pfSense and OpenVPN + step-ca: TLS handshake failing (SOLVED)

I actually solved my problem. I never installed the root certificate on my firewall. I only added the intermediate certificate to the Trust Store. I added the root cert and then increased the certificate depth checking to 2 and it worked! I needed to complete the chain of trust.

I have a pfSense Netgate setup, and I’m trying to get OpenVPN to work with my step-ca self-hosted certificate authority. I have hosted the server and issued several certificates to secure my HTTPS traffic. This has worked fine.

I wanted to use pfSense with the same CA, so I imported an intermediate CA cert from my step-ca server, issued a certificate inside pfSense, and was able to secure my web GUI.

I attempted to use this intermediate CA with my OpenVPN, and it failed. I have tried several different ways to troubleshoot the configuration, and nothing seems to work.

I have successfully gotten OpenVPN up and running on my server using a new internal-ca with certificates for the server and user.

I thought it had something to do with common name verification, but on the client export, I selected ‘do not verify the server CN.’ The connection still fails. I turned off certificate depth checking, unchecked client certificate key usage validation, and turned off the TLS key. I thought it had something to do with Alternative Names, so I added my interface IP into the SAN for my OpenVPN server, but that didn’t help either.

I successfully got OpenVPN working with the self-signed CA, but I’d like to know what went wrong. This is more of a learning exercise for how SSL/TLS works.

I looked at my config.ovpn file, but I cannot extrapolate much information to guide me on what changes might be needed to my configuration for authentication to work. Smallstep has limited documentation on OpenVPN. I’ve only been able to find this article: Announcing X.509 Certificate Flexibility.

The error in the logs is not very verbose. It just says TLS Error: TLS handshake failed. I tried both in UDP and in TCP, and it still failed.

I increased my log output but don’t know how to interpret the information from the output. It’s just long strings of numbers.

Any suggestions would be appreciated.
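The chain-of-trust point in the solution can be reproduced outside pfSense. The script below is an added example written for this page, not the poster's configuration or anything from Smallstep: it builds a made-up root -> intermediate -> server chain with the openssl CLI (names lab-root, lab-intermediate and vpn.lab.example are invented, and a temporary directory stands in for the firewall's trust store) and then verifies the server certificate the way a TLS client does. A store that holds only the intermediate is rejected because the verifier cannot reach a self-signed anchor; adding the root, or telling openssl to accept the intermediate as an anchor with -partial_chain, makes the same certificate pass. It also shows the two different depth numberings in play: openssl's -verify_depth counts intermediate CAs, while OpenVPN's tls-verify callback (which pfSense's "Certificate Depth" bounds) numbers the peer certificate 0 and counts upward, so a chain with one intermediate has its root at depth 2.

```shell
#!/bin/sh
# Added example, not from the original post: lab chain root -> intermediate
# -> server built with openssl, then verified against different trust stores.
# All subject names are made up; requires only the openssl command.
set -eu

WORK="$(mktemp -d)"

# one config file serves both 'req' (empty DN, we pass -subj) and the extensions
cat > "$WORK/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:vpn.lab.example
EOF

# key + CSR for one subject; $1 = file stem, $2 = CN
csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" -config "$WORK/lab.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

build_chain() {
  csr root lab-root
  csr int lab-intermediate
  csr server vpn.lab.example
  # root: self-signed CA, the only thing a verifier will accept as an anchor by default
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
    -extfile "$WORK/lab.cnf" -extensions ca_ext -out "$WORK/root.pem" 2>/dev/null
  # intermediate: CA certificate issued by the root
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/lab.cnf" -extensions ca_ext \
    -out "$WORK/int.pem" 2>/dev/null
  # server: end-entity certificate issued by the intermediate (what the VPN server presents)
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -extfile "$WORK/lab.cnf" -extensions server_ext \
    -out "$WORK/server.pem" 2>/dev/null
  # the trust store as first configured (intermediate only) and as it needed to be
  cp "$WORK/int.pem" "$WORK/store-int-only.pem"
  cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/store-root-and-int.pem"
}

# verify_server STORE [extra openssl verify args...]
# exits 0 when server.pem chains to an anchor in STORE, non-zero otherwise
verify_server() {
  store="$1"; shift
  openssl verify -CAfile "$store" "$@" "$WORK/server.pem" >/dev/null 2>&1
}

# Each certificate with the depth OpenVPN's tls-verify callback assigns it:
# 0 = peer certificate, counting up toward the root.
chain_depths() {
  d=0
  for c in server int root; do
    printf 'depth=%d %s\n' "$d" "$(openssl x509 -noout -subject -in "$WORK/$c.pem")"
    d=$((d + 1))
  done
}

# named scenarios; each returns openssl verify's verdict
intermediate_only()      { verify_server "$WORK/store-int-only.pem"; }
root_plus_sent_chain()   { verify_server "$WORK/root.pem" -untrusted "$WORK/int.pem"; }
root_and_intermediate()  { verify_server "$WORK/store-root-and-int.pem"; }
intermediate_as_anchor() { verify_server "$WORK/store-int-only.pem" -partial_chain; }
too_shallow()            { verify_server "$WORK/store-root-and-int.pem" -verify_depth 0; }

build_chain
for t in intermediate_only root_plus_sent_chain root_and_intermediate \
         intermediate_as_anchor too_shallow; do
  if "$t"; then r=accepted; else r=rejected; fi
  printf '%-24s %s\n' "$t" "$r"
done
chain_depths
```

The root_plus_sent_chain case is the one that models a correctly configured OpenVPN peer: only the root sits in the ca file, and the intermediate arrives as part of the certificate message from the other side. The too_shallow case is the openssl equivalent of a depth limit that is one level too small; it fails for the same reason the original depth setting of 1 did, even though the whole chain is present. The temporary directory is left in place so the generated files can be inspected afterwards.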