How do I replace the Client VPN endpoint certificates to resolve a TLS handshake error?


AWS Client VPN shows a TLS handshake error. I want to check the endpoint certificates that are expired, and replace them.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

When the certificates that the Client VPN endpoint uses expire, the TLS handshake between the client and the endpoint fails certificate validation, so no secure session is negotiated and the client can't establish a connection. Client VPN then shows a TLS handshake error.

Identify the endpoint certificates that are expired

Use the AWS Certificate Manager (ACM) console to view your current certificates, and note the ARNs of all expired certificates that the Client VPN endpoint uses: the server certificate and, if you use mutual authentication, the client certificate chain. You need these ARNs to reimport the replacement certificates in place.

Recreate the new certificates

If you still have access to your preexisting public key infrastructure (PKI) environment, then renew your existing certificates with it. Your PKI environment consists of your certificate authority (CA), the server certificate, and the client certificates.

If you don't have access to your preexisting PKI environment, then recreate the certificates. When you recreate certificates, you create a new CA, so the server certificate and every client certificate must be issued from that new CA; client certificates issued by the old CA no longer validate against the endpoint. Files that end in .crt contain the PEM certificate body, .key files contain the matching private key, and ca.crt contains the CA certificate that you import as the certificate chain.

To recreate the certificates, see Enable mutual authentication for AWS Client VPN. For the final step, run the import-certificate AWS CLI command with --certificate-arn set to the ARN of the expired certificate. This reimports the recreated certificate over the existing one, so the Client VPN endpoint keeps referencing the same ARN:

aws acm import-certificate \
--certificate fileb://server.crt \
--private-key fileb://server.key \
--certificate-chain fileb://ca.crt \
--certificate-arn arn:aws:acm:region:123456789012:certificate/12345678-1234-1234-1234-12345678901

After ACM accepts the reimport, modifications to Client VPN endpoints take up to 4 hours to take effect. To apply the change immediately, disassociate the target networks from the Client VPN endpoint and then reassociate them. When you disassociate a target network, every route that you manually added to the Client VPN endpoint's route table is deleted, so record those routes first and recreate them after you reassociate the target networks.

Download the new Client VPN endpoint configuration file

Complete the following steps:

  1. Use the Amazon Virtual Private Cloud (Amazon VPC) console or the AWS CLI to download a new Client VPN endpoint configuration file.
  2. Add the client certificate and the client private key to the .ovpn configuration file that you downloaded, and distribute that file to the client.
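The following script ties the procedure above together: check the status of the certificate ACM holds, verify the recreated files locally before reimporting, reimport over the existing ARN, download the endpoint configuration, and embed the client certificate and key in it as inline <cert> and <key> blocks. It is an added example, not code from the AWS article; it assumes the AWS CLI (with credentials) and openssl are installed, that the easy-rsa output files sit in the directory you pass in, and that the ARN, endpoint ID and file names are placeholders you replace.

```shell
#!/bin/sh
# Added example, not from the AWS article. Assumes the AWS CLI (with
# credentials) and openssl are installed; ARNs, endpoint IDs and paths
# are placeholders.

# Step 1: lifecycle state of the certificate ACM holds. ACM reports
# "EXPIRED" in Certificate.Status once the NotAfter date has passed.
acm_cert_status() {
  aws acm describe-certificate --certificate-arn "$1" \
    --query 'Certificate.Status' --output text
}

# Local sanity checks on the recreated files before touching ACM: the
# server certificate must chain to ca.crt, and must remain valid for at
# least $2 seconds (default 0, i.e. "not already expired").
verify_new_certs() {
  dir="$1"; min_seconds="${2:-0}"
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null &&
  openssl x509 -in "$dir/server.crt" -noout -checkend "$min_seconds" >/dev/null
}

# Step 2: reimport over the existing ARN so the endpoint keeps its reference.
acm_reimport() {
  arn="$1"; dir="$2"
  aws acm import-certificate \
    --certificate "fileb://$dir/server.crt" \
    --private-key "fileb://$dir/server.key" \
    --certificate-chain "fileb://$dir/ca.crt" \
    --certificate-arn "$arn"
}

# Step 3: download the endpoint configuration file (plain .ovpn text).
download_ovpn() {
  aws ec2 export-client-vpn-client-configuration \
    --client-vpn-endpoint-id "$1" --output text > "$2"
}

# Step 4: append the client certificate and key as inline blocks. Only the
# PEM section is copied, because easy-rsa's issued .crt files start with a
# human-readable text dump that has no business in the client config.
inline_client_creds() {
  ovpn="$1"; cert="$2"; key="$3"; out="$4"
  {
    cat "$ovpn"
    printf '\n<cert>\n'
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$cert"
    printf '</cert>\n\n<key>\n'
    sed -n '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/p' "$key"
    printf '</key>\n'
  } > "$out"
}

# Returns 0 if the finished .ovpn carries exactly one <cert> and one <key>
# block and both contain PEM material.
ovpn_inline_ok() {
  for tag in '<cert>' '</cert>' '<key>' '</key>'; do
    [ "$(grep -c -F -e "$tag" "$1")" -eq 1 ] || return 1
  done
  grep -q -F -e '-----BEGIN CERTIFICATE-----' "$1" &&
  grep -q -F -e 'PRIVATE KEY-----' "$1"
}

# Usage (placeholders; adjust to your environment):
#   acm_cert_status "$CERT_ARN"                 # prints EXPIRED for the bad one
#   verify_new_certs ./certs 2592000 && acm_reimport "$CERT_ARN" ./certs
#   download_ovpn cvpn-endpoint-0123456789abcdef0 downloaded.ovpn
#   inline_client_creds downloaded.ovpn ./certs/client1.domain.tld.crt \
#       ./certs/client1.domain.tld.key client1.ovpn
#   ovpn_inline_ok client1.ovpn && echo "client config ready"
```

verify_new_certs is the check worth running before the reimport: an import succeeds even if server.crt was signed by a different ca.crt than the one you pass as the chain, and you only discover the mismatch when clients still fail the handshake.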

Related information

Client authentication in AWS Client VPN

AWS OFFICIAL, updated 2 months ago

1 Comment

The command on step 6 is not well formatted. This is a fix:

# Run from the easy-rsa directory; collect the generated files in one folder
CERT_FOLDER_NAME="your-folder-name"
mkdir -p ~/"$CERT_FOLDER_NAME"/
cp pki/ca.crt ~/"$CERT_FOLDER_NAME"/
cp pki/issued/server.crt ~/"$CERT_FOLDER_NAME"/
cp pki/private/server.key ~/"$CERT_FOLDER_NAME"/
cp pki/issued/client1.domain.tld.crt ~/"$CERT_FOLDER_NAME"/
cp pki/private/client1.domain.tld.key ~/"$CERT_FOLDER_NAME"/
cd ~/"$CERT_FOLDER_NAME"/
replied a month ago