OpenVPN fails to connect to self-signed server certificate.
To fix, reissue the server cert like this:
Create a new CSR for your server key:
openssl req -new -key /usr/local/etc/openvpn/openvpn-server.key -text -out /usr/local/etc/openvpn/openvpn-server.csr
Move your existing server certificate, so that you can roll back in case something goes wrong:
mv /usr/local/etc/openvpn/openvpn-server.crt /usr/local/etc/openvpn/openvpn-server-org.crt
Change working directory:
cd /usr/local/www/apache24/data/
Create a new server cert based on the new CSR, with the correct extensions. You use the password for the CA/site when asked.
openssl ca -config openssl.cnf -in /usr/local/etc/openvpn/openvpn-server.csr -out /usr/local/etc/openvpn/openvpn-server.crt -extensions server
Verify that the server cert has Netscape Cert Type: SSL Server, and X509v3 Extended Key Usage: TLS Web Server Authentication:
openssl x509 -in /usr/local/etc/openvpn/openvpn-server.crt -text -noout
Just restart OpenVPN after the new cert.
/usr/local/etc/rc.d/openvpn restart
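A scripted form of the verification step above, added here as an example and not part of the original issue: it parses `openssl x509 -text -noout` output and fails unless both extensions named in the post are present, so it can gate the restart. The function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the issue): check a re-issued server certificate
# for the two extensions the post says to verify before restarting OpenVPN.

# Read `openssl x509 -text -noout` output on stdin and print the value line
# that follows the extension header given in $1 (prints nothing if absent).
ext_value() {
    awk -v hdr="$1" '
        found { sub(/^[ \t]+/, ""); print; exit }
        index($0, hdr) { found = 1 }
    '
}

# Return 0 only if both extensions carry the server values.
# Prints one line per problem found.
check_server_cert_text() {
    text=$(cat)
    rc=0
    eku=$(printf '%s\n' "$text" | ext_value "X509v3 Extended Key Usage:")
    nsct=$(printf '%s\n' "$text" | ext_value "Netscape Cert Type:")
    case "$eku" in
        *"TLS Web Server Authentication"*) ;;
        *) echo "missing EKU: TLS Web Server Authentication"; rc=1 ;;
    esac
    case "$nsct" in
        *"SSL Server"*) ;;
        *) echo "missing Netscape Cert Type: SSL Server"; rc=1 ;;
    esac
    return $rc
}

# Wrapper for a certificate file; the default path is the one used in the post.
check_server_cert_file() {
    openssl x509 -in "${1:-/usr/local/etc/openvpn/openvpn-server.crt}" \
        -text -noout | check_server_cert_text
}

# Constructed sample: extension section of a cert issued without the
# server extensions (client EKU only, no Netscape Cert Type).
SAMPLE_BAD='        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication'

printf '%s\n' "$SAMPLE_BAD" | check_server_cert_text || echo "do not restart yet"
```

Running `check_server_cert_file && /usr/local/etc/rc.d/openvpn restart` restarts the daemon only when the new certificate passes the check.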
Might need an "echo -n 25 > serial" in /usr/local/www/apache24/data/
99 is the last serial number on an issued cert; if your issued folder has more than 25, increase the number.
You would have gotten
34379279064:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:398:fopen('.//serial','r')
as an error if no serial file exists.