OpenVPN Connect complains invalid certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: l3vpn.com

I ran this command: sudo certbot certonly --apache

It produced this output:

My web server is (include version): Apache/2.4.6

The operating system my web server runs on is (include version): CentOS 7

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes, full control

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.31.0

Hi, I follow instructions at Certbot Instructions | Certbot and successfully installed the certificate. All browsers show valid certificate without issue.

However, when I try to import openvpn profile into OpenVPN Connect via URL, it complains invalid certificate.

I looked for other websites that use Let's Encrypt. When I enter their URL into OpenVPN Connect, they all show an invalid certificate, except https://nginx.org/, in which case OpenVPN Connect recognizes it as a valid certificate without complaint.

I wonder how nginx.org generates its letsencrypt certificate.

Many thanks

First: I think OpenVPN Connect is wrong for claiming the certificate chain is self-signed. It does not match the validation behavior of other clients like browsers.

The default certificate bundle that Let's Encrypt suggests is:

l3vpn.com ← R3 ← ISRG Root X1

Usually including the "ISRG Root X1" root would not be necessary, but it is included in order to address compatibility issues with older Android devices.

It seems that OpenVPN Connect is detecting that bundled "ISRG Root X1" certificate as self-signed.

nginx.org on the other hand, is using the short alternate chain:

nginx.org ← R3

I think if you configure your certificate to not include the cross-signed "ISRG Root X1" certificate in your chain, the OpenVPN Connect error should go away. However, this may affect compatibility with older Android devices.

You can try changing to the shorter version of the chain by renewing your certificate:

sudo certbot renew --cert-name l3vpn.com --preferred-chain "ISRG Root X1" --force-renewal

and see whether it makes any difference.

Please be mindful of rate limits, renewing a certificate this way will use 1 out of 5 total weekly certificates you can create for this domain.

2 Likes
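To make the chain-shape difference above concrete, here is an added example (not code from the thread, and not Certbot's or OpenVPN's own tooling) that builds a throwaway root → intermediate → leaf chain with the openssl CLI, assembles the two bundle shapes discussed (certbot's default with the self-signed root appended, and the short chain ending at the intermediate), then checks each for the property a picky client trips on (last certificate has subject == issuer) and runs ordinary path validation on both. The CA names "Example Root" and "Example R3", the host name vpn.example.com, and all keys are constructed locally; nothing is fetched from Let's Encrypt.

```shell
#!/bin/sh
# Added example: compare a chain bundle that ends in a self-signed root with
# one that ends at the intermediate. Everything here is generated locally.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the script does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
# Extension files for the certificates issued with `openssl x509 -req`.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:vpn.example.com\n' > "$WORK/leaf.ext"

# Self-signed root (stands in for ISRG Root X1).
openssl req -x509 -config "$WORK/req.cnf" -extensions v3_ca \
  -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" -days 30 \
  -subj "/CN=Example Root" 2>/dev/null

# Intermediate signed by the root (stands in for R3).
openssl req -new -config "$WORK/req.cnf" \
  -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
  -keyout "$WORK/inter.key" -out "$WORK/inter.csr" -subj "/CN=Example R3" 2>/dev/null
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null

# Leaf signed by the intermediate (stands in for the site certificate).
openssl req -new -config "$WORK/req.cnf" \
  -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" -subj "/CN=vpn.example.com" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
  -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

# The two bundle shapes: certbot's default (root appended) and the short chain.
cat "$WORK/leaf.pem" "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/fullchain-long.pem"
cat "$WORK/leaf.pem" "$WORK/inter.pem" > "$WORK/fullchain-short.pem"

# Number of PEM certificates in a bundle.
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# subject= and issuer= lines of the LAST certificate in a PEM bundle.
last_cert_names() {
  awk '/BEGIN CERTIFICATE/ {c = ""} {c = c $0 "\n"} /END CERTIFICATE/ {last = c} END {printf "%s", last}' "$1" |
    openssl x509 -noout -subject -issuer -nameopt RFC2253
}

# Succeeds when the bundle ends in a self-signed certificate (subject == issuer),
# which is the property OpenVPN Connect appears to object to.
chain_ends_self_signed() {
  names=$(last_cert_names "$1")
  [ "$(printf '%s\n' "$names" | sed -n 's/^subject=//p')" = \
    "$(printf '%s\n' "$names" | sed -n 's/^issuer=//p')" ]
}

# Ordinary path validation with the root in the trust store ($2): both bundle
# shapes validate, which is why browsers accept either one.
verify_leaf() {
  openssl verify -CAfile "$2" -untrusted "$1" "$WORK/leaf.pem" >/dev/null 2>&1
}

for b in long short; do
  f="$WORK/fullchain-$b.pem"
  if chain_ends_self_signed "$f"; then tail="self-signed root"; else tail="intermediate"; fi
  if verify_leaf "$f" "$WORK/root.pem"; then ok=valid; else ok=INVALID; fi
  echo "$b chain: $(cert_count "$f") certs, ends in $tail, openssl verify: $ok"
done
```

The same `last_cert_names` check can be pointed at a real deployment by feeding it the bundle certbot wrote (`/etc/letsencrypt/live/<name>/fullchain.pem`): if the last certificate's subject equals its issuer, the bundle carries a root and the `--preferred-chain` renewal above is the fix to try.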

I did it the way you suggested, and OpenVPN Connect no longer complains that the certificate is invalid. Don't know how this may affect older Android devices though, as I don't have one.

Thank you for your help!

1 Like
