Hello,
It seems I have a problem with the server certificate, but there is no information about how to renew it. I don’t have a domain; clients connect to the IP. Server log: WARNING: Your certificate has expired!
I accidentally found out that the certificate is issued for 10 years with no option to renew. By the time I discovered this, I had already spent 4 hours of downtime. I’d really like to see this information in the documentation - especially since I’m a paid subscriber.
This was improved in v1.32.4400.99 which will show a warning in the web console when this is occurring. It will require deleting the organization and creating a new one.
I’m also seeing this warning, and my users can’t connect to the VPN. Am I understanding correctly that the only option is to delete the existing organization and users and recreate new users in a new organization, and have my users set up new VPN client configs for their new user accounts?
Yes, that is currently the only option; an option to renew it will be added in the future.
I have developed a solution to this issue to renew an organization CA certificate and all user certificates with minimal disruption. A command pritunl renew-org <org_id> will be added to the next release that will renew the organization CA certificate, then iterate through all users and renew each user certificate. This could take several minutes for large organizations, so it will only be available as a command to avoid disrupting the process before it completes.
Currently the client configuration sync will only accept an updated CA certificate not a user certificate. An updated client release will be made available to sync the user certificate using configuration sync. Users that have an old user certificate should be able to continue to connect assuming it is not expired. An expired user certificate is less likely as these were likely created later on.
Could you tell me which versions this affects?
This doesn’t affect any specific version. Originally, organizations were created with CA certificates that had a 10 year expiration. Pritunl was released just over 10 years ago. As these old installations start hitting the 10 year expiration, the error will occur. The current version creates CA certificates with a 30 year expiration.
Pritunl client sync for the CA and client cert means a PKI server could push the organization CA with the API? Or Pritunl could ask the PKI server for a renewed intermediate CA before it expires? Issue client certs with the newer intermediate CA instead of the old one and sync to the Pritunl client after disconnect and re-auth? Just asking.
But for this we should be able to set the validity period of the client cert too, for this to make sense. The VPN server will need to rotate its new certificate too at some point.
The next release will have the option sudo pritunl set user.cert_expire_days 10000 to adjust the certificate expiration.
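Since the thread explains that older organizations were created with a 10 year CA and that the only symptom was a warning in the server log, an administrator would want to check the CA's remaining lifetime before it bites. The script below is an added example, not Pritunl's own code: it pulls the inline `<ca>` block out of an exported .ovpn profile and uses `openssl x509 -checkend` to flag a CA that expires within a chosen window. It assumes the openssl CLI is installed; the profile and CA it builds are constructed test fixtures.

```shell
#!/bin/sh
# Added example (not from the thread): report how long the organization CA
# embedded in a Pritunl-exported .ovpn profile has left before it expires.
# Assumes the profile carries the CA inline as <ca>...</ca>, as OpenVPN
# profiles do, and that the openssl CLI is installed.
set -eu

# Print the PEM block between <ca> and </ca> in an .ovpn profile.
extract_ca() {
    awk '/^<ca>/{f=1;next} /^<\/ca>/{f=0} f' "$1"
}

# Return 0 if the profile's CA expires within $2 days (or is already
# expired), 1 otherwise. openssl's -checkend takes a window in seconds.
ca_expires_within() {
    secs=$(( $2 * 86400 ))
    if extract_ca "$1" | openssl x509 -noout -checkend "$secs" >/dev/null; then
        return 1    # still valid beyond the window
    else
        return 0    # expiring (or expired) inside the window
    fi
}

# Admin-readable report: CA subject and notAfter date.
ca_report() {
    extract_ca "$1" | openssl x509 -noout -subject -enddate
}

# --- Constructed fixture: a throwaway CA valid for 30 days, wrapped in a
# --- minimal profile. A real Pritunl profile would carry the org CA here;
# --- 192.0.2.10 is a documentation (TEST-NET-2) address, not a real server.
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=constructed-test-org-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
PROFILE="$WORK/test.ovpn"
{
    printf 'client\nremote 192.0.2.10 1194 udp\n<ca>\n'
    cat "$WORK/ca.crt"
    printf '</ca>\n'
} > "$PROFILE"

ca_report "$PROFILE"
if ca_expires_within "$PROFILE" 60; then
    echo "WARNING: organization CA expires within 60 days; plan the renewal now"
fi
```

Run it against a profile exported from the affected organization instead of the fixture to get the real notAfter date; the same check also works on the server's own certificate file.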