From: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu, 15 Jan 2026 17:33:05 +0000 (+0100)
Subject: ovpnmain.cgi: No longer include the CA in the client configuration
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=da2448190e4b27d0cfeb97306a96fc8ad0ae50e7;p=ipfire-2.x.git

ovpnmain.cgi: No longer include the CA in the client configuration

NetworkManager complains that it cannot use <ca>...</ca> when
<pkcs12>...</pkcs12> is being used as well. This makes somehwat sense as
the PKCS12 container also contains the CA certificate.

Therefore we are removing the <ca>...</ca> block for all clients as they
must all be able to read the PKCS12 container.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index dd4f98246..e53bd6e28 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -2479,16 +2479,6 @@ END
 			print "providers legacy default\n";
 		}
 
-		# CA
-		open(FILE, "<${General::swroot}/ovpn/ca/cacert.pem");
-		print "\n<ca>\n";
-		while (<FILE>) {
-			chomp($_);
-			print "$_\n";
-		}
-		print "</ca>\n";
-		close(FILE);
-
 		# PKCS12
 		open(FILE, "<${General::swroot}/ovpn/certs/${name}.p12");
 		print "\n<pkcs12>\n";