
I was trying to connect to my company's OpenVPN network via the macOS OpenVPN application and hit the warning "The server vpn.my_company.com has an UNTRUSTED SSL certificate. Allow the connection to proceed?"

When clicking "More details", the reason states "X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired". But then I have the option to connect anyway.

I also checked for more info on the OpenVPN admin web page; the Certificate "Validation Results" section displays:

Web Certificate/Key validation results.

Certificate Trust Warning: certificate has expired

Valid From: 2018.08.24 00:00:00 UTC

Valid Until: 2020.08.23 23:59:59 UTC --> which is a few more months in the future

My certificate is issued by COMODO and its status is still active. Also, when I access vpn.my_company.com via a web browser, the certificate is still fine, i.e. no warning about an expired certificate.

Any idea why the OpenVPN application keeps warning me about an expired cert? And is my connection via the OpenVPN application actually unsecured? Or can I just ignore the warning?

Thanks a lot for any comment on this :)

user87313

1 Answer


This is the response I received from OpenVPN Support. It required me to update my intermediate cert:

Hello,

The problem you have contacted us about relates to a problem with a certificate issued by COMODO/Sectigo Addtrust or some third-party issuing their certificates. If you experience problems with COMODO/Sectigo Addtrust certificates, we recommend that you contact them or your certificate issuer for support on their certificates.

Some of our customers have expressed a need for further support from us. Our policy on this is that this problem is not actually in the Access Server but is with the certificate or its CA bundle. It is outside the Access Server. But we can give you some advice and resources that can help though. For example, in the link to Sectigo support, there is mention of a cross-certificate. What this allows is to use a new valid certificate and validate that against an old CA root that is not expired. This can be done from the server side where the certificate and CA bundle are installed. It involves getting the CA bundle from your certificate issuer, and adding to it the contents of the cross-certificate as found on the Sectigo website. This allows an SSL client trying to validate to use an old CA root that isn’t expired. So if you are a system administrator encountering problems with these certificates from COMODO/Sectigo AddTrust, then you may want to consider this option. Further resources are found below.

On May 30th of 2020, a CA root certificate by COMODO/Sectigo Addtrust expired. After that date, any legacy systems that use this CA root certificate will experience an outage or display an error message like "certificate is expired" or "certificate is invalid" when verifying a certificate signed by COMODO/Sectigo Addtrust.

What can happen in certain cases is that you might have a certificate that is valid, but because the CA root certificate it chains to for verification is expired, you will still get a message saying that the certificate is expired or invalid.

More information on the problem and possible solutions can be found here on the official Sectigo website: https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l00000117LT

Sectigo has other, older, legacy roots apart from the AddTrust root, and they have generated cross-certificates from one in order to extend backward compatibility. The cross certificate is signed by the root called "AAA Certificate Services". Customers who have embedded AddTrust External CA Root into their applications or custom legacy devices may need to embed the new USERTrust RSA CA Root replacement.

Older Access Servers can contain CA root information that is outdated. To resolve that, you can update the Access Server to the latest version that contains the most up-to-date information.

If you experience problems with COMODO/Sectigo Addtrust certificates, we recommend that you contact them or your certificate issuer for support on their certificates.

Kind regards, Johan Draaisma, Access Server and OpenVPN core project manager - Stay up to date with latest security developments: https://openvpn.net/security-advisories/

  • Brilliant!! Thanks very much!! I will try to update OpenVPN then – user87313 Jun 01 '20 at 04:17
  • But I don't think updating the cert is required though; I just upgraded the OpenVPN AS, or a faster way is to just download the client.ovpn file and import it manually again. That fixes the problem in my case – user87313 Jun 01 '20 at 10:08
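The support reply above describes two things at once: a leaf certificate that is still valid failing because the root it chains to expired, and a cross-certificate that lets the same leaf chain to a different, unexpired root. The model below, added here as an illustration and not code from OpenVPN, OpenSSL or Sectigo, shows both by comparing a "legacy" verifier that checks the chain exactly as the server sends it against a path-building verifier that searches every issuer path and accepts the first one in which every certificate is valid at the verification time. The leaf's dates and the 30 May 2020 AddTrust expiry come from this page; every other name, date and the chain layout are assumptions for illustration (no signatures are checked, only subject/issuer names and validity periods).

```python
"""Constructed model of X.509 chain validation across an expired root (illustration only)."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime

    def is_valid_at(self, when: datetime) -> bool:
        return self.not_before <= when <= self.not_after

    @property
    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


def d(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Leaf validity is taken from the question; all other dates are assumed for illustration.
LEAF = Cert("vpn.my_company.com", "Sectigo RSA Domain Validation Secure Server CA", d(2018, 8, 24), d(2020, 8, 23))
SECTIGO_INT = Cert("Sectigo RSA Domain Validation Secure Server CA", "USERTrust RSA Certification Authority", d(2018, 11, 2), d(2030, 12, 31))
# Old cross-certificate: USERTrust signed by AddTrust, expiring with the AddTrust root on 30 May 2020.
USERTRUST_X_ADDTRUST = Cert("USERTrust RSA Certification Authority", "AddTrust External CA Root", d(2000, 5, 30), d(2020, 5, 30))
# Replacement cross-certificate: USERTrust signed by the older "AAA Certificate Services" root.
USERTRUST_X_AAA = Cert("USERTrust RSA Certification Authority", "AAA Certificate Services", d(2019, 3, 12), d(2028, 12, 31))
ADDTRUST_ROOT = Cert("AddTrust External CA Root", "AddTrust External CA Root", d(2000, 5, 30), d(2020, 5, 30))
AAA_ROOT = Cert("AAA Certificate Services", "AAA Certificate Services", d(2004, 1, 1), d(2028, 12, 31))
USERTRUST_ROOT = Cert("USERTrust RSA Certification Authority", "USERTrust RSA Certification Authority", d(2010, 2, 1), d(2038, 1, 18))


def verify_served_chain(chain, trust_store, when):
    """Legacy behaviour: walk the chain in the order the server sent it; any expired link fails it."""
    for cert, nxt in zip(chain, chain[1:]):
        if cert.issuer != nxt.subject:
            return False, f"{cert.subject} is not issued by {nxt.subject}"
    for cert in chain:
        if not cert.is_valid_at(when):
            return False, f"{cert.subject}: certificate has expired"
    anchor = next((r for r in trust_store if r.subject == chain[-1].issuer), None)
    if anchor is None:
        return False, f"no trust anchor for {chain[-1].issuer}"
    if not anchor.is_valid_at(when):
        return False, f"{anchor.subject}: certificate has expired"
    return True, f"chain ends at trusted root {anchor.subject}"


def verify_with_path_building(leaf, intermediates, trust_store, when):
    """Path-building behaviour: try every issuer candidate and accept the first all-valid path to a root."""
    by_subject = {}
    for c in list(intermediates) + list(trust_store):
        by_subject.setdefault(c.subject, []).append(c)
    roots = set(trust_store)

    def search(cert, path):
        if not cert.is_valid_at(when):
            return None                      # dead end: this link is expired at `when`
        if cert in roots:
            return path + [cert]
        if cert.is_self_signed:
            return None                      # self-signed but not trusted: dead end
        for issuer in by_subject.get(cert.issuer, []):
            if issuer in path:
                continue                     # avoid looping through cross-certificates
            found = search(issuer, path + [cert])
            if found:
                return found
        return None

    path = search(leaf, [])
    if path is None:
        return False, "no valid path to a trusted root"
    return True, " -> ".join(c.subject for c in path)


if __name__ == "__main__":
    old_bundle = [LEAF, SECTIGO_INT, USERTRUST_X_ADDTRUST]
    new_bundle = [LEAF, SECTIGO_INT, USERTRUST_X_AAA]
    print("legacy client, day before expiry:", verify_served_chain(old_bundle, [ADDTRUST_ROOT], d(2020, 5, 29)))
    print("legacy client, after expiry:     ", verify_served_chain(old_bundle, [ADDTRUST_ROOT], d(2020, 6, 1)))
    print("modern client, after expiry:     ", verify_with_path_building(LEAF, old_bundle[1:], [AAA_ROOT, USERTRUST_ROOT], d(2020, 6, 1)))
    print("legacy client, fixed bundle:     ", verify_served_chain(new_bundle, [ADDTRUST_ROOT, AAA_ROOT], d(2020, 6, 1)))
```

The four scenarios reproduce the symptom in the question: the same leaf passes the legacy verifier on 29 May, fails it on 1 June with "certificate has expired" even though the leaf itself is months from expiry, passes a path-building verifier that holds a current root, and passes the legacy verifier again once the server bundle carries the cross-certificate signed by the unexpired root. Which of the two behaviours a real client shows depends on its TLS library, which is why a browser and the OpenVPN client can disagree about one server.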