
Cert problems after Let's Encrypt root / intermediate expiration

Posted: Thu Sep 30, 2021 10:00 pm
by mgrommet
Hi folks, here's the scoop:
- Running Access Server v2.7.4
- Ubuntu 18.04 VM
- Using certbot to regularly renew cert
- Let's Encrypt root / intermediate certs expired today, so I'm pretty sure it has something to do with this, but haven't been able to track it down.
- Our OpenVPN client is older, but I tried the latest and greatest too.

This has all been working very well. Until today. We started getting certificate errors from our client connections (Win 10) stating that the certificate wasn't trusted because it had expired. We went ahead and reissued the cert with certbot, but this didn't resolve the issue.

In the Access Server UI, under Web Server --> Validation Results, the server gives a Certificate Trust Warning that the 'certificate has expired'.

I've used openssl to look at the contents of the cert and the chain pem files and nothing is past the expiration date. When browsing to the Access Server UI, browsers don't seem to have any problems with the certs either.

As far as I can tell, there's nothing setting certificate details in the internal configuration db.

What am I missing? I'd appreciate a friendly shove in the right direction.

M.

Re: Cert problems after Let's Encrypt root / intermediate expiration

Posted: Fri Oct 01, 2021 2:48 am
by ShuffleShoes
I've noticed this as well.

I saw that the certificate fingerprint on the client matched the Let's Encrypt cert (WebUI). But the client is reporting that it's invalid.

+1 with OP. Any advice would be appreciated.

Re: Cert problems after Let's Encrypt root / intermediate expiration

Posted: Fri Oct 01, 2021 3:29 am
by ShuffleShoes
Figured it out!

The expired root certificate is included in the OVPN profile file. This needs to be replaced with an updated profile that contains the new certificates.

How to fix:
1. Ensure you've patched the OS and the OpenVPN server is up to date first, as the new certificates are included in a package update.
2. Then get your users to re-download the profile from the web UI and import it.
3. When they connect with the new profile, there will be no warning.

Let me know if it fixes your issue.

Re: Cert problems after Let's Encrypt root / intermediate expiration

Posted: Fri Oct 01, 2021 4:36 pm
by mgrommet
I inherited this VM, and this is my first experience with OpenVPN. I believe it was originally created as an Azure VM image with OpenVPN pre-installed, and then upgraded to 2.7.4 and then configured.

I tried doing an OpenVPN Access Server upgrade through apt, and it kind of exploded on me. Server no longer responded to incoming https requests, etc. So for the moment, I've restored from backup as some of my clients are still able to connect and work with the 'expired' cert. I may not have the same features enabled as you, or maybe it's a difference in my version, but clients connecting to the UI via https don't have an option to download a profile.

It does look like I can generate new clients using the CLI, but not sure that does me any good until I can get the root / intermediate certs handled.

Isn't learning during a crisis fun? :)

Re: Cert problems after Let's Encrypt root / intermediate expiration

Posted: Mon Oct 04, 2021 1:35 pm
by mgrommet
Just a final follow up here:

The final fix for us was a tactical fix to go ahead and drop in a cert from GoDaddy. Love the idea of Let's Encrypt, but it was causing too much of a disruption to our team. The cert was cheap, at least.

Re: Cert problems after Let's Encrypt root / intermediate expiration

Posted: Thu Oct 14, 2021 11:54 am
by openvpn_inc
Hello,

The issue is related to a missing OpenSSL flag in Electron. This has been acknowledged as a bug. We're currently looking into backporting a fix for this.

As a workaround you can remove the "ISRG Root X1" certificate from the CA bundle. That should avoid the program following the path to the expired root CA. Or install another certificate from another provider.

Kind regards,
Johan
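Both ShuffleShoes' fix (the expired root travels inside the profile's <ca> block, so a stale .ovpn keeps failing after the server's cert is renewed) and Johan's workaround (remove one certificate from the CA bundle) come down to inspecting and editing that block. The script below is an added example, not code from this thread or from OpenVPN Inc. It uses only the Python standard library with a minimal DER walker that reads subject CN, issuer CN and notAfter from each embedded certificate; it is not a general X.509 parser. The sample profile and its two certificates are constructed for the example (unsigned skeletons with invented names such as "Example Expired Root"), not real Let's Encrypt material; on a real profile you would call ca_report() and drop_ca_certs() on the file contents.

```python
"""Inspect and edit the <ca> block of an OpenVPN .ovpn profile (added example, stdlib only)."""
import base64
import re
from datetime import datetime, timezone

PEM_BLOCK_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----\n?", re.S)
CA_BLOCK_RE = re.compile(r"<ca>(.*?)</ca>", re.S)
CN_OID = bytes.fromhex("550403")                          # id-at-commonName (2.5.4.3)


def _tlv(buf, pos):
    """Decode one DER tag/length/value starting at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """All (tag, value) elements of a constructed DER value."""
    pos, out = 0, []
    while pos < len(value):
        tag, v, pos = _tlv(value, pos)
        out.append((tag, v))
    return out


def _parse_time(tag, value):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def _common_name(name):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value }; returns the CN."""
    for _, rdn in _children(name):
        for _, atv in _children(rdn):
            oid, val = _children(atv)
            if oid[1] == CN_OID:
                return val[1].decode("utf-8")
    return "?"


def cert_info(der):
    """Subject CN, issuer CN and notAfter of one DER-encoded certificate."""
    _, cert, _ = _tlv(der, 0)                              # Certificate ::= SEQUENCE
    fields = _children(_children(cert)[0][1])              # tbsCertificate fields
    if fields[0][0] == 0xA0:                               # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields are now: serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    _, not_after = _children(fields[3][1])
    return {"subject": _common_name(fields[4][1]), "issuer": _common_name(fields[2][1]),
            "not_after": _parse_time(*not_after)}


def _pem_to_der(body):
    return base64.b64decode("".join(body.split()))


def ca_report(profile_text):
    """cert_info() for every certificate inside the profile's <ca> block, in order."""
    m = CA_BLOCK_RE.search(profile_text)
    return [cert_info(_pem_to_der(p.group(1))) for p in PEM_BLOCK_RE.finditer(m.group(1))] if m else []


def expired_cas(profile_text, as_of=None):
    """Subject CNs of <ca> certificates already expired on as_of (YYYY-MM-DD, UTC; default: now)."""
    now = (datetime.strptime(as_of, "%Y-%m-%d").replace(tzinfo=timezone.utc)
           if as_of else datetime.now(timezone.utc))
    return [c["subject"] for c in ca_report(profile_text) if c["not_after"] < now]


def drop_ca_certs(profile_text, subjects):
    """Return the profile with every <ca> certificate whose subject CN is in `subjects` removed."""
    def rebuild(m):
        kept = [p.group(0) for p in PEM_BLOCK_RE.finditer(m.group(1))
                if cert_info(_pem_to_der(p.group(1)))["subject"] not in subjects]
        return "<ca>\n" + "".join(kept) + "</ca>"
    return CA_BLOCK_RE.sub(rebuild, profile_text)


# ---- constructed sample data: unsigned certificate skeletons, NOT real certificates ----
def _enc(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _name(cn):
    return _enc(0x30, _enc(0x31, _enc(0x30, _enc(0x06, CN_OID) + _enc(0x0C, cn.encode()))))


def fake_cert(subject, issuer, not_after):
    """X.509 skeleton carrying only the fields this script reads (assumed/invented names)."""
    alg = _enc(0x30, _enc(0x06, bytes.fromhex("2A864886F70D01010B")))   # sha256WithRSAEncryption
    validity = _enc(0x30, _enc(0x17, b"000101000000Z")
                    + _enc(0x17, not_after.strftime("%y%m%d%H%M%SZ").encode()))
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + alg
               + _name(issuer) + validity + _name(subject) + _enc(0x30, b""))
    der = _enc(0x30, tbs + alg + _enc(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


SAMPLE_PROFILE = (  # constructed .ovpn fragment; vpn.example.com is a placeholder
    "client\nremote vpn.example.com 1194\n<ca>\n"
    + fake_cert("Example Intermediate", "Example Expired Root", datetime(2025, 9, 15))
    + fake_cert("Example Expired Root", "Example Expired Root", datetime(2021, 9, 30, 14, 1, 15))
    + "</ca>\n"
)

if __name__ == "__main__":
    for c in ca_report(SAMPLE_PROFILE):
        print(f'{c["subject"]:<22} issued by {c["issuer"]:<22} expires {c["not_after"]:%Y-%m-%d}')
    print("expired on 2021-10-01:", expired_cas(SAMPLE_PROFILE, "2021-10-01"))
```

Run it against a real profile by reading the file into ca_report(); anything listed by expired_cas() is a certificate the client will try to build a path to and reject. drop_ca_certs() writes back only the chain entries you keep, which is the manual equivalent of the bundle edit Johan describes; re-issuing the profile from an updated server, as ShuffleShoes suggests, is the cleaner fix when the server can be upgraded.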