I’m running into a problem regarding certificates for VyOS 1.4. The problem arises when having a CA certificate file with multiple certificates in it that I want to use in my OpenVPN configuration.
In VyOS I’m using OpenVPN and in VyOS 1.3 we can supply the CA certificates as a file path (ca.crt, for example), however, in VyOS 1.4 introduced PKI, where you have to import each certificate separately. Now I’m able to import all the certificates/keys, but how am I supposed to use this with OpenVPN?
In VyOS 1.3 you could do: set interfaces openvpn vtun1 tls ca-cert-file /config/auth/openvpn/ca.crt
In VyOS 1.4 you have to do:
set pki ca ca-crt1 certificate xyz
set pki ca ca-crt2 certificate xyz
set pki ca ca-crt3 certificate xyz
set interfaces openvpn vtun1 tls ca-certificate 'ca-crt1'
However, “ca-crt1” points to a single certificate instead of a list of certificates, so this is incorrect I believe. Looking at the final OpenVPN .conf file seems to confirm this, since the .conf contains a line “ca /run/openvpn/vtun1_ca.pem” which has only a single certificate. In the working OpenVPN configuration, the “ca” line would point to a file which has all CA certificates in it.
Can someone explain to me how to correctly use this functionality in VyOS 1.4, the documentation does not cover this use case AFAICT. Please correct me if I’m wrong.
Did you try:
Store your certs like in the old days, and use openvpn-option to get whatever you want in .conf file
set interfaces openvpn vtun10 openvpn-option ‘line here’
Seems I’ve run into the same issue, but with EAPoL rather than openvpn. Presently waiting for my Phabricator account to get approved so I can submit the bug report. Need to hold off on the upgrade to 1.4 for a while I guess.
I have found the same problem with site-to-site ipsec certificates, with only one CA cert allowed
set vpn ipsec site-to-site peer any authentication x509 ca-certificate cert1
However I have found a workaround if needed, please PM me