The way an invalid certificate fingerprint is saved in the [vpn-secrets] section does not work in some cases. It is unconditionally saved with a key certificate:host:port when the user accepts the invalid certificate. If the address contains square brackets, this will not work well. Besides, tagging the key with the host would be necessary if the same connection were valid for several hosts, which is currently not the case.
So, I propose to change that behavior to save the fingerprint with a different key, and give the user the chance to accept the fingerprint only for the current connection, to accept it forever, and to delete it from the config file.