Watchguard SSLVPN and “error=certificate is not yet valid”

If you're having cert problems I feel bad for you son. I got 99 problems, but VPN ain't one.

Recently I upgraded one of my clients to a new Watchguard device, importing and modifying the old config so that I wouldn’t need to rewrite every single rule. A few weeks after installing the new device I heard they were having trouble connecting to SSLVPN. Trying it myself revealed that the VPN client was having trouble with the certs. It was getting an “error=certificate is not yet valid: /O=WatchGuard_Technologies/OU=Fireware/CN=Fireware SSLVPN” error followed by “SSL3_GET_SERVER_CERTIFICATE:certificate verify failed”.
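That first message is OpenSSL’s X509_V_ERR_CERT_NOT_YET_VALID: the verifying side’s clock is earlier than the certificate’s notBefore date, so the check worth doing before touching anything on the Firebox is to pull the cert the client sees and compare its validity window with a clock you trust (and, if the window is in the future, to check the Firebox’s own clock and NTP settings, since a self-signed cert starts at whatever the issuing device thought “now” was). The script below is an added example, not code from the original post or from WatchGuard; it assumes the `openssl` CLI is on PATH and that the SSLVPN listener is on TCP 443 (WatchGuard’s default, which the post does not state). The hostname on the command line is whatever you connect the VPN client to.

```python
"""Check why a TLS endpoint's certificate fails with "certificate is not yet valid".

Added example, not code from the original post or from WatchGuard. It fetches the
certificate the way the VPN client sees it and compares its validity window with the
local clock. Assumptions: the `openssl` CLI is on PATH, and the SSLVPN listener is
on TCP 443 (WatchGuard's default; the post does not state the port).
"""
import re
import ssl
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# Lines emitted by `openssl x509 -noout -dates`, e.g. "notBefore=Jan  1 00:00:00 2030 GMT"
_DATE_LINE = re.compile(r"^(notBefore|notAfter)=(.+?)\s*$", re.MULTILINE)
_OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"


def utc(year, month, day, hour=0, minute=0, second=0):
    """Convenience constructor for timezone-aware UTC datetimes."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_openssl_dates(text):
    """Return (not_before, not_after) as aware UTC datetimes from `openssl x509 -dates` output."""
    found = {}
    for key, value in _DATE_LINE.findall(text):
        # openssl pads single-digit days with two spaces; collapse them before strptime.
        normalised = " ".join(value.split())
        found[key] = datetime.strptime(normalised, _OPENSSL_DATE).replace(tzinfo=timezone.utc)
    missing = {"notBefore", "notAfter"} - set(found)
    if missing:
        raise ValueError(f"openssl output lacks {sorted(missing)}")
    return found["notBefore"], found["notAfter"]


def classify(not_before, not_after, now=None, skew=timedelta(minutes=5)):
    """Compare the validity window with a clock.

    'not yet valid' is exactly the condition OpenSSL reports as
    X509_V_ERR_CERT_NOT_YET_VALID: the verifier's clock is earlier than notBefore.
    A freshly regenerated self-signed cert starts at the issuing device's "now",
    so a client whose clock lags by a few minutes hits the same error; `skew`
    flags windows that narrow so the operator knows to wait or fix a clock.
    """
    now = now or datetime.now(timezone.utc)
    if now < not_before:
        return "not yet valid"
    if now > not_after:
        return "expired"
    if now - not_before < skew or not_after - now < skew:
        return "valid (within clock-skew margin)"
    return "valid"


def fetch_cert_text(host, port=443):
    """Fetch the leaf certificate without verifying it (verification is what fails) and decode it."""
    pem = ssl.get_server_certificate((host, port))
    return subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-issuer", "-dates"],
        input=pem, capture_output=True, text=True, check=True,
    ).stdout


def diagnose(host, port=443):
    """Return a short report for the endpoint at host:port, including the local clock used."""
    text = fetch_cert_text(host, port)
    not_before, not_after = parse_openssl_dates(text)
    now = datetime.now(timezone.utc)
    verdict = classify(not_before, not_after, now)
    return (f"{text.strip()}\nlocal clock (UTC): {now:%Y-%m-%d %H:%M:%S}\n"
            f"verdict: {verdict}")


if __name__ == "__main__":
    # usage: python check_cert_validity.py <firebox-host> [port]
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(diagnose(target, target_port))
```

If the verdict is “not yet valid” while the client’s clock is correct, the certificate itself is the problem and regenerating it is the fix; if the report’s local clock is wrong, no amount of certificate regeneration will help that client. Either way, run it again after any reboot that regenerates certs, because the new notBefore will be the Firebox’s current time and clients a few minutes behind will see the same error until their clocks catch up.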

The problem was that when I imported the config it also brought the old certs over. I thought that would only happen when doing a backup and restore of the old device — obviously I was wrong. Watchguard doesn’t provide a direct way to regenerate the self-signed certs that come with the device, with the exception of the Web Server certificate: go to Policy Manager > Setup > Authentication > Web Server Certificate, create a new custom cert, then switch it back if you want to. Regenerating the other self-signed certs is easy, but requires a reboot.

All you need to do is delete all of the self-signed certs that say “Not Yet Valid” and reboot the Firebox. Upon reboot the Firebox will automatically regenerate those certs. It was a bit of a desperation move on my part — I had no ideas left and my next step was calling Watchguard anyway. I was able to connect to the VPN with no issues after that. Hopefully this post will help those having the same problem find the solution a lot faster than I did.