OpenVPN: Server Certificate verification failed

Posted: Thu Sep 30, 2021 2:21 pm
by OMNi
Hello everyone,
Since this morning, my Android smartphone can no longer connect to my SoftEther VPN server. I get an error message regarding the certificate verification (see screenshot). I am using the OpenVPN clone server feature, and I connect my phone using OpenVPN Connect. It had been working perfectly for over two years. I'm wondering if this could be related to the expiration of Let's Encrypt's root certificate (IdenTrust DST Root CA X3) https://scotthelme.co.uk/lets-encrypt-o ... xpiration/ . Does anybody have a workaround, maybe?

Re: OpenVPN: Server Certificate verification failed

Posted: Thu Sep 30, 2021 2:24 pm
by eddiewu
Now you know that the root CA expired. Why not replace it? Let's Encrypt now has a new root.

Re: OpenVPN: Server Certificate verification failed

Posted: Thu Sep 30, 2021 4:15 pm
by nobody12
I had to replace/renew several LE certificates today.
Isn't it a little bit strange/unusual that LE issued certificates which had a longer lifetime than the root CA? Windows did not complain, but iPhone and Android did, and also antivirus programs.
I learnt that a CA may not issue a certificate which has a longer lifetime than the CA.
Does anyone here have good knowledge of how it should work?

Re: OpenVPN: Server Certificate verification failed

Posted: Thu Sep 30, 2021 4:35 pm
by eddiewu
Because it’s cross signed.

Re: OpenVPN: Server Certificate verification failed

Posted: Thu Sep 30, 2021 4:40 pm
by nobody12
But then is the behaviour I saw today a client problem of Android and iOS devices?
If the certificate is signed by multiple authorities, it should be good anyway even if one of the signing CAs is expired?

Re: OpenVPN: Server Certificate verification failed

Posted: Thu Sep 30, 2021 5:20 pm
by eddiewu
1. The SoftEther official client does not perform TLS server verification.
2. With standard TLS verification and an up-to-date trust store installed, this is true. So browsers won't complain about the expiry today. But OpenVPN works differently.

Re: OpenVPN: Server Certificate verification failed

Posted: Thu Sep 30, 2021 5:27 pm
by nobody12
Thank you. That confirms my guess.
(My problem was not with SoftEther, but with Microsoft Exchange certificates and clients.)

Re: OpenVPN: Server Certificate verification failed

Posted: Thu Sep 30, 2021 8:18 pm
by OMNi
eddiewu wrote:
Thu Sep 30, 2021 2:24 pm
Now you know that the root CA expired. Why not replacing it? Let's encrypt now has a new root.
My own Let's Encrypt certificate is up to date. I have the new ISRG Root X1 root certificate installed on my server (Windows). I am using SoftEther's GUI to automatically generate my OpenVPN configuration file with the one-click button. I tried to make a new config file, but SoftEther no longer creates a client certificate for me in the config file. For the other machines connected to the VPN with the SoftEther client, there is no problem; everything works normally with certificate authentication.

Re: OpenVPN: Server Certificate verification failed

Posted: Fri Oct 01, 2021 12:12 am
by eddiewu
I'm confused. Where is your issue? Server certificate or client certificate?
I don't know how you installed the root CA. You need to renew the Let's Encrypt cert first and set it as the server certificate. You also want to make sure that chain_certs stores the new intermediate and the root and no others. It should be automatically populated when setting the new server certificate.
The client certificate is a completely different story.
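The check eddiewu describes above (make sure the chain that ends up on the client holds the current intermediate and root and nothing stale) can be scripted against the exported profile, since OpenVPN clients only trust what is in the profile's inline <ca> block, not the OS trust store. The following is an added example, not code from this thread or from the SoftEther project. It assumes the openssl CLI is on PATH and that the profile uses an inline <ca>...</ca> block (the form SoftEther's one-click export produces); the sample profile it builds is constructed test input with two freshly generated self-signed certificates standing in for an intermediate and a root, not real Let's Encrypt certificates.

```shell
#!/bin/sh
# Added example (not from the thread): report the expiry of every certificate
# embedded in an OpenVPN profile's <ca> block. Requires the openssl CLI.

# ovpn_ca_block PROFILE
# Print the PEM text between <ca> and </ca>, with any CRLF line endings
# stripped (SoftEther on Windows may export the profile with CRLF).
ovpn_ca_block() {
  tr -d '\r' < "$1" | sed -n '/^<ca>$/,/^<\/ca>$/p' | sed '/^<ca>$/d;/^<\/ca>$/d'
}

# ovpn_ca_report PROFILE [SECONDS]
# One line per embedded certificate: STATUS|subject|issuer|notAfter.
# STATUS is EXPIRING when the certificate expires within SECONDS from now
# (default 0, i.e. it is already expired), otherwise OK.
ovpn_ca_report() {
  profile=$1
  horizon=${2:-0}
  dir=$(mktemp -d)
  # Split the concatenated PEM chain into one file per certificate.
  ovpn_ca_block "$profile" | awk -v dir="$dir" '
    /^-----BEGIN CERTIFICATE-----$/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
    n > 0 { print > out }
  '
  for c in "$dir"/cert*.pem; do
    [ -f "$c" ] || continue
    subject=$(openssl x509 -in "$c" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$c" -noout -issuer | sed 's/^issuer= *//')
    enddate=$(openssl x509 -in "$c" -noout -enddate | sed 's/^notAfter=//')
    # -checkend exits non-zero if the cert expires within the given seconds.
    if openssl x509 -in "$c" -noout -checkend "$horizon" >/dev/null 2>&1; then
      status=OK
    else
      status=EXPIRING
    fi
    printf '%s|%s|%s|%s\n' "$status" "$subject" "$issuer" "$enddate"
  done
  rm -rf "$dir"
}

# ovpn_ca_expiring_count PROFILE [SECONDS]
# Number of embedded certificates flagged EXPIRING (0 means the chain is fine).
ovpn_ca_expiring_count() {
  ovpn_ca_report "$1" "${2:-0}" | grep -c '^EXPIRING|' || true
}

# make_sample_profile PATH
# Constructed test input: a minimal client profile whose <ca> block holds two
# freshly generated self-signed certificates (30-day validity) as stand-ins
# for an intermediate and a root. Not real Let's Encrypt certificates.
make_sample_profile() {
  out=$1
  dir=$(mktemp -d)
  for cn in "Sample Intermediate" "Sample Root"; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$cn" \
      -keyout "$dir/key.pem" -out "$dir/$cn.pem" >/dev/null 2>&1
  done
  {
    printf 'client\ndev tun\nproto udp\nremote vpn.example.invalid 1194\n'
    printf 'remote-cert-tls server\n<ca>\n'
    cat "$dir/Sample Intermediate.pem" "$dir/Sample Root.pem"
    printf '</ca>\n'
  } > "$out"
  rm -rf "$dir"
}

# Usage: sh check_ovpn_ca.sh profile.ovpn [seconds]
# e.g. a horizon of 2592000 (30 days) warns before a chain member lapses.
if [ $# -ge 1 ]; then
  ovpn_ca_report "$1" "${2:-0}"
fi
```

Run it against the profile SoftEther exported: any line whose STATUS is EXPIRING, or whose issuer is a CA that is no longer current, is one that must be replaced by re-setting the server certificate so chain_certs (and therefore the exported <ca> block) is repopulated with the current intermediate and root. A horizon of a few weeks turns the same script into a cron check that catches the next expiry before clients start failing.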

Re: OpenVPN: Server Certificate verification failed

Posted: Fri Oct 01, 2021 11:36 am
by OMNi
Never mind! After a second renewal of the server certificate, everything seems to work normally again. I must have missed something the first time. Thank you very much for your help and patience!