Similarly to 'curl', 'python-requests' or 'wget', it would be nice if openvpn
respected ca-bundle on Fedora (and RHEL eventually). This is not yet
implemented upstream, so I tried to submit a patch, but other proposed
solutions would be welcome, too.
This is a VERY BAD idea.
OpenVPN should NOT use or depend on any public CA instances. This actually reduces the authentication level to a bare minimum. Mounting a MITM attack would then be extremely simple: configure a new server using a Let's Encrypt issued certificate, redirect all OpenVPN detected traffic on your network to this new server and you've won.
This would be a dream scenario for The Great Firewall of China and other national routing points implementing complete network surveillance.
OpenVPN should ALWAYS be configured using non-public/private CA instances, as that makes it much harder to trick clients into connecting to the wrong server.
I'm closing this one, as this will not be considered for upstream inclusion. I am speaking on behalf of upstream, as an OpenVPN community developer and OpenVPN Technologies, Inc. employee.
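Added example (not from the reporter or from OpenVPN upstream): an OpenVPN client configuration that contrasts the trust model the bug asks for with the one the upstream reply insists on. The CA file paths, key paths and the server name are assumed placeholders, and the bundle path is the usual Fedora location.

```conf
# --- Trust model requested in the bug (shown as the weak setting, commented out) ---
# Pointing 'ca' at the distribution bundle means a certificate issued by ANY
# public CA in that bundle is accepted as "the VPN server"; that is the
# MITM scenario the upstream reply describes.
#   ca /etc/pki/tls/certs/ca-bundle.crt   # assumed Fedora bundle path

# --- Trust model upstream expects: a private CA dedicated to this VPN ---
client
dev tun
proto udp
remote vpn.example.org 1194             # placeholder server name

# Only certificates issued by this private CA are acceptable.
ca /etc/openvpn/client/myvpn-ca.crt     # assumed path

# Reject a valid client certificate from the same CA being replayed as a
# server: the server cert must carry the TLS Web Server Authentication EKU.
remote-cert-tls server

# Pin the server identity: a certificate from the right CA but for a
# different common name is still rejected.
verify-x509-name "vpn.example.org" name # placeholder CN

# Pre-shared key wrapping the TLS control channel: a peer without this key
# cannot even begin a handshake, a second check independent of the CA.
tls-crypt /etc/openvpn/client/myvpn-tc.key  # assumed path

cert /etc/openvpn/client/client.crt     # assumed path
key  /etc/openvpn/client/client.key     # assumed path
```

Only the private CA, not the system bundle, decides which server certificates are trusted; the name pin and tls-crypt key narrow that further.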