Ssl – unable to connect to openvpn unexpected error: untrusted_cert from Windows Server 2008 but ok from Windows 7

openvpn ssl windows-server-2008

OpenVPN AS (openvpn.net) set up in form of a virtual appliance for VMware ESXi. Setup worked fine. Using a self-signed cert. OpenVPN server is listening to a publicly routed IP. I am able to access the OpenVPN server and make the connection to the VPN from a remote Windows 7 SP1 64-bit machine just fine, using the OpenVPN 1.7.2 client.

Running the same client on Windows Server 2008 SP1 64-bit I can bring up the OpenVPN login screen but I am unable to actually make the connection to the VPN. The error message is:

Unexpected error: untrusted_cert
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN

According to the docs the more in-depth explanation for this error is:

A self-signed certificate exists in the certificate chain. The certificate chain could be built up using the untrusted certificates, but the root CA could not be found locally.

In desperation I exported the self-signed cert from Firefox on the Server 2008 machine and added it to MMC -> Certificates -> Trusted Root Certification Authorities -> Certificates. I read elsewhere that folks were able to fix similar (but not identical!) errors this way. It did not work.

The biggest problem is that I don't understand the error message. What is the root CA of an unsigned cert and where/how do I add it? I assume this would fix my problem?

Thanks in advance for your time and consideration.

Best Answer

The server likely has stricter settings regarding checking certificates' validity.

If you double-click on the certificate.crt file, it should open up in a window titled Certificate, with 3 tabs. Click on the 3rd tab, Certification Path. Hopefully, there's more than one certificate listed there in the Certification path. If not, let us know.

If there are at least 2, then click on the uppermost cert, then click on the View Certificate button. This is viewing the root CA's cert. Click on the Details tab, then Copy to File. Click Next, then you can leave it as the default format of DER encoded. Finish that off, it should be self-explanatory. Then double click that file and install the cert, allow it to auto select the certificate store, and Finish.

Close all instances of IE and try again. Hopefully that will help. Let us know if not.

Regarding your last question: When it says "unsigned cert", it really means that it's not signed by a trusted CA. It depends where/how you generated the certificate. Some systems have a system certificate, and this would have likely been used. Otherwise, some certs truly are "self-signed", where there isn't a root CA. This could be the case here, but you'll find that out from the above.
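The manual steps in the answer above (open the certificate, read the Certification Path, export the topmost cert, install it into Trusted Root Certification Authorities) can be scripted. The script below is an added example, not code from the question or the answer: it builds the chain for a given certificate file with the .NET X509 classes (so it runs on the PowerShell 2.0 that ships for Windows Server 2008, with no PKI module needed), prints the chain status flags Windows reports, and, only when `-Install` is given, adds the self-signed top of the chain to `LocalMachine\Root`. The `-CertPath` parameter and the file name `certificate.crt` are assumptions; the store name `Root` and location `LocalMachine` are the standard names for the machine's Trusted Root Certification Authorities store.

```powershell
# Added example: diagnose an "untrusted root" chain for an OpenVPN server
# certificate and optionally install the root into LocalMachine\Root.
# Uses only .NET X509 classes so it works on PowerShell 2.0 (Server 2008).
# Run from an elevated prompt when using -Install.
param(
    [Parameter(Mandatory = $true)]
    [string]$CertPath,      # assumed path, e.g. C:\openvpn\certificate.crt
    [switch]$Install        # without this switch the script only reports
)

$x509 = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object "$x509.X509Certificate2" $CertPath

# Build the chain exactly as the Certification Path tab does. Revocation
# checking is skipped so an offline server does not mask the trust problem.
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($cert)

Write-Host "Subject : $($cert.Subject)"
Write-Host "Issuer  : $($cert.Issuer)"
Write-Host "Chain OK: $built"
foreach ($status in $chain.ChainStatus) {
    # UntrustedRoot here corresponds to OpenSSL's
    # X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: the path ends in a root that is
    # not in the Trusted Root store. PartialChain means no root was found at all.
    Write-Host ("  status: {0} - {1}" -f $status.Status, $status.StatusInformation.Trim())
}

Write-Host "Certification path (leaf first):"
for ($i = 0; $i -lt $chain.ChainElements.Count; $i++) {
    Write-Host ("  [{0}] {1}" -f $i, $chain.ChainElements[$i].Certificate.Subject)
}

# The last element is the top of the path: the root CA if one was found,
# otherwise the cert itself when it is truly self-signed.
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$isSelfSigned = ($top.Subject -eq $top.Issuer)
$untrustedRoot = $chain.ChainStatus |
    Where-Object { $_.Status -eq [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::UntrustedRoot }

if ($isSelfSigned -and $untrustedRoot) {
    Write-Host "Top of the path is self-signed and not trusted by this machine: $($top.Subject)"
    if ($Install) {
        # Equivalent of importing the exported root via the Certificate Import Wizard
        # into Trusted Root Certification Authorities for the whole machine.
        $store = New-Object "$x509.X509Store" ('Root', [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)
        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
        $store.Add($top)
        $store.Close()
        Write-Host "Installed into LocalMachine\Root. Re-run without -Install to confirm the chain now builds."
    } else {
        Write-Host "Re-run with -Install from an elevated prompt to add it to LocalMachine\Root."
    }
} elseif ($built) {
    Write-Host "Chain builds to a trusted root; the untrusted_cert error is not a missing root on this machine."
}
```

Run it first without `-Install` to see what Windows actually reports for the file (`.\Check-OpenVpnChain.ps1 -CertPath C:\openvpn\certificate.crt`). If the path shows only one element and the status is `UntrustedRoot`, the certificate is genuinely self-signed and that single cert is the root to install; if it shows two or more, the topmost one is the CA the answer tells you to export. Installing into `LocalMachine\Root` rather than `CurrentUser\Root` matters when the OpenVPN client runs as a service, which does not see the interactive user's store.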