The Client Log Contains "error=unable to get issuer certificate:".
Applicable Client
Windows OpenVPN GUI
Symptom
The client cannot connect to the P2C VPN gateway. The client log contains the following error information:
error=unable to get issuer certificate:
Possible Causes
The certificate chain of server certificates is incomplete. As a result, the client cannot verify the validity of the CA certificates in the configuration file.
Procedure
- Open the client_config.ovpn file using Notepad or Notepad++.
- Check the number of CA certificates in the client configuration file.
- Double-click each CA certificate in the client configuration file, click the Certification Path tab, and check whether the issuers and subjects of the certificates form a complete certificate chain.
- If the issuer and subject of the top-level certificate are the same, the certificate chain is complete, as shown in Figure 1.
- If the issuer and subject of the top-level certificate are different, the certificate chain is incomplete. Perform the following operations to supplement the certificate chain information:
- Create a Notepad file.
- Copy the CA certificate content in client_config.ovpn to the new Notepad file. The format of the certificate content is as follows:
<ca>
-----BEGIN CERTIFICATE-----
CA certificate
-----END CERTIFICATE-----
</ca>
- Save the file and name it ca.crt.
- Export the upper-level certificate of the CA certificate in use.
- Double-click the CA certificate, click the Certification Path tab, and view the upper-level certificate of the CA certificate.
- Select the upper-level certificate, and click View Certificate. A new window containing the upper-level certificate is displayed.
- Click the Details tab, and click Copy to File.
- Click Next.
- Select Base-64 encoded and click Next.
- Enter a file name, for example, root-ca.cer.
- Click Next and then Finish.
If the configuration file contains two CA certificates, export the upper-level certificates of the two CA certificates.
- Copy the content of the upper-level certificate root-ca.cer to the client configuration file.
- Open the root-ca.cer and client_config.ovpn files using Notepad or Notepad++.
- Copy the content of the upper-level certificate below the existing CA certificate in the client_config.ovpn file.
The format of the certificate content is as follows:
-----BEGIN CERTIFICATE-----
Existing CA certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Upper-level CA certificate
-----END CERTIFICATE-----
- Save the .ovpn configuration file.
- Start the OpenVPN client.
- Import the new client configuration file.
- Use the client to reconnect to the VPN gateway.
- Press Win+R and enter cmd to open the command window.
- Run the following command to verify the connectivity: ping XX.XX.XX.XX
XX.XX.XX.XX indicates the private IP address of the ECS to be connected. Replace it with the actual private IP address.
If information similar to the following is displayed, the client can communicate with the ECS:
64 bytes from XX.XX.XX.XX: icmp_seq=1 ttl=63 time=1.27 ms
64 bytes from XX.XX.XX.XX: icmp_seq=2 ttl=63 time=1.36 ms
64 bytes from XX.XX.XX.XX: icmp_seq=3 ttl=63 time=1.40 ms
64 bytes from XX.XX.XX.XX: icmp_seq=4 ttl=63 time=1.29 ms
64 bytes from XX.XX.XX.XX: icmp_seq=5 ttl=63 time=1.35 ms
64 bytes from XX.XX.XX.XX: icmp_seq=6 ttl=63 time=1.52 ms
If the problem persists, submit a service ticket to contact Huawei technical support.
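The issuer and subject check from the procedure above can also be scripted instead of opening each certificate by hand. The following PowerShell script is an added example, not part of the original page or of Huawei's or OpenVPN's tooling; it assumes the profile is saved as client_config.ovpn in the current directory and that PowerShell 5.1 or later is available.

```powershell
# Added example (not Huawei or OpenVPN code). Checks name chaining only
# (issuer vs. subject), as the manual procedure does; it does not verify signatures.
param([string]$Path = '.\client_config.ovpn')   # assumed profile location

# Byte-exact key for an X.500 name, so comparison does not depend on display formatting.
function Get-NameKey($name) { [BitConverter]::ToString($name.RawData) }

$text = Get-Content -Raw -Path $Path
$ca = [regex]::Match($text, '(?s)<ca>(.*?)</ca>')
if (-not $ca.Success) { throw "No <ca> block found in $Path" }

# Decode every PEM certificate inside the <ca> block.
$pem = '(?s)-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----'
$certs = @(foreach ($m in [regex]::Matches($ca.Groups[1].Value, $pem)) {
    $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
})
if ($certs.Count -eq 0) { throw "The <ca> block contains no certificates" }

$subjects = @($certs | ForEach-Object { Get-NameKey $_.SubjectName })

# Classify each certificate by where its issuer can be found.
$report = foreach ($c in $certs) {
    $iss = Get-NameKey $c.IssuerName
    if ($iss -eq (Get-NameKey $c.SubjectName)) { $status = 'self-signed (top of chain)' }
    elseif ($subjects -contains $iss)          { $status = 'issuer is in <ca> block' }
    else                                       { $status = 'ISSUER MISSING' }
    [pscustomobject]@{ Subject = $c.Subject; Issuer = $c.Issuer; Status = $status }
}
$report | Format-List

if ($report.Status -contains 'ISSUER MISSING') {
    Write-Warning 'Chain incomplete: append the upper-level certificate to the <ca> block.'
} else {
    Write-Host 'No missing issuers: the chain in the <ca> block is complete.'
}
```

A certificate reported as ISSUER MISSING is the one whose upper-level certificate must be exported and appended as described in the procedure.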