ExpressVPN CA Certificate Expiration
-
Is anyone using expressVPN and also getting a warning that their CA certificate is expiring (April 1, 2026)
I have tried importing the new certificate (ExpressVPN CA3) from a newly downloaded ovpn file and using it in my openvpn settings, but I keep getting a TLS error when I try to use it.
I have asked expressVPN and they say that it may be the software on the router that is too old. I am using a CE version 2.8.1.
Can anyone confirm this?
-
@greven said in ExpressVPN CA Certificate Expiration:
Is anyone using expressVPN and also getting a warning that their CA certificate is expiring (April 1, 2026)
I have tried importing the new certificate (ExpressVPN CA3) from a newly downloaded ovpn file and using it in my openvpn settings, but I keep getting a TLS error when I try to use it.
I have asked expressVPN and they say that it may be the software on the router that is too old. I am using a CE version 2.8.1.
Can anyone confirm this?
Your software is not too old. You are doing something wrong. Assuming the certificate is the correct one, just create a new CA entry for the new certificate and select the new instance under your OpenVPN settings.
-
I have done that too, but when I select it under Peer Certificate Authority and restart the Client Instance I end up with a TLS error.
Here is the log as of now:
2026-03-14 11:35:01.968876+01:00 openvpn 18449 Restart pause, 10 second(s)
2026-03-14 11:35:01.968822+01:00 openvpn 18449 SIGUSR1[soft,tls-error] received, process restarting
2026-03-14 11:35:01.968410+01:00 openvpn 18449 TLS Error: TLS handshake failed
2026-03-14 11:35:01.968390+01:00 openvpn 18449 TLS Error: TLS object -> incoming plaintext read error
2026-03-14 11:35:01.968350+01:00 openvpn 18449 TLS_ERROR: BIO read tls_read_plaintext error
2026-03-14 11:35:01.968328+01:00 openvpn 18449 OpenSSL: error:0A000086:SSL routines::certificate verify failed:
2026-03-14 11:35:01.968287+01:00 openvpn 18449 Sent fatal SSL alert: unknown CA
2026-03-14 11:35:01.968219+01:00 openvpn 18449 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-11807-3a, emailAddress=support@expressvpn.com, serial=1032137
-
Logs clearly show that the certificate is incorrect. Are you sure you are pasting the new certificate data under the correct section in pfSense? I ask this because I make this mistake every time I renew my certs. I always mix up the Authorities and Certificates sections under System / Certificates.
-
@greven said in ExpressVPN CA Certificate Expiration:
Can anyone confirm this?
I'm not using the VPN client to Express right now, but I saw the "April 1 2026" message.
I obtained a new ovpn file (I picked a destination at random: my_expressvpn_netherlands_-_amsterdam_udp.ovpn) and opened the file to obtain the 'ca' info.
There are 2 (!) certs in the <ca> part, the first one being the one that ends on 01/04/2026, so I tried the second one also:
Now I have:
Continue setting up the cert info using the one that says "ExpressVPN CA3"?!
-
Yes, older versions of the ExpressVPN app will stop working after March 31, 2026, due to expiring security certificates. You can download the latest app here: https://www.expressvpn.com/latest.
If your device supports the latest app, updating it will restore access and keep your connection secure. If it isn't supported, you can use a supported device or request further assistance here. For more details, see our blog post "Essential security update: Keep your ExpressVPN app current": https://www.expressvpn.com/blog/update-expressvpn-to-stay-connected/
I migrated to a different manual cert for now, via Tampa, but a new cert will not be issued until after March 31. Hopefully, closer to April 1.
Users are encouraged to use the GUI app on Linux if available, and other Aircove / Netgate routers will update soon.
Computers and mobile devices need to update the app itself.
-
@greven you're not using DCO?
-
Sorry, but I'm running into the Spam restriction...
I am using the ovpn file from Denmark, and I have imported the last part (CA3) from the file, but when I go in and select the new certificate under Peer Certificate Authority, the TLS error comes up.
What surprises me is that when I import the Client Certificate from the new ovpn file, it's the same as the old one.
I expected there to be "new" since it should be known/trusted by the new CA certificate?
FYI, I'm following this guide:
https://www.expressvpn.com/support/vpn-setup/pfsense-with-expressvpn-openvpn/
If I switch back to the old CA it all works, except that the CA is about to expire.
I just tried Proton, And it's working, so I'm switching.
I appreciate the help.
-
Ok, had the same issue on my side.
Putting it here for LLM consumption/ or any other people facing this.
It seems the CA is expiring on April 1st, and clients are already breaking.
I checked the official docs on it. Seems there was no announcement, no email. Nothing.
It seems they are now serving the two CAs in the bundle.
You need to copy the second CA, called ExpressVPN CA3.
Just the second CA key.
To ExpressVPN: not cool at all.
Paying customers need communication on this. At least a blog post, an email or something to give a heads up. I guess in a couple of days many manual clients will break.
-
@jbolivar0007 said in ExpressVPN CA Certificate Expiration:
To ExpressVPN. Not cool at all.
paying customers need communication on this. At least, blog post/ an email or something to give a heads up. Guess in a couple of days many manual clients will break.
They don't care.
-
Been getting the same warning for a few days now, and the new CA3 wasn't working.
Just tried again with the new CA3 and it's working now. ExpressVPN must have done something on their end to fix it.
-
@tuplas - I found out last night about the TLS errors as both tunnels died.
Been at it for about 5 hours and it still fails with TLS errors. Chatted to their support and they kept asking what device I was running the app on. Tried over and over to explain it's not a device, but an Intel NUC running pfSense. In the end I sent through a heap of screenshots of the error messages and cert expiry and they said they'd let the techs know.
For now, still broken. Might be time to move to another provider.
-
You've read the thread?
Added to that, you're a pfSense admin, so you've already installed the VPN once.
What about changing the thing that has a start and end date: the certificate that is the subject of this thread?
Not to defend ExpressVPN, but they support their app, as it is easy to design, set up and control. Your job starts with "install it once" (on your phone) and from then on you can forget the management part, as it will update automagically.
I'm not sure, but there is no support for all the different routers out there (probably thousands of types and versions) that can run the open source (known as self-supported!) OpenVPN package.
@otta said in ExpressVPN CA Certificate Expiration:
Might be time to move to another provider..
While picking a new one, check this out: the situation will be the same. The new one also uses certificates. So ......

-
@Gertjan thanks for the info.
Yes, I have tried CA3, the old cert, re-imported. All to no avail. It was working up until a day ago. As per the title, TLS errors.
Sadly, the client won't help as I have multiple devices, wired & wireless VLANs and concurrent VPN tunnels.
-
I didn't have my OpenVPN client created, as I rarely need it.
I do have an Express VPN account.
So, against the clock: "set up a working OpenVPN client for Express VPN - can it be done in under 5 minutes"?
I took these guidelines as an example. First, your Express account gives you this info:

You'll be needing the ID, password, and an ovpn file; I selected "Paris" (green). Open this file. In the ovpn file you find two CAs; I imported both (under Authorities):

named them "CA ExpressVPN 1" and "ExpressVPN 2".
Under Certificates I imported the certificate:

This certificate has two sections; you find them both in the ovpn file:

Now, the certs are done.
Create an OpenVPN client :

Note : info has been copied from the ovpn file here.

Note : info has been copied from the ovpn file here.
Notably : the TLS-key.
Note : I select the newer "2" cert - so I didn't use the older (soon to be expired) "1" CA.

Note : none - just make identical.

Note : none - just make identical.

Note : I used this, as I removed entries already present in the config (see below).
remote-random; comp-lzo no; verify-x509-name Server name-prefix; key-direction 1; route-method exe; route-delay 2; tun-mtu 1500; fragment 1450; mssfix 1450; sndbuf 524288; rcvbuf 524288;
Btw : some of these are probably not needed ...

And I saved.
Note : Important : you've just created an ovpn file for the pfSense OpenVPN-Client with the GUI.
I strongly advise you to have a look : here : /var/etc/openvpn/client1/config.ovpn (or here /var/etc/openvpn/client2/config.ovpn)
That's why I removed some of the entries of the custom config, I found identical entries.
And of course - for those who like images :

and the most important part ( for those who like the details ) :
Read from bottom to top :

So start reading where it says:
OpenVPN 2.6.16 amd64-portbld-freebsd16.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] [DCO]
That's where the OpenVPN client executable starts. Then go upwards.
Your mission, as an admin:
No ERROR lines.
No or very few WARNING messages.
As soon as you see (first image, at the top):

then you know the connection is ok.
Remember : your connection is as good as what your ISP (and other operators, up until the Express VPN servers) offer you.
My OpenVPN client is now connected.
Took me 6 minutes because I was disturbed - I have to actually do things related to 'work' once in a while.
As I haven't set up any routing, the connection is totally useless for now; no traffic goes through it.
The setup continues with the routing part. But, IMHO, that has nothing to do with "TLS errors".
Btw, I didn't see any TLS errors. I don't know what I did right, except reading and copying the now rather old "guidelines" as shown above, not what I did wrong. Typos or syntax errors or 'skipping' or 'forgetting' things are of course not allowed here.
Bonus :
When you see this :
That is the dashboard GUI that connects to the OpenVPN client process, and asks for the status of the connection, so it can show you this image :

edit : a conclusion : I used the new CA certificate and it works just fine. I might as well ditch the old one now.
-
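An added example, not taken from any post in this thread, that does on the command line what the posts above describe by hand: it splits the two certificates out of an .ovpn <ca> block, checks which of them is still valid, and checks which one actually issued a server certificate (the wrong CA produces the same "unable to get local issuer certificate" VERIFY ERROR as the pfSense log earlier in the thread). Every certificate and the .ovpn profile are throw-away test material constructed inside the script, not ExpressVPN's; it assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example: every cert and the .ovpn profile below are constructed throw-away
# test material, not ExpressVPN's. Needs the openssl CLI.
set -e
WORK=$(mktemp -d)
# Two test CAs: "old-ca" expires tomorrow, "new-ca" is valid for ten years.
mk_ca() {  # $1 = name, $2 = validity in days
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/O=TestVPN/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}
mk_ca old-ca 1
mk_ca new-ca 3650

# A test server certificate issued by new-ca only (a rolled-over endpoint).
openssl req -newkey rsa:2048 -nodes -subj "/O=TestVPN/CN=Server-test" \
  -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/new-ca.crt" -CAkey "$WORK/new-ca.key" \
  -CAcreateserial -days 30 -out "$WORK/srv.crt" 2>/dev/null

# Constructed .ovpn profile with both CAs in one <ca> block, like the new profiles.
{ echo client; echo "remote vpn.example.invalid 1195"; echo "<ca>"
  cat "$WORK/old-ca.crt" "$WORK/new-ca.crt"; echo "</ca>"; } > "$WORK/test.ovpn"

# split_ca OVPN DIR: write each cert inside <ca> to DIR/ca-N.pem; print the count.
split_ca() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /^<ca>/   { inca = 1; next }
    /^<\/ca>/ { inca = 0 }
    inca && /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/ca-" n ".pem" }
    inca && out != ""                     { print > out }
    inca && /-----END CERTIFICATE-----/   { close(out); out = "" }
    END { print n + 0 }' "$1"
}

# still_valid PEM DAYS: succeeds only if the cert outlives the next DAYS days.
still_valid() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# issued_by CA_PEM SERVER_PEM: succeeds only if CA_PEM issued SERVER_PEM. The wrong
# CA fails with "unable to get local issuer certificate", as in the pfSense log above.
issued_by() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
# Usage: which CA from the profile does the test server chain to?
split_ca "$WORK/test.ovpn" "$WORK/cas" >/dev/null
for ca in "$WORK"/cas/ca-*.pem; do
  issued_by "$ca" "$WORK/srv.crt" && echo "issuer: $ca" || echo "not issuer: $ca"
done
```

On a real profile, point split_ca at the downloaded .ovpn file and issued_by at the server certificate shown in the log, to see which of the bundled CAs the endpoint you connect to has been rolled over to.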
@Gertjan -

Thank you for your screenshots. I went in and deleted my VPN tunnels and deleted all my Express certs. Rebooted the system and started from scratch.
I followed my settings and copied some of yours, didn't even copy in the old certificate, only the CA3 version, and now it's back working. Yay!!
Even my logs look a lot cleaner as well.
It would also appear that some of the OVPN files' server addresses haven't been fully updated.
The east-london one still fails, but moving to london works fine.
Thank you so much again.
-
@greven I'm on 25.11.1 and I get the same thing.
-
@greven I just got off the phone with ExpressVPN tech support (that was a treat). I told them their servers don't trust my new CA3 root cert and the TLS handshake is failing. They told me that they're still undergoing a migration and assured me that it would be ready after March 31st. I told them that at midnight if it's not ready, there's a lot of VPNs that are going to die. They told me rest assured, it will be resolved by then.
-
@Ed-Dial - 'ain't it a treat
- Took me over 10 mins to explain I wasn't using their application. And as soon as they realised, there was a lot of silence and errs & umms.
It seems that some of the endpoints have been rolled over to the new CA3, and some simply reject the connection. I have a feeling come end of March it's going to be a real sh*t show of errors - unless they prove me wrong. But yeah, at the moment, it's real hit & miss stuff.
-
@otta You're right. I changed my VPN endpoint to London proper and it came right up with the new CA3 root. Apparently they have a lot of upgrading to do with their servers over the next 4 days. This operation sounds like something my outfit would do.