After upgrading our OpenVPN server from Debian Buster to Bookworm, which also upgraded OpenVPN from 2.4.7 to 2.6.3, we're now getting this when any client tries to connect:
error=CA signature digest algorithm too weak
I've searched for this error and have found the usual work-arounds, like adding tls-cipher "DEFAULT:@SECLEVEL=0"
to the config (we're doing that in the interim, but downgrading security isn't a permanent fix). Additional Googling seems to consistently indicate using an outdated algorithm to generate the certs (like MD5 or SHA1), but that doesn't seem to be the case here. When I look at our CA, Server, and Client certs, they all contain this:
Signature Algorithm: sha256WithRSAEncryption
It looks like we're already using SHA256 and our certificates are good. So I'm super confused by this error and not sure where to go from here. I know that I could probably just generate new certs (we have dozens of client endpoints that connect, so not ideal). Also, that wouldn't tell me what the underlying actual issue is.
This is a pretty stock Debian system with OpenSSL 3.0.13 installed.