Error Parsing CA Cert: X509-CRT/CRL/CSR Has Unsupported Version Number

Post by alteredstate » Fri Mar 02, 2018 2:16 am

Hello Everyone,

I was attempting to set up OpenVPN Connect (OpenVPN 1.2.9 build 0 (iOS 64-bit)) on my iPad (iOS 11.2.6) but I'm receiving this error after downloading the *.ovpn file from pfSense and installing it in OpenVPN Connect:

EVENT: CORE_ERROR mbed TLS: error parsing ca certificate: X509 - CRT/CRL/CSR has an unsupported version number [ERR]
I've been able to download the *.ovpn file and get it to work with my Android in the past so I know it works. Also, OpenVPN Connect does not appear to try and connect to my OpenVPN Server before throwing this error but my OpenVPN Server version on pfSense is: OpenVPN 2.4.4 amd64-portbld-freebsd11.1. Anyone have an idea of how I could correct this issue?

Post by alteredstate » Mon Apr 02, 2018 4:57 pm

Anyone have an idea as to what is causing this error?

Post by TinCanTech » Mon Apr 02, 2018 6:00 pm

alteredstate wrote:
Fri Mar 02, 2018 2:16 am
I'm receiving this error after downloading the *.ovpn file from pfSense and installing it in OpenVPN Connect:

EVENT: CORE_ERROR mbed TLS: error parsing ca certificate: X509 - CRT/CRL/CSR has an unsupported version number [ERR]
You need to know how pfSense created the certificate.

Post by alteredstate » Mon Apr 02, 2018 6:12 pm

TinCanTech wrote:
Mon Apr 02, 2018 6:00 pm
alteredstate wrote:
Fri Mar 02, 2018 2:16 am
I'm receiving this error after downloading the *.ovpn file from pfSense and installing it in OpenVPN Connect:

EVENT: CORE_ERROR mbed TLS: error parsing ca certificate: X509 - CRT/CRL/CSR has an unsupported version number [ERR]
You need to know how pfSense created the certificate.
Do you know where I would find this information at? I created the certificate through the webgui...and in the past it has worked just fine.

Post by TinCanTech » Mon Apr 02, 2018 8:25 pm

alteredstate wrote:
Mon Apr 02, 2018 6:12 pm
Do you know where I would find this information at?
Perhaps the pfSense manual or forum ..
alteredstate wrote:
Mon Apr 02, 2018 6:12 pm
X509 - CRT/CRL/CSR has an unsupported version number [ERR]
This is what a valid certificate looks like:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e9:5a:70:40:5c:a2:ef:0a:e2:09:54:3d:81:12:33:a2
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN=Easy-RSA CA
        Validity
            Not Before: Apr  2 19:13:23 2018 GMT
            Not After : Mar 30 19:13:23 2028 GMT
Version number 3 seems to be valid .. what version number is yours ?

Post by alteredstate » Tue Apr 03, 2018 12:12 am

TinCanTech wrote:
Mon Apr 02, 2018 8:25 pm
alteredstate wrote:
Mon Apr 02, 2018 6:12 pm
Do you know where I would find this information at?
Perhaps the pfSense manual or forum ..
alteredstate wrote:
Mon Apr 02, 2018 6:12 pm
X509 - CRT/CRL/CSR has an unsupported version number [ERR]
This is what a valid certificate looks like:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e9:5a:70:40:5c:a2:ef:0a:e2:09:54:3d:81:12:33:a2
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN=Easy-RSA CA
        Validity
            Not Before: Apr  2 19:13:23 2018 GMT
            Not After : Mar 30 19:13:23 2028 GMT
Version number 3 seems to be valid .. what version number is yours ?
Forgive my ignorance but exactly what file are you getting that information from for OpenVPN? Here's what I have in /etc/openvpn on my pfSense box:

[2.4.2-RELEASE][root@pfSense]/var/etc/openvpn:
client1.ca
client1.cert
client1.conf
client1.interface
client1.key
client1.sock
client1.tls-auth
server2.ca
server2.cert
server2.conf
server2.interface
server2.key
server2.sock
server2.tls-auth
I also tried:

openssl pkcs12 -info -in ~/Downloads/OpenVPN+User+Cert.p12
I downloaded the OpenVPN+User+Cert.p12 file from the pfSense OpenVPN Client Export section, but neither that nor the previous list of files showed anything about version information like in your example.

Post by TinCanTech » Tue Apr 03, 2018 12:29 am

alteredstate wrote:
Tue Apr 03, 2018 12:12 am
what file are you getting that information from
a .cert file should have the same info ..

Post by alteredstate » Tue Apr 03, 2018 4:56 pm

TinCanTech wrote:
Tue Apr 03, 2018 12:29 am
alteredstate wrote:
Tue Apr 03, 2018 12:12 am
what file are you getting that information from
a .cert file should have the same info ..

[2.4.2-RELEASE][root@pfSense]/var/etc/openvpn: find / -name "*.cert"
/var/etc/openvpn/server2.cert
/var/etc/openvpn/client1.cert
Those were the files I previously mentioned that did not contain any version information.

[2.4.2-RELEASE][root@pfSense]/var/etc/openvpn: find / -name "*.crt"
/usr/local/share/certs/ca-root-nss.crt
/var/etc/cert.crt
ca-root-nss.crt is just the default bundle of X.509 certificates and cert.crt has no version information. I suppose I should take this issue to the pfSense forum. Thank you for the help though!

Post by TinCanTech » Tue Apr 03, 2018 5:40 pm

You can always try opening the cert on the client that uses it ..

Post by alteredstate » Tue Apr 03, 2018 8:44 pm

TinCanTech wrote:
Tue Apr 03, 2018 5:40 pm
You can always try opening the cert on the client that uses it ..
These are all the OpenVPN client files you can download from the Client Export Utility (minus the Windows *.exe install files). The Client Export Utility is an installable package from the pfSense repository. I've been able to use one of these files and install it on my OpenVPN client to get it to work in the past. None of the files contain anything regarding version information.

marcus@macbookpro:~/Downloads$ tree ./OpenVPN\ User/
./OpenVPN User/
├── pfSense-UDP4-1194-marcus
│   ├── pfSense-UDP4-1194-marcus.ovpn
│   ├── pfSense-UDP4-1194-marcus.p12
│   └── pfSense-UDP4-1194-marcus-tls.key
├── pfSense-UDP4-1194-marcus-android-config.ovpn
├── pfSense-UDP4-1194-marcus-config.ovpn
├── pfSense-UDP4-1194-marcus-ios-config.ovpn
├── pfSense-UDP4-1194-marcus-viscosity-config.ovpn
└── Viscosity.visc
    ├── ca.crt
    ├── cert.crt
    ├── config.conf
    ├── key.key
    └── ta.key
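
Added example, not part of the thread or of any poster's code: the "Version: 3 (0x2)" line quoted earlier is decoded output, while PEM files and an inline <ca> block hold the same field base64-encoded, so it never appears as readable text. The Python sketch below reads the X.509 version from every certificate in a profile's <ca> block; it assumes the exported .ovpn carries the CA inline in <ca> tags, and SAMPLE_PROFILE and constructed_pem are constructed test input (DER prefixes only, not real certificates).

```python
import base64
import re

PEM = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def x509_version(der):
    """Return the version of a DER certificate (1, 2 or 3 per RFC 5280)."""
    pos = 0
    for _ in range(2):                     # Certificate, then tbsCertificate
        tag, pos, _end = read_tlv(der, pos)
        if tag != 0x30:
            raise ValueError("expected a DER SEQUENCE")
    tag, start, end = read_tlv(der, pos)   # [0] EXPLICIT version, or the serial number
    if tag != 0xA0:
        return 1                           # version field absent: DEFAULT v1
    tag, start, end = read_tlv(der, start)
    if tag != 0x02:
        raise ValueError("version is not an INTEGER")
    return int.from_bytes(der[start:end], "big") + 1   # encoded 0,1,2 = v1,v2,v3

def ca_versions(ovpn_text):
    """Versions of all certificates in the inline <ca> block of a profile."""
    block = re.search(r"<ca>(.*?)</ca>", ovpn_text, re.S)
    body = block.group(1) if block else ""
    return [x509_version(base64.b64decode("".join(p.split())))
            for p in PEM.findall(body)]

def constructed_pem(version_field):
    """Constructed input: only the DER prefix the check reads, not a real cert."""
    tbs = version_field + bytes([0x02, 0x01, 0x01])          # version + serial 1
    der = bytes([0x30, len(tbs) + 2, 0x30, len(tbs)]) + tbs
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----\n")

SAMPLE_PROFILE = ("client\n<ca>\n" + constructed_pem(bytes([0xA0, 3, 2, 1, 2]))
                  + constructed_pem(bytes([0xA0, 3, 2, 1, 3])) + "</ca>\n")
print(ca_versions(SAMPLE_PROFILE))  # constructed: one v3, one out-of-range version
```

Any value outside 1 to 3 in the result points at the certificate a strict parser would refuse; to check a real profile, pass the text of the .ovpn file to ca_versions.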