
AWS ALB mTLS Failed:ClientCertExpired error with valid certs

0

Hi, I've got the following error in the ALB logs when I'm using ALB with mTLS and enabled the "Do not allow expired client certificates" option.

Error message: "Failed:ClientCertExpired"

Even though the certificate's expiration dates look fine, as is also shown in the logs: "NotBefore=2024-08-15T11:48:38Z;NotAfter=2025-08-15T11:48:38Z"

What could be the root cause and the resolution?

Thanks for your help in advance!

1 Answer
0

The "Failed:ClientCertExpired" error you're encountering with your AWS Application Load Balancer (ALB) using mTLS is puzzling, given that the certificate's validity dates appear to be correct. However, there are a few potential causes and solutions to consider:

  1. Time synchronization: Ensure that the time on your client system and the ALB are properly synchronized. Even if the certificate appears valid, a time discrepancy could cause the ALB to interpret the certificate as expired.

  2. Certificate chain issues: The error might be related to an expired certificate in the chain, not just the leaf certificate. Verify that all certificates in the chain, including any intermediate certificates, are valid and not expired.

  3. Trust store configuration: Double-check that your trust store is correctly configured and contains the most up-to-date CA certificate bundle. An outdated trust store could lead to misinterpretation of certificate validity.

  4. Certificate Revocation List (CRL): If you're using a CRL, ensure it's up-to-date and not expired. An expired CRL could potentially cause issues with certificate validation.

  5. ALB configuration: Review your ALB configuration to ensure that the "Do not allow expired client certificates" option is correctly set and that there are no conflicting settings.

To troubleshoot and resolve this issue:

  1. Verify the entire certificate chain using OpenSSL or a similar tool to ensure all certificates are valid.

  2. Check the ALB connection logs for any additional information about the error.

  3. Temporarily disable the "Do not allow expired client certificates" option to see if it resolves the issue. If it does, this might indicate a problem with how the ALB is interpreting the certificate's validity.

  4. Re-issue the client certificate using the CA certificate bundle referenced by the EC2 trust store to ensure complete compatibility.

  5. If the issue persists, you may need to contact AWS Support for further investigation, providing them with the client certificate, connection logs, and any relevant configuration details.

Remember to always use the most up-to-date CA certificate bundle and ensure that your certificates meet all the requirements specified by AWS for use with ALB mTLS.

Sources
Resolve mTLS client connection issues | AWS re:Post
Introducing mTLS for Application Load Balancer | Networking & Content Delivery
Troubleshooting common AWS Client VPN problems - AWS Client VPN

answered a year ago
EXPERT
reviewed a year ago
EXPERT
reviewed a year ago
