OpenVPN: Server Certificate verification failed

OMNi
Posts: 3
Joined: Thu Sep 30, 2021 1:53 pm

OpenVPN: Server Certificate verification failed

Post by OMNi » Thu Sep 30, 2021 2:21 pm

Hello everyone,
Since this morning, my Android smartphone can no longer connect to my SoftEther VPN server. I have an error message regarding the certificate verification (see screenshot). I am using the OpenVPN clone server feature, and I connect my phone using OpenVPN Connect. It had been working perfectly for over two years. I'm wondering if this could be related to the expiration of Let's Encrypt's root certificate (IdenTrust DST Root CA X3) https://scotthelme.co.uk/lets-encrypt-o ... xpiration/ . Does somebody have a workaround, maybe?

eddiewu
Posts: 286
Joined: Wed Nov 25, 2020 9:10 am

Re: OpenVPN: Server Certificate verification failed

Post by eddiewu » Thu Sep 30, 2021 2:24 pm

Now you know that the root CA expired. Why not replace it? Let's Encrypt now has a new root.

nobody12
Posts: 139
Joined: Sat Feb 13, 2021 10:22 pm

Re: OpenVPN: Server Certificate verification failed

Post by nobody12 » Thu Sep 30, 2021 4:15 pm

I had to replace/renew several LE certificates today.
Isn't it a little bit strange/unusual that LE did issue certificates which had a longer lifetime than the Root CA? Windows did not complain, but iPhone and Android did, also antivirus programs.
I learnt that a CA may not issue a certificate which has a longer lifetime than the CA.
Does anyone here have good knowledge of how it should work?

eddiewu
Posts: 286
Joined: Wed Nov 25, 2020 9:10 am

Re: OpenVPN: Server Certificate verification failed

Post by eddiewu » Thu Sep 30, 2021 4:35 pm

Because it’s cross signed.

nobody12
Posts: 139
Joined: Sat Feb 13, 2021 10:22 pm

Re: OpenVPN: Server Certificate verification failed

Post by nobody12 » Thu Sep 30, 2021 4:40 pm

But then the behaviour I saw today is a client problem of Android and iOS devices?
If the certificate is signed by multiple authorities, it should be good anyway even if one of the signing CAs is expired?

eddiewu
Posts: 286
Joined: Wed Nov 25, 2020 9:10 am

Re: OpenVPN: Server Certificate verification failed

Post by eddiewu » Thu Sep 30, 2021 5:20 pm

1. The SoftEther official client does not perform TLS server verification.
2. With standard TLS verification and an up-to-date trust store installed, this is true. So browsers won’t complain about the expiry today. But OpenVPN works differently.

nobody12
Posts: 139
Joined: Sat Feb 13, 2021 10:22 pm

Re: OpenVPN: Server Certificate verification failed

Post by nobody12 » Thu Sep 30, 2021 5:27 pm

Thank you. Confirms my guess.
(My problem was not with SoftEther, but with Microsoft Exchange certificates and clients.)

OMNi
Posts: 3
Joined: Thu Sep 30, 2021 1:53 pm

Re: OpenVPN: Server Certificate verification failed

Post by OMNi » Thu Sep 30, 2021 8:18 pm

eddiewu wrote:
Thu Sep 30, 2021 2:24 pm
Now you know that the root CA expired. Why not replace it? Let's Encrypt now has a new root.
My own Let's Encrypt certificate is up to date. I have the new ISRG Root X1 root certificate installed on my server (Windows). I am using SoftEther's GUI to automatically generate my OpenVPN configuration file with the one-click button. I tried to make a new config file, but SoftEther no longer creates a client certificate for me in the config file. For the other machines connected to the VPN with the SoftEther client, no problem, everything works normally with certificate authentication.

eddiewu
Posts: 286
Joined: Wed Nov 25, 2020 9:10 am

Re: OpenVPN: Server Certificate verification failed

Post by eddiewu » Fri Oct 01, 2021 12:12 am

I’m confused. Where is your issue? Server certificate or client certificate?
I don’t know how you installed the root CA. You need to renew the Let’s Encrypt cert first and set it as the server certificate. You also want to make sure that chain_certs stores the new intermediate and the root and no others. It should be automatically populated when setting a new server certificate.
The client certificate is a completely different story.
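
A simplified model of the chain behaviour discussed in this thread, added here as an example (it is not part of any post and is not SoftEther or OpenVPN code). It compares a verifier that stops at the first trusted anchor with one that follows the chain the server sends, and shows why a chain holding only the new intermediate passes in both cases. The intermediate and leaf names, all dates, the trust store contents and the `verify` function are constructed assumptions.

```python
from datetime import datetime, timezone

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed certificates as (subject, issuer, not_after); dates are illustrative.
OLD_ROOT = ("DST Root CA X3", "DST Root CA X3", utc(2021, 9, 30))
NEW_ROOT = ("ISRG Root X1", "ISRG Root X1", utc(2035, 6, 4))
CROSS = ("ISRG Root X1", "DST Root CA X3", utc(2024, 9, 30))  # cross-signed copy
INTER = ("Example Intermediate", "ISRG Root X1", utc(2025, 9, 15))
LEAF = ("vpn.example.test", "Example Intermediate", utc(2021, 12, 29))

TRUST = {c[0]: c for c in (OLD_ROOT, NEW_ROOT)}  # client trust store (assumed)
OLD_CHAIN = [LEAF, INTER, CROSS]   # server still sends the cross-signed cert
NEW_CHAIN = [LEAF, INTER]          # only the new intermediate; root is in TRUST

def verify(sent, trust, now, trusted_first):
    """Walk from the leaf (sent[0]) to a trust anchor; return (ok, path)."""
    by_subject = {c[0]: c for c in sent[1:]}
    cert, path = sent[0], []
    for _ in range(len(sent) + 2):  # bound the walk so odd chains cannot loop
        path.append(f"{cert[0]} <- {cert[1]}")
        if cert[2] <= now:
            return False, path + [f"expired: {cert[0]}"]
        if trust.get(cert[0]) == cert:
            return True, path  # reached an unexpired trusted anchor
        anchor, link = trust.get(cert[1]), by_subject.get(cert[1])
        if link == cert:
            link = None  # untrusted self-signed cert cannot vouch for itself
        # The two strategies differ only in which issuer candidate wins.
        nxt = (anchor or link) if trusted_first else (link or anchor)
        if nxt is None:
            return False, path + [f"no issuer found for {cert[0]}"]
        cert = nxt
    return False, path + ["chain too long"]

if __name__ == "__main__":
    now = utc(2021, 10, 1)  # the day after the old root expired
    for name, chain in (("old chain", OLD_CHAIN), ("new chain", NEW_CHAIN)):
        for tf in (True, False):
            ok, path = verify(chain, TRUST, now, tf)
            print(f"{name}, trusted_first={tf}: {'OK' if ok else 'FAIL'} via {path}")
```
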

OMNi
Posts: 3
Joined: Thu Sep 30, 2021 1:53 pm

Re: OpenVPN: Server Certificate verification failed

Post by OMNi » Fri Oct 01, 2021 11:36 am

Never mind! After a second renewal of the server certificate, everything seems to work normally again. I must have missed something the first time. Thank you very much for your help and patience!
