nblom / openvpn-php

OpenVPN PHP webgui
GNU General Public License v3.0

Server cert wrong type, new openvpn clients cannot connect. #2

Open nblom opened 3 years ago

nblom commented 3 years ago

OpenVPN fails to connect to a self-signed server certificate.

To fix, re-issue the server cert like this:

Create a new CSR for your server key:

    openssl req -new -key /usr/local/etc/openvpn/openvpn-server.key -text -out /usr/local/etc/openvpn/openvpn-server.csr

Move your existing server certificate, so you can roll back in case something goes wrong:

    mv /usr/local/etc/openvpn/openvpn-server.crt /usr/local/etc/openvpn/openvpn-server-org.crt

Change working directory:

    cd /usr/local/www/apache24/data/

Create a new server cert based on the new CSR, with the correct extensions. You use the password for the CA/site when asked:

    openssl ca -config openssl.cnf -in /usr/local/etc/openvpn/openvpn-server.csr -out /usr/local/etc/openvpn/openvpn-server.crt -extensions server

Verify that the server cert has "Netscape Cert Type: SSL Server" and "X509v3 Extended Key Usage: TLS Web Server Authentication":

    openssl x509 -in /usr/local/etc/openvpn/openvpn-server.crt -text -noout

Just restart OpenVPN after the new cert:

    /usr/local/etc/rc.d/openvpn restart
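The verification step above is the one that matters for this issue, so here is an added check script (not part of openvpn-php) that parses `openssl x509 -text -noout` output and reports which of the two server extensions are missing. The certificate excerpts are constructed sample data, and `check_cert_file` assumes `openssl` is on the PATH.

```python
import re
import subprocess
# Constructed excerpt of `openssl x509 -text -noout` output for a cert
# re-issued with `-extensions server` (sample data, not a real cert).
GOOD_CERT_TEXT = """\
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
"""
# Constructed excerpt for a cert issued without the server extensions.
BAD_CERT_TEXT = """\
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
"""
# What OpenVPN expects to see on a server certificate.
REQUIRED = {
    "Netscape Cert Type": "SSL Server",
    "X509v3 Extended Key Usage": "TLS Web Server Authentication",
}

def extension_values(text):
    # Map each extension header (12-space indent) to its value lines (16+).
    values, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^ {12}(\S[^:]*):\s*(critical)?\s*$", line)
        if m:
            current = m.group(1)
            values[current] = ""
        elif current and line.startswith(" " * 16):
            values[current] += line.strip() + " "
    return values

def missing_server_extensions(text):
    # Return the required extensions not found; an empty list means OK.
    found = extension_values(text)
    return [f"{name}: {want}" for name, want in REQUIRED.items()
            if want not in found.get(name, "")]

def check_cert_file(path):
    # Run the same openssl command as in the issue and check its output.
    out = subprocess.run(["openssl", "x509", "-in", path, "-text", "-noout"],
                         capture_output=True, text=True, check=True).stdout
    return missing_server_extensions(out)
```

Run `check_cert_file("/usr/local/etc/openvpn/openvpn-server.crt")` before restarting OpenVPN; an empty list means the cert carries both extensions.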

nblom commented 3 years ago

You might need an `echo -n 25 > serial` in /usr/local/www/apache24/data/. 99 is the last serial number on an issued cert; if your issued folder has more than 25, increase the number.

You would have gotten the following error if no serial file exists:

    34379279064:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:398:fopen('.//serial','r')