OpenVPN Access Server Error with LE - "Certificate Trust Warning - unable to get local issuer certificate"

Hello,

I'm trying to issue and deploy a new LE cert on one of my sub domains for my OpenVPN server. I followed these instructions which were pretty standard. Here's what I did -

Generate a new certificate bundle using
sudo certbot certonly --standalone --preferred-challenges http -d connect.bestpickreports.com

Output the certificate text using cat and then copy and paste that output to a local file with the same filenames -
sudo cat /etc/letsencrypt/live/connect.bestpickreports.com/fullchain.pem
sudo cat /etc/letsencrypt/live/connect.bestpickreports.com/privkey.pem

When I deploy fullchain.pem for the cert and privkey.pem for the key, OpenVPN gives me this error -

"Certificate Trust Warning - unable to get local issuer certificate"

When I check the generated certificates using openssl verify I also get that error (details included below).

FYI - because of the error I never actually deployed the certificates, so if you check my domain you'll see the old (currently valid) certificates and not the LE ones that I'm having trouble with.

Can anyone please help me figure out why this isn't working?

Details-
My domain is:
connect.bestpickreports.com

I ran this command:
openssl verify -CAfile chain.pem cert.pem

openssl verify fullchain.pem

It produced this output:

C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup: unable to get issuer certificate
error cert.pem: verification failed

CN = connect.bestpickreports.com
error 20 at 0 depth lookup: unable to get local issuer certificate
error fullchain.pem: verification failed

My web server is (include version):
OpenVPN Access Server v2.8.5 (I'm not sure what web server it runs off of, nginx?)

The operating system my web server runs on is (include version):
Ubuntu 18.04.4 LTS

My hosting provider, if applicable, is:
N/A

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.28.0

Additional Commands & Output:
~$ ls -l /etc/ssl/certs/ca-bundle.crt

ls: cannot access '/etc/ssl/certs/ca-bundle.crt': No such file or directory

~$ ls -l /etc/ssl/certs/ISRG_Root_X1.pem

lrwxrwxrwx 1 root root 51 Jun 11 2020 /etc/ssl/certs/ISRG_Root_X1.pem -> /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt

~$ openssl version

OpenSSL 1.1.1 11 Sep 2018

Contents of fullchain.pem -

-----BEGIN CERTIFICATE-----
MIIFPTCCBCWgAwIBAgISBCB2I5tqX5KyJNQJD5iXzP0oMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMjA2MjUxODI1MjlaFw0yMjA5MjMxODI1MjhaMCYxJDAiBgNVBAMT
G2Nvbm5lY3QuYmVzdHBpY2tyZXBvcnRzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBALz619fo0sBX65tDuIH6bwqhUu5bXWJNdiwIj3IB46W+FalQ
iouzB/xC9FWt3AcKtwbtAtM6JrrOhqSP5lGquLzStFv3jcrdy0hZFI4zesRpz5Ax
wdETS/NvkylXh5sN2HkVVKxhmtge32KQ/gMvDA1BC9PoWLJTgmaJDbqdN5ufqoUU
0TQOEG1e2CrCySzU6yChochg2TFGMrr+zh09BsUOW1j0CLEXubPMgFAPLxBm29+7
e4xSut0NQSheOXMiYHQaZpUeUcrhYb/ftZWHg2htzLFtG+L7qKBV8bXpZje6kJoI
/vIroEfA+kVXhkMaLqXHnvJNp8S/ippWy5riJvECAwEAAaOCAlcwggJTMA4GA1Ud
DwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0T
AQH/BAIwADAdBgNVHQ4EFgQU5tHv0APXJXu82Hv9q8tQqk2e3LwwHwYDVR0jBBgw
FoAUFC6zF7dYVsuuUAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUF
BzABhhVodHRwOi8vcjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9y
My5pLmxlbmNyLm9yZy8wJgYDVR0RBB8wHYIbY29ubmVjdC5iZXN0cGlja3JlcG9y
dHMuY29tMEwGA1UdIARFMEMwCAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYI
KwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIIBBQYKKwYBBAHW
eQIEAgSB9gSB8wDxAHYA36Veq2iCTx9sre64X04+WurNohKkal6OOxLAIERcKnMA
AAGBnFOL0gAABAMARzBFAiAG2NZ2t5t0YOZtSgLoh/i29Fx4cXi1wKHdTNyEQiuV
5QIhAPx8NejPGvkgKZWhbFMreTn+tym292ePOVDUHPfSh88LAHcARqVV63X6kSAw
taKJafTzfREsQXS+/Um4havy/HD+bUcAAAGBnFOMZwAABAMASDBGAiEA1BVLL0YJ
KPyul/C7CQ7yX5HZfsYcUMMS1Z2e0zR7GKkCIQDOWGiTWCSEijS5XD0oT8SIqSrL
xrsII4YExJl40AxrIjANBgkqhkiG9w0BAQsFAAOCAQEABiCWeFS1IM7vj83TmztQ
z1y3fB8guyJQH+YPvl0PwZUHQvIF9OrutAl14cX9eepMAFu1csKyqx/lJV615d/r
DH1Zv7hj8a1sUXs8kTsqnWpKjjlEaAu2P7f2XmnN+N1lG65J5Xq6AeIWqI5wZjMy
N1kxo3tpTcGP+4N1AUjIM/ZrVQkKCduD3aRVqfkrEC8ah1vA/i9k4MJMVFNsh3en
4xL8YhMcTNkBWR1JI64FxNvVQskjeUdsmUJnEHd2Z3q8GYPdyqASV/idLctsvccf
aAciZMR/08OEw/GgpqQJepLwxp6A5cXLxnrAXKRRbhq7XYqhe0Yg2CDhl08nWPmF
zA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

Welcome to the community @TeleBrady

I don't have any great insights. I am not an expert in OpenVPN servers. But, a couple things:

  1. Instead of using cat and copy/paste use just cp or add >filename.pem to end of cat. That avoids possible extra pieces in the resulting cert file
  2. The best way to use openssl for verify is found here

I searched this forum for OpenVPN and there is not much info. But, depending on your purpose for OpenVPN and its package you may not need Let's Encrypt certs at all. I know nothing more than what is provided in the post below from a credible source:

5 Likes

Thanks for the advice Mike.

I have to copy the files down to my Windows machine in order to then upload them via the OpenVPN interface (which allows me to do the dry-run and check the cert before deploying - the CLI functions do not), so the copy+paste method was the fastest, but I take your point on copying the output to a new file.

I ran the verify command again based on the thread you posted, and the outcome was "Ok" -

sudo openssl verify -untrusted /etc/letsencrypt/live/connect.bestpickreports.com/chain.pem /etc/letsencrypt/live/connect.bestpickreports.com/cert.pem

/etc/letsencrypt/live/connect.bestpickreports.com/cert.pem: OK

sudo openssl verify -untrusted /etc/letsencrypt/live/connect.bestpickreports.com/chain.pem /etc/letsencrypt/live/connect.bestpickreports.com/fullchain.pem

/etc/letsencrypt/live/connect.bestpickreports.com/fullchain.pem: OK

Not sure if that changes anything.

I'm continuing to research and from what I've found it's starting to sound like maybe my CA Certificates package is out of date, although I'm not sure on that and I'm reluctant to update until I find confirmation that that's actually the issue.

This is accurate. For certificate based authentication, you really need to be running your own private CA, possibly with an intermediate certificate dedicated to OpenVPN, depending on whether you use the private CA for other purposes.

You could probably get a site-to-site OpenVPN working with two endpoints that have valid public DNS, but a private CA is better suited. For remote access, you won't be able to issue user certificates from the Let's Encrypt CA.

7 Likes

Just to clarify, I'm only trying to use LE to add SSL to the Web Server configuration. I'm not positive but I think that's different from the method of authentication that the clients use to connect. This is an existing environment that is already working for site-to-site VPN as well as remote connections, but the current cert is expiring for the web server and so I'm trying to replace it.

2 Likes

Perfect. Thanks for the additional details. It should help readers approach this just like any other web server certificate, rather than getting distracted on OpenVPN.

My OpenVPN experience is primarily with the package on pfSense, so I'll have to check back in on this thread later after I have time to find and read some relevant information on the OpenVPN AS.

6 Likes

OK. Just to be clear ... are you trying to make sure this URL works? From a browser?

https://connect.bestpickreports.com

If so, please answer the original form questions but with info about your web server (not OpenVPN). Note that I cannot connect to that URL (it has faulty SSL config).

I also see active SSL certs from Amazon, Cloudflare, GoDaddy, and Let's Encrypt that could be used for this domain name. It would be helpful if you could explain your overall strategy. It is very unusual to see so many vendors involved for certs.

4 Likes

Yeah, I'm just trying to make sure that the VPN & web console endpoint is secured with TLS.

This is regarding the web server that OpenVPN deploys, and unfortunately I don't know what web server architecture OpenVPN uses. I've seen some people say nginx but I've also read that it's not a standard deployment. Aside from the web server question, everything else is accurate.

It depends on the subdomain and service, but to be clear this isn't my strategy, this is the environment of a subsidiary that I inherited. Multiple people have managed multiple pieces of this in the past, which is why you see so many vendors. Some of that is intentional though. I can't deploy the wildcard AWS cert to every service due to AWS limitations, so I'm deploying LE where I can as things expire. The majority of those services are ones that I haven't had any interaction or involvement with though. I know it's not ideal, but I can only change so much at once.

1 Like

I think we misunderstood. When you said you wanted to add LE to a webserver we started thinking you meant something like Apache or nginx. If it's the OpenVPN server then never mind. I still don't know how those work apart from the link I shared earlier.

Generally, this Let's Encrypt forum helps people obtain the certs. You've gotten those. Beyond that we often help configure common servers but we can't know how every server or client application works. It is ultimately up to the server admin to know how to do that.

If you can provide a URL that you want working from the public internet we maybe could give some advice.

And, perhaps @linkp or some other volunteer might know OpenVPN and be willing to help. Otherwise, maybe try a forum devoted to OpenVPN - like this one.

5 Likes

Thanks Mike.

I tried the OpenVPN forum without any luck (so far) but hopefully someone will chime in soon.

Some questions I still have -
Are my certs ok since they are displaying "ok" after running the modified 'openssl verify' command? Is it just a coincidence that it displays the same error as OpenVPN does ("unable to get local issuer certificate") when I verify the certs without using the '-untrusted' parameter? Finally, is there any legitimacy in my thinking that the CA Certificates bundle needs to be updated and the LE certs re-issued afterwards?

2 Likes

Yes, perhaps the CA bundle or store is outdated. But, the LE certs don't have to be reissued if that's the case. The LE certs are fine. It could be the server or client is just misconfigured instead. As noted, I don't know OpenVPN well enough to say.

That said, it might be necessary to use the "short chain" rather than the default "long chain". The message about local issuer cert usually means your application CA bundle (or CA store) does not have the ISRG Root X1 cert in it. In that case using the short chain won't help. I just mention this as some apps don't handle the expired intermediate in the default long chain properly.

Here are two links about the chain but it does "feel" like it is related to the CA store more than the chain.
Summary about short and long chains
Longer explanation about the chains

8 Likes
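Added example (not from the thread or from any poster) that reproduces the three `openssl verify` outcomes discussed above: the "unable to get local issuer certificate" error when the intermediate is not supplied, the "OK" once the chain is passed with `-untrusted`, and the same error 20 one level up when the intermediate is present but the root is in no trust store (the situation the last reply describes for an outdated CA bundle). It builds a throwaway root -> intermediate -> leaf chain with the openssl CLI, so only the `openssl` binary is required; the CA names and `vpn.example.test` are made up, and `-CAfile root.pem` stands in for a CA bundle that contains the issuing root. The lab root plays the role ISRG Root X1 plays for Let's Encrypt and the lab intermediate the role of R3, by analogy only.

```shell
#!/bin/sh
# Added example, not code from the thread: build a throwaway root -> intermediate -> leaf
# chain with the openssl CLI and watch how `openssl verify` reports three situations:
#   (a) trusted root, intermediate not supplied            -> error 20 at depth 0
#   (b) trusted root, intermediate given via -untrusted    -> OK
#   (c) intermediate given, root absent from every store   -> error 20 at depth 1
# All names (Example Lab Root/Intermediate, vpn.example.test) are made up for this demo.
set -u

LAB=$(mktemp -d)

# Minimal req config so the demo does not depend on the system openssl.cnf.
cat > "$LAB/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$LAB/int.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:vpn.example.test\nextendedKeyUsage=serverAuth\n' > "$LAB/leaf.ext"

# Root CA (the role ISRG Root X1 plays for Let's Encrypt): self-signed.
openssl req -x509 -config "$LAB/req.cnf" -newkey rsa:2048 -nodes -days 2 \
  -subj "/CN=Example Lab Root" -keyout "$LAB/root.key" -out "$LAB/root.pem" >/dev/null 2>&1

# Intermediate CA (the role R3 plays): CSR, then signed by the root.
openssl req -new -config "$LAB/req.cnf" -newkey rsa:2048 -nodes \
  -subj "/CN=Example Lab Intermediate" -keyout "$LAB/int.key" -out "$LAB/int.csr" >/dev/null 2>&1
openssl x509 -req -days 2 -in "$LAB/int.csr" -CA "$LAB/root.pem" -CAkey "$LAB/root.key" \
  -CAcreateserial -extfile "$LAB/int.ext" -out "$LAB/int.pem" >/dev/null 2>&1

# Leaf (server) certificate signed by the intermediate.
openssl req -new -config "$LAB/req.cnf" -newkey rsa:2048 -nodes \
  -subj "/CN=vpn.example.test" -keyout "$LAB/leaf.key" -out "$LAB/leaf.csr" >/dev/null 2>&1
openssl x509 -req -days 2 -in "$LAB/leaf.csr" -CA "$LAB/int.pem" -CAkey "$LAB/int.key" \
  -CAcreateserial -extfile "$LAB/leaf.ext" -out "$LAB/leaf.pem" >/dev/null 2>&1

# certbot's fullchain.pem layout: leaf first, then the intermediate(s).
cat "$LAB/leaf.pem" "$LAB/int.pem" > "$LAB/fullchain.pem"

# verify_leaf OPTIONS...: run `openssl verify OPTIONS leaf.pem` and reduce the output to
# "OK" or "error <code> (depth <n>): <reason>", the same code, depth and reason text
# that the thread's pasted output shows.
verify_leaf() {
  out=$(openssl verify "$@" "$LAB/leaf.pem" 2>&1) && { echo OK; return 0; }
  printf '%s\n' "$out" \
    | sed -n 's/^error \([0-9]*\) at \([0-9]*\) depth lookup: \(.*\)$/error \1 (depth \2): \3/p' \
    | head -n 1
}

# (a) root trusted, nothing to bridge leaf -> root: fails at depth 0 (the leaf itself).
case_missing_intermediate() { verify_leaf -CAfile "$LAB/root.pem"; }
# (b) root trusted, intermediate supplied the way the thread's -untrusted command does.
case_with_untrusted()       { verify_leaf -CAfile "$LAB/root.pem" -untrusted "$LAB/fullchain.pem"; }
# (c) intermediate supplied but the root is in no store: fails at depth 1 (the intermediate).
case_root_not_trusted()     { verify_leaf -untrusted "$LAB/int.pem"; }

printf 'missing intermediate : %s\n' "$(case_missing_intermediate)"
printf 'with -untrusted      : %s\n' "$(case_with_untrusted)"
printf 'root not in store    : %s\n' "$(case_root_not_trusted)"
```

Case (a) has the shape of the poster's `openssl verify fullchain.pem`: `openssl verify` only checks the first certificate in the file, no untrusted certificates are offered, and the default store does not contain R3, so the chain stops at depth 0. Case (c) is the shape of a client whose CA bundle lacks ISRG Root X1: the intermediate is available but nothing trusted issues it, which is why switching between the short and long chain does not help there, as the last reply says. The depth printed in the error tells the two apart.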

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.