Bug 1630313

Summary: Missing support for --extra-certs
Product: [Fedora] Fedora EPEL
Reporter: David Sommerseth <dazo>
Component: NetworkManager-openvpn
Assignee: Gwyn Ciesla <gwync>
Status: NEW
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: epel7
CC: choeger, code, dcbw, gwync, lkundrak, steve, thaller
Hardware: Unspecified
OS: Unspecified
Type: Bug

Description David Sommerseth 2018-09-18 11:33:09 UTC
Description of problem:
OpenVPN has supported --extra-certs since version 2.3, but the OpenVPN NetworkManager plug-in does not understand this option.  This option points to a file or can be an embedded file in a configuration file.

From the man page:

   --extra-certs file
          Specify  a file containing one or more PEM certs (concatenated together) that
          complete the local certificate chain.

          This option is useful for "split" CAs, where the CA for server certs is
          different than the CA for client certs.  Putting certs in this file allows them
          to be used to complete the local certificate chain without trusting  them  to
          verify the peer-submitted certificate, as would be the case if the certs were
          placed in the ca file.

One known VPN service provider actively using this feature is Private Tunnel ( https://www.privatetunnel.com/ )

Comment 1 Thomas Haller 2018-09-18 11:46:54 UTC
Feature added upstream: https://gitlab.gnome.org/GNOME/network-manager-openvpn/commit/3c8d06797dcfdd0111fa228f90741712495180b8

which is present in 1.8.2 or newer.

EPEL is still at 1.2.6
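
The following is an added example, not part of the bug report or of the plug-in's code: a small check that reports whether an OpenVPN profile uses extra-certs in either form the description mentions (a file path or an embedded block), which is what an importer has to recognize. The function name, the sample profile, its host name and the certificate placeholders are constructed for illustration.

```python
import re

# Constructed sample profile (not from a real provider); certificate bodies are placeholders.
SAMPLE_OVPN = """\
client
remote vpn.example.test 1194
ca ca.crt
cert client.crt
key client.key
<extra-certs>
-----BEGIN CERTIFICATE-----
MIIB...constructed-placeholder-1...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIB...constructed-placeholder-2...
-----END CERTIFICATE-----
</extra-certs>
"""

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"

def find_extra_certs(config_text):
    """Return (form, value) pairs: ("file", path) or ("inline", number of PEM certs)."""
    found = []
    inline_body = None  # collects lines while inside <extra-certs> ... </extra-certs>
    for raw in config_text.splitlines():
        line = raw.strip()
        if inline_body is not None:
            if line == "</extra-certs>":
                found.append(("inline", sum(l == PEM_BEGIN for l in inline_body)))
                inline_body = None
            else:
                inline_body.append(line)
            continue
        if not line or line[0] in "#;":  # blank lines and comments
            continue
        if line == "<extra-certs>":
            inline_body = []
            continue
        m = re.match(r"extra-certs\s+(.+)$", line)
        if m:
            found.append(("file", m.group(1).strip().strip('"')))
    if inline_body is not None:
        raise ValueError("unterminated <extra-certs> block")
    return found
```

A non-empty result means the profile depends on the option, so a plug-in version without the upstream change referenced in Comment 1 will not carry those chain certificates over.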