Cert problems after Let's Encrypt root / intermediate expiration

Business solution to host your own OpenVPN server with web management interface and bundled clients.
mgrommet
OpenVpn Newbie
Posts: 3
Joined: Thu Sep 30, 2021 9:40 pm

Cert problems after Let's Encrypt root / intermediate expiration

Post by mgrommet » Thu Sep 30, 2021 10:00 pm

Hi folks, here's the scoop:
- Running Access Server v2.7.4
- Ubuntu 18.04 VM
- Using certbot to regularly renew cert
- Let's Encrypt root / intermediate certs expired today, so I'm pretty sure it has something to do with this, but haven't been able to track it down.
- Our OpenVPN client is older, but I tried the latest and greatest too.

This has all been working very well. Until today. We started getting certificate errors from our client connections (Win 10) stating that the certificate wasn't trusted because it had expired. We went ahead and reissued the cert with certbot, but this didn't resolve the issue.

In the Access Server UI, under Web Server --> Validation Results, the server gives a Certificate Trust Warning that the 'certificate has expired'.

I've used openssl to look at the contents of the cert and the chain pem files and nothing is past the expiration date. When browsing to the Access Server UI, browsers don't seem to have any problems with the certs either.

As far as I can tell, there's nothing setting certificate details in the internal configuration db.

What am I missing? I'd appreciate a friendly shove in the right direction.

M.

ShuffleShoes
OpenVpn Newbie
Posts: 2
Joined: Fri Oct 01, 2021 2:45 am

Re: Cert problems after Let's Encrypt root / intermediate expiration

Post by ShuffleShoes » Fri Oct 01, 2021 2:48 am

I've noticed this as well.

I saw that the certificate fingerprint on the client matched the Let's Encrypt cert (Web UI). But the client is reporting that it's invalid.

+1 with OP. Any advice would be appreciated.

ShuffleShoes
OpenVpn Newbie
Posts: 2
Joined: Fri Oct 01, 2021 2:45 am

Re: Cert problems after Let's Encrypt root / intermediate expiration

Post by ShuffleShoes » Fri Oct 01, 2021 3:29 am

Figured it out!

The expired root certificate is included in the OVPN profile file. This needs to be replaced with an updated profile that contains the new certificates.

How to fix:
1. Ensure you've patched the OS and the OpenVPN server is up to date first, as the new certificates are included in a package update.
2. Then get your users to re-download the profile from the web UI and import it.
3. When they connect with the new profile, there will be no warning.

Let me know if it fixes your issue.

mgrommet
OpenVpn Newbie
Posts: 3
Joined: Thu Sep 30, 2021 9:40 pm

Re: Cert problems after Let's Encrypt root / intermediate expiration

Post by mgrommet » Fri Oct 01, 2021 4:36 pm

I inherited this VM, and this is my first experience with OpenVPN. I believe it was originally created as an Azure VM image with OpenVPN pre-installed, and then upgraded to 2.7.4 and then configured.

I tried doing an OpenVPN Access Server upgrade through apt, and it kind of exploded on me. Server no longer responded to incoming https requests, etc... So for the moment, I've restored from backup as some of my clients are still able to connect and work with the 'expired' cert ... I may not have the same features enabled as you, or maybe it's a difference in my version, but clients connecting to the UI via https don't have an option to download a profile.

It does look like I can generate new clients using the CLI, but not sure that does me any good until I can get the root / intermediate certs handled.

Isn't learning during a crisis fun? :)

mgrommet
OpenVpn Newbie
Posts: 3
Joined: Thu Sep 30, 2021 9:40 pm

Re: Cert problems after Let's Encrypt root / intermediate expiration

Post by mgrommet » Mon Oct 04, 2021 1:35 pm

Just a final follow up here:

The final fix for us was a tactical fix to go ahead and drop in a cert from GoDaddy. Love the idea of Let's Encrypt, but it was causing too much of a disruption to our team. The cert was cheap, at least.

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Cert problems after Let's Encrypt root / intermediate expiration

Post by openvpn_inc » Thu Oct 14, 2021 11:54 am

Hello,

The issue is related to a missing OpenSSL flag in Electron. This has been acknowledged as a bug. We're currently looking into backporting a fix for this.

As a workaround you can remove the "ISRG Root X1" certificate from the CA bundle. That should avoid the program following the path to the expired root CA. Or install another certificate from another provider.

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
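As an added example (not code from the thread, and not OpenVPN Inc.'s own tooling), here is a small Python audit of the inline <ca> block of a .ovpn profile. It covers both ShuffleShoes' finding that the expired root is embedded in the profile and Johan's workaround of removing the certificate whose path leads to the expired root: it lists every CA in the block with its expiry, flags certificates that are expired or whose only issuer in the bundle is expired, and rewrites the block without them. The certificate names (Old Root CA, New Root X1, Intermediate R3), the host vpn.example.com and the sample certificates are constructed to mirror the shape of the 2021 chain and are not the real Let's Encrypt certificates. The parser reads only subject, issuer and validity from the DER and does not verify signatures, so run `openssl verify` on the result before handing a pruned profile to users.

```python
"""Audit/prune the <ca> block of an OpenVPN profile (added example, names constructed)."""
import base64
import re
from datetime import datetime, timezone

OID_CN = bytes.fromhex("550403")                      # 2.5.4.3 commonName
OID_RSA = bytes.fromhex("2a864886f70d010101")         # rsaEncryption (sample certs only)
OID_SHA256RSA = bytes.fromhex("2a864886f70d01010b")   # sha256WithRSAEncryption (sample certs only)
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----\n?", re.S)
CA_RE = re.compile(r"<ca>\n(.*?)</ca>", re.S)
UTC = timezone.utc


def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; returns (tag, value, next_pos)."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                                     # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        out.append((tag, val))
    return out


def _cn(name_der):
    """commonName out of an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue)."""
    for _, rdn in _children(name_der):
        for _, atv in _children(rdn):
            oid, value = _children(atv)
            if oid[1] == OID_CN:
                return value[1].decode("utf-8", "replace")
    return "?"


def _time(tag, val):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return datetime.strptime(val.decode(), fmt).replace(tzinfo=UTC)


def parse_cert(pem):
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    tbs = _children(_children(der)[0][1])[0][1]       # Certificate -> tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                          # skip optional [0] version
        fields = fields[1:]
    _serial, _alg, issuer, validity, subject = fields[:5]
    not_before, not_after = _children(validity[1])
    return {"pem": pem, "subject": subject[1], "issuer": issuer[1],
            "subject_cn": _cn(subject[1]), "issuer_cn": _cn(issuer[1]),
            "not_before": _time(*not_before), "not_after": _time(*not_after)}


def audit_profile(profile, now):
    """One record per cert in <ca>; flags expiry and issuers present only as expired certs."""
    ca = CA_RE.search(profile)
    if not ca:
        raise ValueError("profile has no inline <ca> block")
    certs = [parse_cert(p) for p in PEM_RE.findall(ca.group(1))]
    expired = {c["subject"] for c in certs if c["not_after"] <= now}
    valid = {c["subject"] for c in certs if c["not_after"] > now}
    for c in certs:
        c["expired"] = c["not_after"] <= now
        c["self_signed"] = c["subject"] == c["issuer"]
        c["chains_to_expired"] = (not c["self_signed"] and c["issuer"] in expired
                                  and c["issuer"] not in valid)
    return certs


def prune_profile(profile, now):
    """Rewrite <ca> without expired certs and without certs that only chain to an expired one."""
    keep = [c["pem"] for c in audit_profile(profile, now)
            if not (c["expired"] or c["chains_to_expired"])]
    return CA_RE.sub(lambda m: "<ca>\n" + "".join(keep) + "</ca>", profile)


# --- constructed sample data: hypothetical names, unsigned dummy certificates -------------
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        ln = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        ln = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + ln + body


def _name(cn):
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, OID_CN) + _der(0x0C, cn.encode()))))


def make_cert(subject, issuer, not_before, not_after):
    """Syntactically valid but unsigned X.509 v3 cert as PEM (test data only)."""
    alg = _der(0x30, _der(0x06, OID_SHA256RSA) + _der(0x05, b""))
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _name(issuer) + _der(0x30, utc(not_before) + utc(not_after)) + _name(subject)
               + _der(0x30, _der(0x30, _der(0x06, OID_RSA) + _der(0x05, b"")) + _der(0x03, b"\x00")))
    b64 = base64.b64encode(_der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


NOW = datetime(2021, 10, 1, tzinfo=UTC)               # the day the thread was opened


def sample_profile():
    """<ca> shaped like 2021: expired old root, new root cross-signed by it, new root self-signed, intermediate."""
    d = lambda y, m, dd: datetime(y, m, dd, tzinfo=UTC)
    inter = make_cert("Intermediate R3", "New Root X1", d(2020, 9, 4), d(2025, 9, 15))
    cross = make_cert("New Root X1", "Old Root CA", d(2021, 1, 20), d(2024, 9, 30))
    old_root = make_cert("Old Root CA", "Old Root CA", d(2000, 9, 30), d(2021, 9, 30))
    new_root = make_cert("New Root X1", "New Root X1", d(2015, 6, 4), d(2035, 6, 4))
    return ("client\ndev tun\nremote vpn.example.com 1194 udp\n<ca>\n"
            + inter + cross + old_root + new_root + "</ca>\n")


if __name__ == "__main__":
    for c in audit_profile(sample_profile(), NOW):
        flag = "EXPIRED" if c["expired"] else ("DEAD-END" if c["chains_to_expired"] else "ok")
        print(f'{flag:8} {c["subject_cn"]:16} issued by {c["issuer_cn"]:16} until {c["not_after"]:%Y-%m-%d}')
```

Run against a real profile, replace `sample_profile()` with the file contents and `NOW` with `datetime.now(UTC)`; the cross-signed root shows up as DEAD-END because its only issuer in the bundle is the expired root, and `prune_profile` leaves the intermediate plus the self-signed new root, which is the bundle a freshly generated profile would carry. Issuer matching is by exact Name DER, so a bundle that still needs the cross-signed path for old clients must be handled deliberately rather than pruned blindly.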
