It is me causing the confusion. Sorry.
I wrote a reply which, after thinking about it, had several errors in it on my part so in the end I deleted my post but you had already received the notification.
The section you modified in the ovpnmain.cgi uses the [ server ] section of the ovpn.cnf for the extensions input into the csr generation.
Changing that section to remove the AKID and SKID allowed the host certificate to be created.
However the [ server ] section is also used in the next openssl command in ovpnmain.cgi for the signing of the CSR by the CA. That works if the AKID/SKID are present or not, in terms of creating the root/host certificate.
What I don’t know yet is if the signing of the CSR by the CA does not have the AKID/SKID specified does this cause some other problem later on when creating the client connection certificates or doing a revocation action.
I will try out both approaches in my testing to be certain
That is great. Thanks very much. I can then enter all my investigation info and the patches I submit and the other devs can also then review and modify anything I do in case it has errors in it.
If you find anything further yourself in your investigation feel free to add the info into the bug report.