Similarly to 'curl', 'python-requests' or 'wget', it would be nice if openvpn respected ca-bundle on Fedora (and RHEL eventually). This is not yet implemented upstream, so I tried to submit patch [1], but other proposed solutions would be welcome, too.

[1] https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13878.html

This is a VERY BAD idea. OpenVPN should NOT use or depend on any public CA instances. This actually reduces the authentication level to a bare minimum. Mounting a MITM attack would then be extremely simple: Configure a new server using a Let's Encrypt issued certificate, redirect all OpenVPN detected traffic on your network to this new server and you've won. This would be a dream scenario for The Great Firewall of China and other national routing points implementing complete network surveillance.

OpenVPN should ALWAYS be configured using non-public/private CA instances, as that makes it much harder to trick clients into connecting to the wrong server.

I'm closing this one, as this will not be considered for upstream inclusion. I am speaking as an upstream OpenVPN community developer and OpenVPN Technologies, Inc. employee.
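
The following audit sketch is an added example, not part of the thread and not OpenVPN project code. It flags client configurations whose `ca`/`capath` points at a system trust store and which do not pin the server identity. The trust-store path list, the function names and both sample configurations are constructed for illustration.

```python
import shlex

# Assumed list of system (public CA) trust store locations; extend per distro.
SYSTEM_TRUST_PATHS = (
    "/etc/pki/tls/certs/ca-bundle.crt",   # Fedora/RHEL bundle
    "/etc/pki/ca-trust/extracted/",
    "/etc/ssl/certs",
    "/etc/ssl/cert.pem",
)

def parse_directives(text):
    """Map each directive to its argument lists; skips comments and inline <tag> blocks."""
    directives, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                          # inside <ca> ... </ca> style block
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":     # OpenVPN comment markers
            continue
        if line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            directives.setdefault(parts[0], []).append(parts[1:])
    return directives

def audit(text):
    """Return findings for a client config that trusts public CAs or does not pin the server."""
    d, findings = parse_directives(text), []
    for key in ("ca", "capath"):
        for args in d.get(key, []):
            path = args[0] if args else ""
            if any(path.startswith(p) for p in SYSTEM_TRUST_PATHS):
                findings.append(f"{key} points at the system trust store: {path}")
    if "verify-x509-name" not in d and "peer-fingerprint" not in d:
        findings.append("server identity not pinned (no verify-x509-name or peer-fingerprint)")
    if ["server"] not in d.get("remote-cert-tls", []):
        findings.append("remote-cert-tls server is not set")
    return findings

# Constructed sample configs: the setup the request would enable, and a private-CA one.
WEAK = "client\nremote vpn.example.com 1194\nca /etc/pki/tls/certs/ca-bundle.crt\n"
HARDENED = ("client\nremote vpn.example.com 1194\nca /etc/openvpn/client/private-ca.crt\n"
            "remote-cert-tls server\nverify-x509-name vpn.example.com name\n")

if __name__ == "__main__":
    for finding in audit(WEAK):
        print("WEAK:", finding)
```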