Not using OpenVPN on MT, nor v2.3 but the error seems to be triggered by the ExtendedKeyUsage extension.
If i got it right then OpenVPN2.4 is doing some checks on the certificate and yours is not generated the right way.
Good hardware but poor overall package (software and hardware).
Now the logical question - was Mikrotik aware?
Are there AC2 with correct placement of the heatsink?
Will Mikrotik partners be replacing units with the mentioned "design" or the users will be forced to fix the problem by themselves.