OpenVPN Connect complains invalid certificate

First: I think OpenVPN Connect is wrong for claiming the certificate chain is self-signed. It does not match the validation behavior of other clients like browsers.

The default certificate bundle that Let's Encrypt suggests is:

i3vpn.com ← R3 ← ISRG Root X1

Usually including the "ISRG Root X1" root would not be necessary, but it is included in order to address compatibility issues with older Android devices.

It seems that OpenVPN Connect is detecting that bundled "ISRG Root X1" certificate as self-signed.

nginx.org on the other hand, is using the short alternate chain:

nginx.org ← R3

I think if you configure your certificate to not include the cross-signed "ISRG Root X1" certificate in your chain, the OpenVPN Connect error should go away. However, this may affect compatibility with older Android devices.

You can try changing to the shorter version of the chain by renewing your certificate:

sudo certbot renew --cert-name l3vpn.com --preferred-chain "ISRG Root X1" --force-renewal

and see whether it makes any difference.

Please be mindful of rate limits: renewing a certificate this way will use 1 out of the 5 total weekly certificates you can create for this domain.

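The distinction the reply above draws, a "long" bundle that ends in a root certificate versus a "short" one that stops at the intermediate, can be checked locally. The script below is an added example, not code from the original thread or from Let's Encrypt or OpenVPN: it builds a throwaway three-certificate PKI with openssl (the names Toy Root, Toy R3 and vpn.example are made up and stand in for ISRG Root X1, R3 and the VPN server certificate), assembles both bundles, counts how many certificates in each are self-signed (issuer equal to subject, which is what the reply suspects OpenVPN Connect is objecting to), and shows that the leaf still verifies against a trust store that holds only the root when the short bundle is used. It assumes an `openssl` binary on PATH.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a toy root -> intermediate -> leaf
# PKI, then compares a bundle that includes the root with one that stops at the
# intermediate. All names and the temporary directory are constructed for the demo.
set -e

W=$(mktemp -d)
trap 'rm -rf "$W"' EXIT

# Minimal openssl req config so the commands do not depend on a system openssl.cnf.
write_cnf() {   # $1=file  $2=CN  $3=extension lines used when self-signing with -x509
  printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = ext\n[dn]\nCN = %s\n[ext]\n%s\n' "$2" "$3" > "$1"
}

CA_EXT='basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash'
LEAF_EXT='basicConstraints = CA:FALSE
subjectAltName = DNS:vpn.example'

# Self-signed root (stands in for ISRG Root X1).
write_cnf "$W/root.cnf" "Toy Root" "$CA_EXT"
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$W/root.cnf" \
  -keyout "$W/root.key" -out "$W/root.pem" 2>/dev/null

# Intermediate signed by the root (stands in for R3).
write_cnf "$W/int.cnf" "Toy R3" "$CA_EXT"
openssl req -new -newkey rsa:2048 -nodes -config "$W/int.cnf" \
  -keyout "$W/int.key" -out "$W/int.csr" 2>/dev/null
printf '%s\n' "$CA_EXT" > "$W/int.ext"
openssl x509 -req -days 30 -in "$W/int.csr" -CA "$W/root.pem" -CAkey "$W/root.key" \
  -CAcreateserial -extfile "$W/int.ext" -out "$W/int.pem" 2>/dev/null

# Leaf signed by the intermediate (stands in for the VPN server certificate).
write_cnf "$W/leaf.cnf" "vpn.example" "$LEAF_EXT"
openssl req -new -newkey rsa:2048 -nodes -config "$W/leaf.cnf" \
  -keyout "$W/leaf.key" -out "$W/leaf.csr" 2>/dev/null
printf '%s\n' "$LEAF_EXT" > "$W/leaf.ext"
openssl x509 -req -days 30 -in "$W/leaf.csr" -CA "$W/int.pem" -CAkey "$W/int.key" \
  -CAcreateserial -extfile "$W/leaf.ext" -out "$W/leaf.pem" 2>/dev/null

# The two bundles a server might serve: leaf <- R3 <- root, and leaf <- R3.
cat "$W/leaf.pem" "$W/int.pem" "$W/root.pem" > "$W/long.pem"
cat "$W/leaf.pem" "$W/int.pem"               > "$W/short.pem"

# True when a certificate's issuer equals its subject, i.e. it is self-signed.
is_self_signed() {
  s=$(openssl x509 -noout -subject -in "$1"); i=$(openssl x509 -noout -issuer -in "$1")
  [ "${s#subject=}" = "${i#issuer=}" ]
}

# Split a PEM bundle into one file per certificate, in order; prints the directory.
split_bundle() {
  d=$(mktemp -d "$W/split.XXXXXX")
  awk -v d="$d" '/-----BEGIN CERTIFICATE-----/{n++} {print > (d "/cert" n ".pem")}' "$1"
  echo "$d"
}

# Print the number of self-signed certificates found in a bundle.
count_self_signed() {
  d=$(split_bundle "$1"); n=0
  for f in "$d"/cert*.pem; do
    if is_self_signed "$f"; then n=$((n + 1)); fi
  done
  echo "$n"
}

# Print "subject <- issuer" for every certificate in a bundle, flagging self-signed ones.
describe_chain() {
  d=$(split_bundle "$1")
  for f in "$d"/cert*.pem; do
    s=$(openssl x509 -noout -subject -in "$f"); i=$(openssl x509 -noout -issuer -in "$f")
    flag=""; if is_self_signed "$f"; then flag="  [self-signed]"; fi
    printf '%s <- %s%s\n' "${s#subject=}" "${i#issuer=}" "$flag"
  done
}

# Verify the leaf with a trust store holding only the root, using the bundle as the
# pool of untrusted intermediates. Prints "ok" or "fail".
verify_with_root() {
  if openssl verify -CAfile "$W/root.pem" -untrusted "$1" "$W/leaf.pem" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

echo "Long chain:";  describe_chain "$W/long.pem"
echo "Short chain:"; describe_chain "$W/short.pem"
echo "self-signed certs in long chain:  $(count_self_signed "$W/long.pem")"
echo "self-signed certs in short chain: $(count_self_signed "$W/short.pem")"
echo "short chain verifies with root in trust store: $(verify_with_root "$W/short.pem")"
```

To run the same check against a live server instead of the toy PKI, save the output of `openssl s_client -connect host:443 -showcerts </dev/null` to a file and pass that file to `count_self_signed` and `describe_chain`; a count of 1 means the served bundle ends in a self-signed root, which is the situation the reply describes.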