Introduction
OpenVPN certificate verify failed means the TLS connection reached the point where OpenVPN could inspect the certificate chain, but trust validation did not succeed. In practice this is usually caused by the wrong CA, an expired or rotated certificate, the wrong certificate purpose, or time drift on one side of the tunnel.
Symptoms
- OpenVPN logs show VERIFY ERROR or certificate verify failed
- The client reaches the server but disconnects before the tunnel forms
- The issue starts after certificate renewal or CA rotation
- Only one client or one environment fails while others still connect
Common Causes
- The client is using the wrong CA file or stale trust bundle
- The server or client certificate expired or rotated without matching config changes
- Extended key usage or certificate purpose no longer matches TLS expectations
- System time drift makes the certificate appear not yet valid or expired
Step-by-Step Fix
1. Read the exact OpenVPN verify error. The verify line usually tells you whether the problem is trust, purpose, expiry, or hostname.
grep -i "verify" /var/log/openvpn.log
2. Check the certificate chain with OpenSSL. Validate the actual CA and end-entity certificates outside OpenVPN first.
openssl verify -CAfile ca.crt client.crt
openssl x509 -in client.crt -text -noout
3. Confirm both sides use the intended CA and cert pair. Certificate rotation often leaves one side pointing to an older CA bundle. If a profile embeds its material inline, look for <ca>, <cert> and <key> blocks instead of file directives.
grep -E "^(ca|cert|key) " client.ovpn
grep -E "^(ca|cert|key) " /etc/openvpn/server.conf
4. Check time and reconnect. If cert trust looks correct, verify system clocks and retry the handshake.
date -u
timedatectl
Prevention
- Rotate OpenVPN certificates and CA bundles with both sides in scope
- Monitor cert expiry and purpose before maintenance windows
- Keep OpenVPN logs retained long enough to compare pre- and post-rotation failures
- Validate the chain with OpenSSL whenever changing trust material
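The following script is an added example, not part of the original article, that automates the first and third steps above and the pre/post-rotation log comparison recommended under Prevention. It classifies OpenVPN verify failures into the four buckets the article names (trust, purpose, expiry, hostname) and lists which trust material a config references, including inline blocks. The log lines and config it ships with are constructed samples; the error strings follow OpenVPN's "VERIFY ERROR: depth=N, error=<OpenSSL reason>: <subject>", "VERIFY X509NAME ERROR" and "VERIFY KU/EKU ERROR" message formats.

```shell
#!/bin/sh
# Added example (not from the original article): triage OpenVPN verify
# failures from a log file and show which trust files a config points at.
# Usage: ./triage.sh [/var/log/openvpn.log] [client.ovpn]
# With no arguments it runs against the constructed samples below.

# classify_verify_line LINE -> prints one of: trust expiry purpose hostname other none
# Patterns are matched against the OpenSSL reason OpenVPN embeds in its VERIFY lines.
classify_verify_line() {
    case "$1" in
        *"VERIFY X509NAME ERROR"*) echo hostname ;;
        *"VERIFY KU ERROR"*|*"VERIFY EKU ERROR"*|*"unsupported certificate purpose"*) echo purpose ;;
        *"certificate has expired"*|*"certificate is not yet valid"*) echo expiry ;;
        *"unable to get local issuer certificate"*|*"unable to get issuer certificate"*|*"self signed certificate"*|*"self-signed certificate"*) echo trust ;;
        *"VERIFY ERROR"*|*"certificate verify failed"*) echo other ;;
        *) echo none ;;
    esac
}

# triage_log FILE -> prints "category count" for every verify failure found,
# so a pre-rotation and a post-rotation log can be compared side by side.
triage_log() {
    grep -i "verify" "$1" | while IFS= read -r line; do
        classify_verify_line "$line"
    done | grep -v '^none$' | sort | uniq -c | awk '{print $2, $1}'
}

# trust_refs CONFIG -> the ca/cert/key file directives or inline <ca>/<cert>/<key>
# blocks a profile or server config actually uses.
trust_refs() {
    grep -E '^(ca|cert|key)[[:space:]]|^<(ca|cert|key)>' "$1"
}

# Constructed sample log: one failure of each kind plus a successful verify.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Tue Jan  1 00:00:01 2030 VERIFY ERROR: depth=1, error=unable to get local issuer certificate: CN=Old VPN CA
Tue Jan  1 00:00:01 2030 OpenSSL: error:0A000086:SSL routines::certificate verify failed
Tue Jan  1 00:00:02 2030 TLS Error: TLS handshake failed
Tue Jan  1 00:05:10 2030 VERIFY ERROR: depth=0, error=certificate has expired: CN=client1
Tue Jan  1 00:07:44 2030 VERIFY X509NAME ERROR: CN=vpn-old.example.internal, must be CN=vpn.example.internal
Tue Jan  1 00:09:00 2030 VERIFY OK: depth=0, CN=client2
EOF

# Constructed sample client profile still pointing at a pre-rotation CA file.
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
client
remote vpn.example.internal 1194
ca /etc/openvpn/ca-2019.crt
cert client.crt
key client.key
remote-cert-tls server
verb 3
EOF
trap 'rm -f "$SAMPLE_LOG" "$SAMPLE_CONF"' EXIT

LOG=${1:-$SAMPLE_LOG}
CONF=${2:-$SAMPLE_CONF}
echo "== verify failures by category in $LOG =="
triage_log "$LOG"
echo "== trust material referenced by $CONF =="
trust_refs "$CONF"
```

Run it once against a log kept from before a CA or certificate rotation and once against the log after it; a category that appears only in the second run points directly at which of the four causes the rotation introduced, and the trust_refs output shows whether the failing side is still reading the old CA file.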