I'm pretty sure you would need to use OpenVPN to get the cert/chain used.
Well, without a hostname to connect to, I can't test anything anyway.
Yeah, thanks for the thought, but I'm not going to post VPN domains here.
Is there a certificate further up the chain that I could install to avoid this issue in future if they fail at the next renewal?
Allister999, could you confirm that you're definitely not having the problem outlined in the linked issue, "ISRG Root lazy loading problem + missing from (random) updated Windows 10 versions"?
It sounds like it may be possible this is the underlying problem you're having and it also seems some people in this thread may not be aware of this as well.
It's hard for me to state where the issue is precisely. We had an issue on renewal of the certificate that meant only Windows 10 machines failed to connect to our VPN service until we installed the renewed certificate locally. This was multiple W10 machines on multiple sites. No macOS or iOS device experienced a connection issue. If you have any tests that I can try and narrow it down.
- Fresh Windows 10 VM/machine
- Don't browse to any sites using a browser
- Configure IKEv2 profile
- See if it fails (should)
- Open IE/edge to https://valid-isrgrootx1.letsencrypt.org/ (triggers loading of ISRG Root X1)
- Try connecting to IKEv2 server again (should pass)
Confirms rasdial lazy-load of root issue in the other thread.
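
The test sequence listed above can be scripted so the state of the root store is recorded next to each connection attempt. This is an added example, not something posted in the thread. It assumes a hypothetical profile name `Test-IKEv2`, a profile that `rasdial` can dial without prompting for credentials, and that a TLS request from PowerShell triggers the same root load as the browser step.

```powershell
# Added example, not from the thread. Run on the fresh Windows 10 machine
# after the IKEv2 profile exists and before any browsing.
param(
    [string]$VpnName = 'Test-IKEv2'  # hypothetical profile name (assumption)
)

function Test-IsrgRootX1 {
    # True when ISRG Root X1 is present in a machine-level trusted root store.
    $paths = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot'
    $hit = Get-ChildItem -Path $paths |
        Where-Object { $_.Subject -match 'CN=ISRG Root X1(,|$)' }
    return [bool]$hit
}

function Test-VpnDial {
    param([string]$Name)
    # Assumes the profile dials without prompting for credentials.
    rasdial $Name | Out-Null
    $connected = ($LASTEXITCODE -eq 0)
    if ($connected) { rasdial $Name /disconnect | Out-Null }
    return $connected
}

# Steps 1-4: record root presence and the first connection attempt.
$before = [pscustomobject]@{
    Step = 'before'; RootPresent = (Test-IsrgRootX1); VpnConnects = (Test-VpnDial $VpnName)
}

# Step 5 stand-in (assumption): a TLS request to the test host named in the thread.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
try {
    Invoke-WebRequest -Uri 'https://valid-isrgrootx1.letsencrypt.org/' -UseBasicParsing | Out-Null
} catch {
    Write-Warning "TLS request failed: $($_.Exception.Message)"
}

# Step 6: record root presence and the second connection attempt.
$after = [pscustomobject]@{
    Step = 'after'; RootPresent = (Test-IsrgRootX1); VpnConnects = (Test-VpnDial $VpnName)
}

$before, $after | Format-Table -AutoSize
if (-not $before.RootPresent -and $after.RootPresent -and
    -not $before.VpnConnects -and $after.VpnConnects) {
    'Result matches the lazy-load explanation: root absent and VPN failing until the root was fetched.'
}
```

If `RootPresent` is already true in the `before` row, the machine is not in the fresh state the test requires and the result says nothing about lazy loading.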