Description
While trying to connect to the VPN, you may face any of the following errors:
Peer certificate verification failure
or
certificate verify failed
Usually, this error happens because the OpenVPN CA certificate in your Access Server has expired. It can also occur if the OpenVPN server certificate or the affected user's VPN client certificate has expired. The scope of the failure is a first clue: an expired CA or server certificate breaks connections for every user at once, while an expired client certificate affects only the user whose profile carries it.
Isolation
To fix the issue, you must first determine which certificate has expired. The procedure differs depending on your Access Server version.
Important: If you use the ePKI feature in Access Server, generate new OpenVPN CA, OpenVPN server, and VPN client certificates on your external PKI system, upload them to Access Server, and download new connection profiles (.ovpn files) for your users.
For Access Server 2.9.0 and newer
First, isolate which certificate has expired. You can do this from the Admin Web UI, from the command line with sacli, or by querying the certificates database directly (sqlite3 or MySQL).
Option 1: Check expiration from the Admin Web UI
If you're the Access Server admin and you have access to the Admin Web UI, you can see the OpenVPN CA and VPN client certificate expirations by following the steps below:
- Sign in to the Admin Web UI.
- Click Configuration > CA Management to check the OpenVPN CA certificate expiration.
- Click User Management > User Profiles, select the affected user, and check the client certificate expirations for their downloaded connection profiles (.ovpn files).
Option 2: Check expiration using the CLI
If you're the Access Server admin and you have command-line interface (CLI) access, you can run the following commands:
- Connect to the console and get root privileges.
- Switch to the scripts directory:
cd /usr/local/openvpn_as/scripts/
- Check the OpenVPN CA certificate expiration:
./sacli ShowCAs
- An example output:
root@openvpnas:/usr/local/openvpn_as/scripts# ./sacli ShowCAs
Sn Type Common Name ClientCerts Valid from Valid Until KeyAlg Signing CA
1744905062 Current CA OpenVPN CA 2 2015-04-14 2025-04-18 rsa2048 -
- Check the VPN client certificates expiration:
./sacli ListClientsDetail
- Below is an example of the output:
root@openvpnas:/usr/local/openvpn_as/scripts# ./sacli ListClientsDetail
Sn Common Name User Autologin TC2 Pkey Last Used Valid from Valid Until KeyAlg Signing CA Device ID Comment
3 brandonopenvpn brandonopenvpn N N Y 2025-04-19 2025-04-16 2035-04-15 rsa2048 OpenVPN CA None
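The two sacli tables above are easy to read for one CA and one user, but on a server with many clients you want the expired rows pulled out for you. The helper below is an added example and is not part of the article or of Access Server's own tooling. It assumes only what the sample output shows: the Valid Until value is the last YYYY-MM-DD field on each row (it deliberately doesn't count whitespace-separated columns, because common names such as "OpenVPN CA" contain spaces). The two sample tables embedded in it are constructed from the example output above; check_live is the same check wired to a real server and isn't run here.

```shell
#!/bin/sh
# Added example: flag rows of "./sacli ShowCAs" or "./sacli ListClientsDetail"
# whose "Valid Until" date is already in the past.
# Usage: <sacli table> | flag_expired [YYYY-MM-DD]   (defaults to today, UTC)
# Exit status: 0 = nothing expired, 1 = at least one expired row (cron friendly).

# Constructed sample tables, copied from the example output above.
SAMPLE_SHOWCAS='Sn Type Common Name ClientCerts Valid from Valid Until KeyAlg Signing CA
1744905062 Current CA OpenVPN CA 2 2015-04-14 2025-04-18 rsa2048 -'
SAMPLE_CLIENTS='Sn Common Name User Autologin TC2 Pkey Last Used Valid from Valid Until KeyAlg Signing CA Device ID Comment
3 brandonopenvpn brandonopenvpn N N Y 2025-04-19 2025-04-16 2035-04-15 rsa2048 OpenVPN CA None'

flag_expired() {
  today="${1:-$(date -u +%Y-%m-%d)}"
  awk -v today="$today" '
    {
      # Assumption: "Valid Until" is the last date-shaped field on the row
      # (ListClientsDetail also has "Last Used" and "Valid from" before it).
      until = ""
      for (i = 1; i <= NF; i++)
        if ($i ~ /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]$/) until = $i
      # Header rows carry no date and are skipped; ISO dates compare as strings.
      if (until != "" && until < today) {
        expired++
        printf "EXPIRED: %s (valid until %s)\n", $0, until
      }
    }
    END { exit (expired > 0) }'
}

# Same check against a live server; run as root from /usr/local/openvpn_as/scripts.
check_live() {
  ./sacli ShowCAs           | flag_expired "$1"; ca_rc=$?
  ./sacli ListClientsDetail | flag_expired "$1"; client_rc=$?
  [ "$ca_rc" -eq 0 ] && [ "$client_rc" -eq 0 ]
}

# Demo on the constructed samples, evaluated as of 2025-04-19 so the result is
# deterministic: the CA row (valid until 2025-04-18) is flagged, the client
# certificate (valid until 2035-04-15) is not.
printf '%s\n' "$SAMPLE_SHOWCAS" | flag_expired 2025-04-19 || echo "-> CA has expired"
printf '%s\n' "$SAMPLE_CLIENTS" | flag_expired 2025-04-19 && echo "-> client certificate still valid"
```

Pass an explicit date as the first argument to ask "what will have expired by then", which is handy for catching a CA that runs out next week rather than today.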
Option 3: Check expiration using sqlite3
You can also use sqlite3 commands to check the certificates.
- Connect to the console and get root privileges.
- Check the OpenVPN CA certificate expiration:
sqlite3 /usr/local/openvpn_as/etc/db/certs.db "select cert from certificates where common_name='OpenVPN CA';"|openssl x509 -text -noout
- Below is an example of the output:
root@openvpnas:~# sqlite3 /usr/local/openvpn_as/etc/db/certs.db "select cert from certificates where common_name='OpenVPN CA';"|openssl x509 -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1744905062 (0x68012366)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = OpenVPN CA
Validity
Not Before: Apr 14 15:51:02 2015 GMT
Not After : Apr 18 15:51:02 2025 GMT
Subject: CN = OpenVPN CA
- Check the OpenVPN server certificate expiration:
sqlite3 /usr/local/openvpn_as/etc/db/certs.db "select cert from certificates where common_name='OpenVPN Server';"|openssl x509 -text -noout
- Check the VPN client certificate expiration:
sqlite3 /usr/local/openvpn_as/etc/db/certs.db "select cert from certificates where username='brandonopenvpn';"|openssl x509 -text -noout
- Replace brandonopenvpn with the username of the affected VPN user. If that user has more than one certificate, the query returns several PEM blocks and openssl x509 decodes only the first one, so narrow the WHERE clause until a single row is returned.
- For a quick yes/no instead of the full dump, replace -text -noout with -noout -enddate -checkend 0: openssl then prints the notAfter date and exits non-zero if the certificate has already expired.
Option 4: Check expirations using MySQL (for external MySQL setups)
If you use an external MySQL database to store the Access Server configuration (for example in a cluster setup), you can run the following MySQL commands from the Access Server CLI:
- Connect to the console and get root privileges.
- Run this command to see the OpenVPN CA Certificate expiration:
mysql -h openvpn.example.com -u openvpn_user -P 3306 -p as_certs -B --skip-column-names -e 'select cert from certificates where common_name = "OpenVPN CA";' | sed 's/\\n/\n/g' |openssl x509 -text -noout
- Below is an example of the output:
root@openvpnas:~# mysql -h openvpn.example.com -u openvpn_user -P 3306 -p as_certs -B --skip-column-names -e 'select cert from certificates where common_name = "OpenVPN CA";' | sed 's/\\n/\n/g' |openssl x509 -text -noout
Enter password:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1744905062 (0x68012366)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = OpenVPN CA
Validity
Not Before: Apr 14 15:51:02 2015 GMT
Not After : Apr 18 15:51:02 2025 GMT
Subject: CN = OpenVPN CA
- Run this command to see the OpenVPN server certificate expiration:
mysql -h openvpn.example.com -u openvpn_user -P 3306 -p as_certs -B --skip-column-names -e 'select cert from certificates where common_name = "OpenVPN Server";' | sed 's/\\n/\n/g' |openssl x509 -text -noout
- Run this command to see the VPN client certificate expiration:
mysql -h openvpn.example.com -u openvpn_user -P 3306 -p as_certs -B --skip-column-names -e 'select cert from certificates where username = "brandonopenvpn";' | sed 's/\\n/\n/g' |openssl x509 -text -noout
- Replace:
- openvpn.example.com with the hostname or IP address of your MySQL server.
- openvpn_user with the MySQL username (-p without a value prompts for the password).
- 3306 with the MySQL port.
- brandonopenvpn with the username of the affected VPN user.
Option 5: Check inside the connection profile (.ovpn file)
If you have the affected user's connection profile (.ovpn file), you can read the OpenVPN CA and VPN client certificates from it. The profile doesn't contain the OpenVPN server certificate; check that one on the server with the options above.
- Open the user's connection profile (.ovpn file) in a text editor.
- Copy everything between <ca> and </ca>, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. This is the OpenVPN CA certificate.
- Decode it with a certificate decoder: paste it into the decoder's Paste Certificate Text box, or save it to a file and run openssl x509 -noout -dates -in that-file locally.
- The decoder shows the OpenVPN CA certificate's expiration under Certificate Information.
- Copy everything between <cert> and </cert>, again including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. This is the VPN client certificate.
- Decode it the same way to see the VPN client certificate's expiration.
- Never paste the <key> block (the client's private key) or any other key material from the profile into a web-based tool. Only the two certificate blocks are needed, and they contain no secrets.
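To do the same check without a web decoder, and without the private key ever leaving the machine, the script below is an added example (not part of the article or of Access Server) that pulls the <ca> and <cert> blocks out of a profile and hands each to openssl. It assumes an inline profile with the tags on their own lines, as Access Server writes them. The demo profile it builds is constructed: it uses one freshly generated self-signed test certificate for both blocks (a real profile carries two different certificates), and exists only so the example can run offline.

```shell
#!/bin/sh
# Added example: report the expiry of the certificates embedded in a .ovpn
# profile. Usage: profile_cert_status /path/to/profile.ovpn [seconds]
# Exit status 0 = both certificates valid for at least [seconds] (default 0),
# 1 = at least one has expired (or will within [seconds]), 2 = not parseable.

# Print the PEM block between <tag> and </tag> of an inline .ovpn profile.
extract_block() {
  awk -v tag="$1" '
    $0 == "<" tag ">"  { inside = 1; next }
    $0 == "</" tag ">" { inside = 0 }
    inside             { print }
  ' "$2"
}

# One certificate: print "tag: subject=... notAfter=..." and return its status.
cert_status() {
  tag=$1 file=$2 horizon=${3:-0}
  pem=$(extract_block "$tag" "$file")
  [ -n "$pem" ] || { echo "$tag: no <$tag> block in $file" >&2; return 2; }
  info=$(printf '%s\n' "$pem" | openssl x509 -noout -subject -enddate) || return 2
  echo "$tag: $(printf '%s' "$info" | tr '\n' ' ')"
  # -checkend N exits non-zero if the certificate expires within N seconds;
  # with N=0 that means "already expired".
  printf '%s\n' "$pem" | openssl x509 -noout -checkend "$horizon" >/dev/null
}

# Both certificates a profile carries; the server certificate is not in the
# profile and must be checked on the server.
profile_cert_status() {
  rc=0
  for tag in ca cert; do
    cert_status "$tag" "$1" "${2:-0}" || rc=1
  done
  return $rc
}

# Constructed demo profile: a one-day self-signed test certificate stands in
# for both the CA and the client certificate. Prints the profile path.
make_demo_profile() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days "${1:-1}" -subj '/CN=OpenVPN CA' \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 1
  {
    echo 'client'
    echo '<ca>';   cat "$dir/cert.pem"; echo '</ca>'
    echo '<cert>'; cat "$dir/cert.pem"; echo '</cert>'
    echo '<key>';  cat "$dir/key.pem";  echo '</key>'   # never leaves the box
  } > "$dir/profile.ovpn"
  echo "$dir/profile.ovpn"
}

if [ -n "${1:-}" ]; then
  profile_cert_status "$1"
elif command -v openssl >/dev/null 2>&1; then
  demo=$(make_demo_profile 1)
  profile_cert_status "$demo" && echo "-> valid today"
  profile_cert_status "$demo" 172800 >/dev/null || echo "-> expires within 2 days"
fi
```

Run it with the user's profile as the first argument. The optional second argument is a look-ahead in seconds (172800 is two days), which turns the same script into an early warning before the client starts failing with "certificate verify failed".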
For Access Server versions older than 2.9.0
Important: Access Server versions older than 2.9.0 don't have the sacli ShowCAs and sacli ListClientsDetail commands, and there is no way to generate a new OpenVPN CA from the Admin Web UI.
Option 1: Check expiration using sqlite3
If you're the Access Server admin and you have command-line interface (CLI) access, you can run the following commands:
- Connect to the console and get root privileges.
- Switch to the scripts directory:
cd /usr/local/openvpn_as/scripts/
- Check the OpenVPN CA certificate expiration:
sqlite3 /usr/local/openvpn_as/etc/db/certs.db "select cert from certificates where common_name='OpenVPN CA';"|openssl x509 -text -noout
- Below is an example of the output:
root@openvpnas:~# sqlite3 /usr/local/openvpn_as/etc/db/certs.db "select cert from certificates where common_name='OpenVPN CA';"|openssl x509 -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1744905062 (0x68012366)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = OpenVPN CA
Validity
Not Before: Apr 14 15:51:02 2015 GMT
Not After : Apr 18 15:51:02 2025 GMT
Subject: CN = OpenVPN CA
- Run this command to see the OpenVPN Server Certificate expiration:
sqlite3 /usr/local/openvpn_as/etc/db/certs.db "select cert from certificates where common_name='OpenVPN Server';"|openssl x509 -text -noout
- Run this command to see the VPN Client Certificate expiration:
sqlite3 /usr/local/openvpn_as/etc/db/certs.db "select cert from certificates where username='brandonopenvpn';"|openssl x509 -text -noout
- Replace brandonopenvpn with the username of the affected VPN user. If that user has more than one certificate, openssl x509 decodes only the first PEM block returned, so narrow the WHERE clause until a single row is returned.
Option 2: Check expiration using MySQL (for external MySQL setups)
Same steps and commands as for newer versions (see the earlier section).
Option 3: Check inside the connection profile (.ovpn file)
Same steps as for newer versions (see the earlier section).
Solution
Once you identify the expired certificate, take the appropriate action:
If the OpenVPN CA certificate has expired:
Option A: Upgrade Access Server to 2.9.0 or later.
- Upgrade Access Server.
- A new OpenVPN CA certificate is automatically generated.
- Download new connection profiles (.ovpn files) for affected users.
- Test the VPN connection.
Option B: Generate a new CA certificate on Access Server 2.9.0 or newer.
- Sign in to the Admin Web UI.
- Click Configuration > CA Management > Create New CA.
- A new OpenVPN CA certificate is created.
- Download new connection profiles (.ovpn files) for affected users.
- Test the VPN connection.
Option C: Migrate to a new instance.
If you can't upgrade to Access Server 2.9.0 or later (for example because the server runs an operating system that newer releases no longer support, such as Ubuntu 14.04 LTS or Ubuntu 16.04 LTS), follow the steps below:
- Migrate to a new instance by following this tutorial: How to Migrate an Access Server Installation.
- Important: If you use a separate MySQL server, please create a server backup. The tutorial is for servers using the default sqlite3 database files.
- Download new connection profiles (.ovpn files) for affected users.
- Test the VPN connection.
Option D: Wipe the certificates database.
- Connect to the console and get root privileges.
- Switch to the scripts directory:
cd /usr/local/openvpn_as/scripts/
- Take a backup of your current Access Server configuration. You can follow this guide for this: Access Server Backup.
- Important: If you use a separate MySQL server, please create a server backup. The above step is for servers using the default sqlite3 database files.
- Wipe the certificates database and re-create the certificates with the following command:
./sa Init
- Download new connection profiles (.ovpn files) for all users. Wiping the database replaces every client certificate, so every existing profile stops working.
- Test the VPN connection.
If the VPN client certificate has expired:
- Generate a new VPN client certificate by downloading a new connection profile (.ovpn file) for the user, and have the user replace the old profile with it.
- Test the VPN connection.
If you have additional questions, please submit a ticket.