Hello rpr,
The root cause is the valid signed certificates being loaded into the Access Server's SSL web certs fallback directory.
Access Server maintains a CA and server web certificate in the web-ssl directory. This is done so that Access Server has a fallback in case there are no valid certificates in Access Server's configuration database. It also as of version 2.9 will try to regenerate these automatically to meet stricter requirements. However in your case that fails and Access Server stops because the CA key is missing.
For some reason your ca.key file was deleted. Most likely what happened is that you removed these files at some point and then instead put your own validated signed certificates in this directory. Apparently you don't have any web certs in your configuration database so Access Server thinks it has no valid certificates, so it goes to the fallback, and that one happens to now be your signed certificates. But it is unable to do its programmed actions to ensure those certs are updated to current security standards for self-signed certificates.
I am making the assumption that the files now in the web-ssl directory are signed certificate, because you have TERENA SSL CA 3 in there, which is likely a valid party for providing signed certificates. So they shouldn't be regenerated anyways. They're just in the wrong place, basically.
To solve this properly there are 3 steps that you should do.
1: Backup.
2: Load these certificates into the Access Server configuration database.
3: Regenerate the self-signed certificates for Access Server.
Step 1:
Before you do anything though, make a backup. This guide shows how to backup the configuration of Access Server:
https://openvpn.net/vpn-server-resource ... figuration
Step 2:
Now with that backed up, I suggest you run these following commands to load your signed certificates into the Access Server database. This will load those files into the Access Server configuration database, and the web services should use those the next time Access Server tries to start up.
cd /usr/local/openvpn_as/scripts/
./sacli --key "cs.priv_key" --value_file "../etc/web-ssl/server.key" ConfigPut
./sacli --key "cs.cert" --value_file "../etc/web-ssl/server.crt" ConfigPut
./sacli --key "cs.ca_bundle" --value_file "../etc/web-ssl/ca.crt" ConfigPut
Step 3:
Now to restore the fallback certificates to normal, I recommend you first backup the files in web-ssl. Once you've done that, run these commands:
cd /usr/local/openvpn_as/etc/web-ssl/
rm server.key
rm server.crt
rm ca.crt
cd /usr/local/openvpn_as/scripts/
./certool -d ../etc/web-ssl --type ca --unique --cn "OpenVPN Web CA"
./certool -d ../etc/web-ssl --type server --remove_csr --sn_off --serial 1 --name server --cn "openvpnas"
You can replace "openvpnas" with a FQDN name of your server, but it's not really relevant. Whenever Access Server starts up, and it has no SSL certificates in its configuration database, it will use the fallback certificates. If it sees those do not have a CN that matches the current hostname setting in Access Server, it will regenerate those automatically for you. The only thing you were missing for this to work was the ca.key file, which with the above commands should be regenerated fine.
Now restart the Access Server service with "service openvpnas restart" and things should be operating correctly again.
Kind regards,
Johan
OpenVPN Inc.