OpenVPN AS "Certificate Trust Warning - unable to get local issuer certificate"

Business solution to host your own OpenVPN server with web management interface and bundled clients.
Post Reply
TeleBrady
OpenVpn Newbie
Posts: 5
Joined: Mon May 16, 2022 11:47 pm

OpenVPN AS "Certificate Trust Warning - unable to get local issuer certificate"

Post by TeleBrady » Sat Jun 25, 2022 8:16 pm

Hello,

My GoDaddy-issued SSL certificate will expire soon, so I was trying to replace it with a free Let's Encrypt one using these instructions.

When I go to upload the new certificate using the web UI and I click "validate", I get a "Certificate Trust Warning - unable to get local issuer certificate" error on screen, but under that the "Certificate/Hostname" shows a match and everything else looks good. From here I revert because I don't want anything to break due to that error, but the current certificate will expire soon anyway.

From what I've read it sounds like I need a separate intermediate certificate(?). Can anyone please tell me what I'm missing or let me know where I need to look to help me figure that out?

OpenVPN Access Server v2.8.5

User avatar
openvpn_inc
OpenVPN Inc.
Posts: 787
Joined: Tue Feb 16, 2021 10:41 am

Re: OpenVPN AS "Certificate Trust Warning - unable to get local issuer certificate"

Post by openvpn_inc » Fri Jul 15, 2022 3:51 pm

Hi,

This message can occur in a variety of programs that try to verify the identity of a server using its public certificate. It can happen in OpenVPN Connect, but it can also occur in a web browser or a test program for SSL connections. The error occurs when the path from your server's certificate to a trusted root authority certificate can’t be established. Certificates are hierarchical, and each certificate knows its direct parent above it using a unique fingerprint. Using this method a chain can be formed going from your server certificate, to the certificate issuer, and from there to a (trusted) root authority. Sometimes there are more steps. Sometimes the direct parent is the root authority. But in most cases, there are steps in between called intermediaries. If there is one, only one intermediate certificate needs to be added to your chain of certificates. If there are more, you can copy-paste them into one file, one after the other, to make an intermediary bundle file containing all the intermediaries to complete the path of trust. If you already had a working certificate before but now have a new one from a different issuer, you will also need to update your intermediaries.

Regards,
.\kionci
Image OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

TeleBrady
OpenVpn Newbie
Posts: 5
Joined: Mon May 16, 2022 11:47 pm

Re: OpenVPN AS "Certificate Trust Warning - unable to get local issuer certificate"

Post by TeleBrady » Tue Jul 19, 2022 5:02 pm

Thank you for that information kionci.

I was never able to resolve this. Open VPN AS still reports "unable to get local issuer certificate" under "Validation Results", but my browser has no issues with the certificate and SSL Labs shows that it's configured correctly, so I'm not sure why Open VPN AS is yelling about the issuer cert. My theory is that Open VPN AS is looking at an incorrect or outdated local root cert or something, but because this isn't throwing up any errors in the browser I just decided to ignore the warning that Open VPN is throwing and move on.

User avatar
openvpn_inc
OpenVPN Inc.
Posts: 787
Joined: Tue Feb 16, 2021 10:41 am

Re: OpenVPN AS "Certificate Trust Warning - unable to get local issuer certificate"

Post by openvpn_inc » Thu Jul 21, 2022 3:50 pm

Hi,

For all cases where a certificate is in doubt, run it through a checker like https://www.digicert.com/help to see what it reports.

Regards,
.\kionci
Image OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

Post Reply