FS#54589 - [openssl] [openvpn]

Attached to Project: Arch Linux
Opened by John (graysky) - Sunday, 25 June 2017, 18:27 GMT
Last edited by Doug Newgard (Scimmia) - Monday, 26 June 2017, 22:41 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

I am unable to connect to my openvpn server on a new box (client and server both run Arch x86_64). I believe that OpenVPN is rejecting a self-signed CA signature now whereas it did not in the past. Around November of 2016, when we were on openssl-1.0.2j, I did not experience this issue generating my openvpn files under that version. For example, multiple servers I created then still work to this day using the identical procedure to generate the key/certs[1].

Excerpt from openvpn client trying to connect:
VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: CN=ease CA
OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
TLS_ERROR: BIO read tls_read_plaintext error
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
Fatal TLS error (check_tls_errors_co), restarting
SIGUSR1[soft,tls-error] received, process restarting
Restart pause, 5 second(s)

Are there any Arch modifications that might explain breakage of self-signed certs? Again, this all worked (tested multiple times on newly spun-up servers in the November 2016 time frame).

Additional info:
openssl 1.1.0.f-1
openvpn 2.4.3-1

Attachments:
server.log - the openvpn server log
client.log - the openvpn client log
myserver.conf - the openvpn conf
myclient.conf - a sanitized (my certs have been removed) client conf to give you the skeleton

Steps to reproduce:
1) Install easy-rsa and openvpn.
2) Follow the Easy-RSA wiki page[1] to create a functional openvpn server (create CA and server certs, sign them etc as documented).
3) Create a client.conf from these files (manually, or use ovpngen[2]).
4) Run openvpn server on the server and attempt to connect using the client.conf you created.

References:
Discussion thread: https://bbs.archlinux.org/viewtopic.php?id=227632

1. https://wiki.archlinux.org/index.php/Easy-RSA
2. https://github.com/graysky2/ovpngen

Closed by Doug Newgard (Scimmia)
Monday, 26 June 2017, 22:41 GMT
Reason for closing:  Not a bug
Comment by John (graysky) - Sunday, 25 June 2017, 18:28 GMT
Sorry, the title got clipped for some reason: OpenVPN client rejection due to self-signed cert error
Comment by Jan de Groot (JGC) - Monday, 26 June 2017, 18:50 GMT
Works fine here. Make sure your client has the server's ca.crt configured; without it, openvpn will not trust the server certificate.
Comment by John (graysky) - Monday, 26 June 2017, 19:10 GMT
@JGC - Thank you for the verification. To be clear, did you follow the steps on [1] and did you generate your client conf using [2]?

On my server, I have:

# ls /etc/openvpn/server
ca.crt dh.pem server.conf server.crt server.key ta.key

My client profile was generated using [2].
Comment by John (graysky) - Monday, 26 June 2017, 21:33 GMT
I'm sorry to have caused all the problems. As you pointed out, a minor typo in how I generated my client.conf (using server.crt, not ca.crt) is to blame. When I executed it correctly, everything works as expected. Please close.
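
The reproduction steps in the report and the root cause given in the last comment (server.crt pasted into the client profile where ca.crt belongs) can be replayed offline with nothing but the openssl CLI. The script below is an added example, not code from the bug report, easy-rsa or ovpngen. It generates a throwaway CA named "ease CA" (the CN from the client log) plus one server certificate as a stand-in for the easy-rsa output, then verifies server.crt the way the OpenVPN client does, once with ca.crt as the trust anchor and once with server.crt, and finally applies the same check to two constructed unified client profiles with an inline <ca> block. Assumptions: openssl is on PATH, the server presents server.crt followed by ca.crt (the depth=1 CA visible in the log), and the remote name vpn.example.com is a placeholder.

```shell
#!/bin/sh
# Added example (not from the bug report, easy-rsa or ovpngen): reproduce the
# "error 19 at 1 depth lookup: self signed certificate in certificate chain"
# verdict with a constructed PKI, and check a client profile's <ca> block.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 1; }
WORK=$(mktemp -d)
cd "$WORK"

# Constructed PKI: a self-signed CA ("ease CA", the CN from the client log) and
# one leaf it signs. A config file is used so the CA gets basicConstraints on
# every openssl version, independent of the system openssl.cnf.
make_pki() {
    cat > ca.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = ease CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout ca.key \
        -out ca.crt -days 3650 >/dev/null 2>&1
    openssl req -new -config ca.cnf -subj /CN=server -newkey rsa:2048 -nodes \
        -keyout server.key -out server.csr >/dev/null 2>&1
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -out server.crt -days 365 >/dev/null 2>&1
}

# dn subject|issuer FILE: print that name from a PEM certificate, prefix stripped.
dn() { openssl x509 -noout "-$1" -in "$2" | sed 's/^[a-z]*= *//'; }

# anchor_verdict ANCHOR: verify server.crt as the client does, trusting only
# ANCHOR and treating ca.crt as the untrusted chain the server sent along
# (assumption: the server presents server.crt + ca.crt, as the depth=1 log
# line indicates). Prints "ok", "self-signed-in-chain" (openssl error 19 at
# depth 1, the report's symptom) or "other". The text is matched rather than
# the exit status so the result does not depend on the openssl version.
anchor_verdict() {
    out=$(openssl verify -CAfile "$1" -untrusted ca.crt server.crt 2>&1) || true
    case "$out" in
        *": OK"*)                        echo ok ;;
        *"error 19 at 1 depth lookup"*)  echo self-signed-in-chain ;;
        *)                               echo other ;;
    esac
}

# write_profile FILE CERT: constructed unified client profile whose <ca> block
# holds CERT (hypothetical remote name, no client key material included).
write_profile() {
    { printf 'client\ndev tun\nremote vpn.example.com 1194\n<ca>\n'
      cat "$2"
      printf '</ca>\n'; } > "$1"
}

# profile_verdict PROFILE: pull the PEM out of the <ca> block and judge it.
profile_verdict() {
    sed -n '/^<ca>$/,/^<\/ca>$/p' "$1" | sed '1d;$d' > "$1.anchor.pem"
    anchor_verdict "$1.anchor.pem"
}

make_pki
write_profile good.ovpn ca.crt       # what the wiki procedure produces
write_profile typo.ovpn server.crt   # the report's mistake: server.crt where ca.crt belongs
echo "work dir: $WORK"
for p in good.ovpn typo.ovpn; do
    verdict=$(profile_verdict "$p")
    printf '%s: <ca> subject [%s], server.crt issuer [%s] -> %s\n' \
        "$p" "$(dn subject "$p.anchor.pem")" "$(dn issuer server.crt)" "$verdict"
done
```

The single check worth running against a real profile before suspecting the toolchain is the one anchor_verdict wraps: `openssl verify -CAfile <the cert in your <ca> block> -untrusted ca.crt server.crt`. If the trust anchor is not the certificate that issued server.crt, the chain the server sends ends in a self-signed CA nobody trusts, and openssl reports it at depth 1, which is exactly the VERIFY ERROR line in the client log; with the real ca.crt the same command answers OK.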
