Hello,
My GoDaddy-issued SSL certificate will expire soon, so I was trying to replace it with a free Let's Encrypt one using these instructions.
When I go to upload the new certificate using the web UI and I click "validate", I get a "Certificate Trust Warning - unable to get local issuer certificate" error on screen, but under that the "Certificate/Hostname" shows a match and everything else looks good. From here I revert because I don't want anything to break due to that error, but the current certificate will expire soon anyway.
From what I've read it sounds like I need a separate intermediate certificate(?). Can anyone please tell me what I'm missing or let me know where I need to look to help me figure that out?
OpenVPN Access Server v2.8.5
OpenVPN AS "Certificate Trust Warning - unable to get local issuer certificate"
-
- OpenVpn Newbie
- Posts: 6
- Joined: Mon May 16, 2022 11:47 pm
- openvpn_inc
- OpenVPN Inc.
- Posts: 1246
- Joined: Tue Feb 16, 2021 10:41 am
Re: OpenVPN AS "Certificate Trust Warning - unable to get local issuer certificate"
Hi,
This message can occur in a variety of programs that try to verify the identity of a server using its public certificate. It can happen in OpenVPN Connect, but it can also occur in a web browser or a test program for SSL connections. The error occurs when the path from your server's certificate to a trusted root authority certificate can’t be established. Certificates are hierarchical, and each certificate knows its direct parent above it using a unique fingerprint. Using this method a chain can be formed going from your server certificate, to the certificate issuer, and from there to a (trusted) root authority. Sometimes there are more steps. Sometimes the direct parent is the root authority. But in most cases, there are steps in between called intermediaries. If there is one, only one intermediate certificate needs to be added to your chain of certificates. If there are more, you can copy-paste them into one file, one after the other, to make an intermediary bundle file containing all the intermediaries to complete the path of trust. If you already had a working certificate before but now have a new one from a different issuer, you will also need to update your intermediaries.
Regards,
.\kionci

Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
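The missing-intermediate case described in the reply above, reproduced offline as an added example (not from the original posts or from OpenVPN Inc.): it builds a throwaway root, intermediate and server certificate with the openssl CLI, then verifies the server certificate with and without the intermediate. The `demo-*` subjects, file names and helper functions are constructed for illustration.

```shell
#!/bin/sh
# Added example: throwaway root -> intermediate -> server chain (all names constructed).

# new_req NAME: create NAME.key and NAME.csr with a constructed subject
new_req() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=demo-$1" 2>/dev/null
}

# build_demo_chain DIR: create root.pem, int.pem and srv.pem inside DIR
build_demo_chain() (
  cd "$1" || exit 1
  # Extensions that mark a certificate as a CA (needed for root and intermediate)
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
  new_req root && new_req int && new_req srv || exit 1
  # Self-signed root, intermediate signed by root, server cert signed by intermediate
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
    -days 2 -out root.pem 2>/dev/null &&
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 2 -out int.pem 2>/dev/null &&
  openssl x509 -req -in srv.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 2 -out srv.pem 2>/dev/null
)

# check_chain DIR [BUNDLE]: verify srv.pem against the trusted root,
# optionally supplying BUNDLE as the (untrusted) intermediate certificates
check_chain() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/$2" "$1/srv.pem" 2>&1
  else
    openssl verify -CAfile "$1/root.pem" "$1/srv.pem" 2>&1
  fi
}

demo=$(mktemp -d)
build_demo_chain "$demo"
echo "server certificate alone:"; check_chain "$demo" || true
echo "with intermediate bundle:"; check_chain "$demo" int.pem || true
```

With a real certificate, the same `openssl verify -untrusted` check can be run against the issued server certificate and the intermediate bundle file before uploading them.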
-
- OpenVpn Newbie
- Posts: 6
- Joined: Mon May 16, 2022 11:47 pm
Re: OpenVPN AS "Certificate Trust Warning - unable to get local issuer certificate"
Thank you for that information kionci.
I was never able to resolve this. OpenVPN AS still reports "unable to get local issuer certificate" under "Validation Results", but my browser has no issues with the certificate and SSL Labs shows that it's configured correctly, so I'm not sure why OpenVPN AS is yelling about the issuer cert. My theory is that OpenVPN AS is looking at an incorrect or outdated local root cert or something, but because this isn't throwing up any errors in the browser I just decided to ignore the warning that OpenVPN is throwing and move on.
- openvpn_inc
- OpenVPN Inc.
- Posts: 1246
- Joined: Tue Feb 16, 2021 10:41 am
Re: OpenVPN AS "Certificate Trust Warning - unable to get local issuer certificate"
Hi,
For all cases where a certificate is in doubt, run it through a checker like https://www.digicert.com/help to see what it reports.
Regards,
.\kionci
-
- OpenVpn Newbie
- Posts: 1
- Joined: Tue Jun 06, 2023 6:26 am
Re: OpenVPN AS "Certificate Trust Warning - unable to get local issuer certificate"
This SSL error occurs when the SSL/TLS client cannot verify the server's certificate due to the absence of the issuer's certificate in its trusted store. To resolve this, ensure the system time and date are accurate, update the trusted CA certificate bundle, explicitly specify the CA certificate if available, verify the certificate chain for completeness, and check for any network connectivity issues caused by firewalls or proxies. These steps will help address the SSL error "unable to get local issuer certificate" and enable successful establishment of secure connections.