($ca['crt'], $conf, $mode_id, "ca");
```
Simply no full CA chain resolution code there.
but that would suggest it doesn't work for self-signed certificates either, let me take a quick peek.
@AdSchellevis nope, works fine for self-signed Root CA certificates because the CA chain is completed already by adding just the Root CA certificate.
does OPNsense know the path for your intermediate CA?
@AdSchellevis yes, it does, as it consists solely of CA certificates that are managed by the OPNsense CA manager :-)
There's currently simply no code in place to actually try a CA chain resolution. The chosen Peer Certificate Authority is simply copied 1:1 :(
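The chain resolution that the two comments above describe as missing, sketched as an added Python example (not OPNsense code): it assumes a store shaped like OPNsense's CA manager entries, where each CA carries its PEM in `crt` and a sub-CA points at its parent via `caref`, and it refuses to emit a ca file when an ancestor is unknown, since that is exactly the case OpenVPN would later reject with "unable to get issuer certificate".

```python
# Added example, not code from OPNsense. Assumes a dict keyed by CA refid,
# each value holding 'crt' (PEM) and, for intermediates, 'caref' (parent refid).
# Root CAs have no 'caref'.


def resolve_ca_chain(ca_store, caref):
    """Return the PEM blobs from the chosen CA up to its self-signed root.

    Raises LookupError if an ancestor is not managed here (writing a partial
    chain would reproduce the VERIFY ERROR at depth=1) and ValueError if the
    parent links form a loop, so a broken store cannot hang the config build.
    """
    chain = []
    seen = set()
    ref = caref
    while ref:
        if ref in seen:
            raise ValueError(f"cycle in CA parent links at {ref!r}")
        seen.add(ref)
        ca = ca_store.get(ref)
        if ca is None:
            raise LookupError(f"ancestor CA {ref!r} is not managed here")
        chain.append(ca["crt"])
        ref = ca.get("caref")  # None for a root CA ends the walk
    return chain


def build_ca_file(ca_store, caref):
    """Contents for serverX.ca: every certificate of the chain, concatenated.

    OpenSSL does not care about the order of certificates in a CA file, so
    leaf-CA-first is fine.
    """
    pems = resolve_ca_chain(ca_store, caref)
    return "".join(p if p.endswith("\n") else p + "\n" for p in pems)


# Constructed sample store with placeholder PEM bodies (not real certificates).
SAMPLE_STORE = {
    "root": {"crt": "-----BEGIN CERTIFICATE-----\nROOT\n-----END CERTIFICATE-----\n"},
    "inter": {"caref": "root",
              "crt": "-----BEGIN CERTIFICATE-----\nINTER\n-----END CERTIFICATE-----"},
    "orphan": {"caref": "missing", "crt": "-----BEGIN CERTIFICATE-----\nORPHAN\n-----END CERTIFICATE-----\n"},
    "loop-a": {"caref": "loop-b", "crt": "A"},
    "loop-b": {"caref": "loop-a", "crt": "B"},
}

if __name__ == "__main__":
    print(build_ca_file(SAMPLE_STORE, "inter"))
```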
ok, one moment.
@wschlich can you try https://github.com/opnsense/core/commit/67f49486708770633ca615ee41f53439e0a962ce ?
From your console, you should be able to install using:
```
opnsense-patch 67f4948
```
@wschlich can you try 67f4948 ?
works flawlessly now (removed the workaround before having the openvpn instance config regenerated using the web UI), awesome! thank you :-) :+1:
Thank you!
@AdSchellevis for 19.1.2?
@fichtner yes please :)
@AdSchellevis , @fichtner you guys rock! :1st_place_medal:
@AdSchellevis My OPNsense firewall reported an issue in /usr/local/opnsense/mvc/app/controllers/OPNsense/OpenVPN/Api/ExportController.php, line 205 (function accountsActivation). Is it maybe related to your patch? That function is working with 'caref' as well...
@wschlich it can't be related, new style mvc code has no relation with the legacy code base.
Can you open a new issue with the full error?
> @wschlich it can't be related, new style mvc code has no relation with the legacy code base.

I see :-)

> Can you open a new issue with the full error?
Hmm, I submitted the issue via the web GUI crash reporting function. Did that already open up an issue somewhere?
sorry, we don't read those on a very regular basis, better to open a ticket describing steps to reproduce and data here.
I see... :/ actually I have no idea how this error occurred. If it happens again, I'll open a github issue then.
ok, thanks