I have been running OpenVPN with self-signed certificates without a problem. In the name of science, I had to go and break something that had been working just fine. Actually, in the interest of properly joining the Public Key Infrastructure (PKI), I obtained a signed SSL certificate from Comodo's PositiveSSL CA. (Namecheap offered them for free when I transferred domains to them, so it was a "why not" moment.) Getting the certificate was quite a task in and of itself, but that is another story altogether.

After installing the certificate in Apache, which was the primary goal, I noticed that OpenVPN also uses X.509 certificates, and the wheels in my head started turning. "It should be a simple drop-in affair," or so I thought at first as I copied the SSL certificate, private key and CA certificate into place.

First, because an SSL certificate is issued for one host at a time, I had to choose between buying an SSL certificate for each of the hosts or having clients authenticate through a method other than certificates. I chose the latter and ended up with these configuration files (excerpts):

Server:
    port 1194

Client:
    client

Attempts at connecting return the error:

    SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Research turns up that this means the server certificate cannot be verified up to a root CA. OpenVPN does not use the operating system's built-in root certificate store; it relies only on OpenSSL and the CA certificates handed to it in its configuration (the ca directive) to verify the peer's certificate. The equivalent command-line check is:

    openssl verify -CAfile ca.crt ssl.crt

Armed with this command, I set out to find the missing link. Comodo's CA bundle contains two certificates: the PositiveSSL CA certificate, issued by UTN-USERFirst-Hardware, and a UTN-USERFirst-Hardware certificate issued by AddTrust External CA Root. That second certificate is a cross-signed copy of the CA, so the chain it builds ends at AddTrust External CA Root, which is not in the bundle. OpenSSL (and therefore OpenVPN) only accepts a chain that terminates in a self-signed root certificate present in the CA file, so the verification has nowhere to anchor. A search on these names led me to this page.
With some trial and error, I found that replacing the UTN-USERFirst-Hardware certificate in the CA bundle with the downloaded UTN-USERFirst-Hardware certificate (the self-signed root version of that CA) lets the chain pass OpenSSL verification. After distributing this new CA bundle to the clients, they are able to connect!
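To make the failure and the fix reproducible, here is an added example (not code from the original post) that builds a throwaway PKI mirroring this chain: a self-signed root, a second CA that exists both as its own self-signed root and as a cross-signed copy issued by the first, an intermediate, and a server certificate. It then runs the same openssl verify check against the vendor-style bundle, the bundle with the self-signed root swapped in, and a bundle completed with the upstream root instead. It goes one step beyond the text by also running a hostname check. All names (Demo External Root, Demo Hardware CA, Demo Positive CA, vpn.example.com) are made up, and it assumes an OpenSSL 1.1.1 or 3.x command-line tool is installed.

```shell
#!/bin/sh
# Added example, not code from the original post. Rebuilds the failing and the
# fixed CA bundles with a throwaway demo PKI and runs the same `openssl verify`
# check that OpenVPN's trust decision comes down to. Assumes an OpenSSL 1.1.1
# or 3.x command-line tool on PATH. All names are made up: "Demo External Root"
# stands in for AddTrust External CA Root, "Demo Hardware CA" for
# UTN-USERFirst-Hardware, "Demo Positive CA" for the PositiveSSL CA.
set -eu

CA_EXT='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'
LEAF_EXT='basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:vpn.example.com'

# csr DIR NAME KEYFILE SUBJECT: write DIR/NAME.csr, generating KEYFILE if absent.
# Passing an existing key is how the cross-signed copy reuses the CA's key pair.
csr() {
    [ -f "$3" ] || openssl genrsa -out "$3" 2048 2>/dev/null
    openssl req -new -config "$1/req.cnf" -key "$3" -subj "$4" \
        -out "$1/$2.csr" 2>/dev/null
}

# sign DIR NAME EXTENSIONS [ISSUER_CRT ISSUER_KEY]: issue DIR/NAME.crt from
# DIR/NAME.csr. With no issuer given the certificate is self-signed (a root).
sign() {
    printf '%s\n' "$3" > "$1/$2.ext"
    if [ $# -ge 5 ]; then
        openssl x509 -req -in "$1/$2.csr" -CA "$4" -CAkey "$5" -CAcreateserial \
            -days 2 -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
    else
        openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" \
            -days 2 -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
    fi
}

# build_demo_pki DIR: create the certificates and the three candidate bundles.
build_demo_pki() {
    d=$1
    # Minimal req config so `openssl req` does not depend on the system openssl.cnf.
    printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\n' > "$d/req.cnf"
    # Self-signed external root (the AddTrust counterpart).
    csr "$d" external "$d/external.key" '/CN=Demo External Root'
    sign "$d" external "$CA_EXT"
    # Hardware CA: one key pair, two certificates. hardware.crt is its own
    # self-signed root; hardware-cross.crt has the same subject and key but is
    # issued by the external root, i.e. the cross-signed copy vendors ship.
    csr "$d" hardware "$d/hardware.key" '/CN=Demo Hardware CA'
    sign "$d" hardware "$CA_EXT"
    csr "$d" hardware-cross "$d/hardware.key" '/CN=Demo Hardware CA'
    sign "$d" hardware-cross "$CA_EXT" "$d/external.crt" "$d/external.key"
    # Intermediate issued by the hardware key, then the VPN server certificate.
    csr "$d" positive "$d/positive.key" '/CN=Demo Positive CA'
    sign "$d" positive "$CA_EXT" "$d/hardware.crt" "$d/hardware.key"
    csr "$d" vpn "$d/vpn.key" '/CN=vpn.example.com'
    sign "$d" vpn "$LEAF_EXT" "$d/positive.crt" "$d/positive.key"
    # As shipped: intermediate + cross-signed CA, and no self-signed root at all.
    cat "$d/positive.crt" "$d/hardware-cross.crt" > "$d/bundle-vendor.pem"
    # Fix from the post: swap the cross-signed copy for the self-signed root.
    cat "$d/positive.crt" "$d/hardware.crt" > "$d/bundle-root.pem"
    # Equivalent fix: keep the cross-signed copy, add the root it chains up to.
    cat "$d/positive.crt" "$d/hardware-cross.crt" "$d/external.crt" \
        > "$d/bundle-full.pem"
}

# verify_chain BUNDLE LEAF [HOSTNAME]: prints "ok" or "fail". -no-CApath keeps
# the system store out of the decision, which is how OpenVPN behaves with `ca`;
# the optional hostname adds the name check that verify-x509-name performs.
verify_chain() {
    if [ $# -ge 3 ]; then
        set -- -verify_hostname "$3" -no-CApath -CAfile "$1" "$2"
    else
        set -- -no-CApath -CAfile "$1" "$2"
    fi
    if openssl verify "$@" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

main() {
    d=$(mktemp -d)
    build_demo_pki "$d"
    for b in vendor root full; do
        printf 'bundle-%-6s %s\n' "$b" "$(verify_chain "$d/bundle-$b.pem" "$d/vpn.crt")"
    done
    printf 'bundle-root, name other.example.com: %s\n' \
        "$(verify_chain "$d/bundle-root.pem" "$d/vpn.crt" other.example.com)"
    rm -rf "$d"
}
main
```

Running it prints fail for the vendor-style bundle and ok for both repaired bundles, which is the whole story above in miniature: the bundle with the cross-signed copy never reaches a self-signed certificate in the CA file, and either swapping in the self-signed root or appending the upstream root gives the chain an anchor. The last line fails because the certificate does not carry the name other.example.com, and that check matters once a public CA is the trust anchor: every certificate that CA has ever issued then chains to the client's ca file, so the client configuration should also pin the server's name with verify-x509-name (tls-remote on OpenVPN 2.2 and older) rather than rely on ca alone.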