I had the same error. Digging around the issue logged:
2024-06-05 09:19:38 OpenSSL: error:068000E9:asn1 encoding routines::utctime is too short:
2024-06-05 09:19:38 OpenSSL: error:0688010A:asn1 encoding routines::nested asn1 error:Field=revocationDate, Type=X509_REVOKED
2024-06-05 09:19:38 OpenSSL: error:0688010A:asn1 encoding routines::nested asn1 error:Field=revoked, Type=X509_CRL_INFO
2024-06-05 09:19:38 OpenSSL: error:0688010A:asn1 encoding routines::nested asn1 error:Field=crl, Type=X509_CRL
OpenSSL v3.3.x will reject invalid dates in the CRL file, and PIA supplies a CRL with invalid dates; I've attached a screenshot showing the CRL parse, and the likely source.
The obvious long term solution would be to request PIA update their CRL with the expected valid dates.
I removed the "crl-verify" directive/command from my ovpn configuration file, and resolved the error. Everything is up and running.
However, I'm unsure if this is a wise course of action, I'll let others such as @binhex weigh in!