--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
@@ -66,7 +66,9 @@
     cert_hash_remember(session, X509_STORE_CTX_get_error_depth(ctx), &cert_hash);
 
     /* did peer present cert which was signed by our root cert? */
-    if (!preverify_ok)
+    if (!preverify_ok &&
+        X509_STORE_CTX_get_error(ctx) != X509_V_ERR_CERT_NOT_YET_VALID &&
+        X509_STORE_CTX_get_error(ctx) != X509_V_ERR_CERT_HAS_EXPIRED)
     {
         /* get the X509 name */
         char *subject = x509_get_subject(current_cert, &gc);