
Client VPN endpoint TLS error when trying to connect


I've created my endpoint, and edited my ovpn file with my own private key and crt, and get a TLS error. According to the AWS docs, the cause of this problem might be one of the following:

  • Firewall rules are blocking UDP or TCP traffic. ===> No client side restriction / SG used on the connection is the VPC default, all traffic allowed
  • You're using the incorrect client key and certificate in your configuration (.ovpn) file. ===> suspect a problem with my certs
  • The client certificate revocation list (CRL) has expired. ===> should not be an issue.

I notice in my ovpn file, the <ca> section that was created by the connection endpoint shows my server certificate public crt contents. However, when I setup my own pki with easy-rsa, the first step creates a CA and CA.crt. The client cert I'm using is created from the same CA, and I used the server cert for both the server and client connections in the endpoint setup.

So thinking about this, I'm not sure how the private user cert is validated against the server cert in the ovpn connection, since it's private. Or is that encoded in my server cert and the client cert matches?

My cert and vpn creation steps:

  • Setup PKI/CA/Server cert:

        ./easyrsa init-pki ==> initialize new pki
        ./easyrsa build-ca ===> creates private ca.key
        ./easyrsa build-server-full server_name

    ==> import the "server_name" crt (starting with ---- begin certificate) and the private key into ACM

  • Finish the setup of the endpoint VPN with that ACM cert and all the other steps for endpoint creation.

  • Generate the client cert from the same CA:

        ./easyrsa build-client-full client_name

    ===> import the "client_name" crt (starting with ---- begin certificate) and the private key into my OVPN file

  • Connect: TLS error.

Oct 16 5:12:44 PM: TLS Error: TLS handshake failed
Oct 16 5:12:44 PM: SIGUSR1[soft,tls-error] received, process restarting
Oct 16 5:12:54 PM: Valid existing endpoint found... 9.9.9.9:443:udp  
Oct 16 5:12:55 PM: TCP/UDP: Preserving recently used remote address: [AF_INET]8.8.8.8:443
Oct 16 5:12:55 PM: Socket Buffers: R=[65536->65536] S=[65536->65536]
Oct 16 5:12:55 PM: UDPv4 link local: (not bound)
Oct 16 5:12:55 PM: UDPv4 link remote: [AF_INET]47.130.9.180:443
Oct 16 5:13:55 PM: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

Am I doing something wrong? Do I need to include the entire .crt file instead of after the "-----BEGIN CERTIFICATE"? (I've tried both, same issue) How does it validate against a private CA server?

1 Answer

Based on the information provided, it seems the issue might indeed be related to your certificates. Here are a few points to consider:

  1. Certificate Chain: When using a private CA, it's crucial to include the entire certificate chain in your configuration. This means you should include the CA certificate, the server certificate, and the client certificate in the appropriate sections of your .ovpn file.

  2. Certificate Format: Ensure you're using the correct format for your certificates. The entire certificate, including the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines, should be included.

  3. Server Certificate in OVPN: The <ca> section in your .ovpn file should contain the CA certificate, not the server certificate. The server certificate is used by the Client VPN endpoint itself.

  4. Client Certificate and Key: Make sure you're using the correct client certificate and private key in your .ovpn file. These should be in the <cert> and <key> sections respectively.

  5. Certificate Validation: The client certificate is validated against the CA certificate, not directly against the server certificate. The server certificate is also validated against the same CA certificate. This is how the trust chain is established.

  6. ACM Import: When importing certificates to ACM, ensure you're importing the entire certificate chain for the server certificate.

To troubleshoot:

  1. Double-check that your CA certificate is correctly placed in the <ca> section of the .ovpn file.
  2. Verify that your client certificate and private key are correctly placed in the <cert> and <key> sections.
  3. Ensure all certificates include the full content, including the BEGIN and END lines.
  4. Verify that the client certificate was indeed signed by the same CA as the server certificate.
  5. Check the expiration dates of all certificates to ensure they are still valid.

If the issue persists after verifying these points, you may want to regenerate your certificates and reimport them to ACM, ensuring you follow each step carefully. Also, consider using OpenSSL commands to verify the certificate chain and ensure all parts are correct and compatible.
Sources
Troubleshooting AWS Client VPN: Client software returns a TLS error when trying to connect to Client VPN - AWS Client VPN
AWS Client VPN endpoint configuration file export - AWS Client VPN
Troubleshooting common AWS Client VPN problems - AWS Client VPN

answered a year ago
EXPERT
reviewed a year ago
  • I've reimported my certificate, with the server cert in the certificate body section, and the ca cert in the chain section, and re-exported the ovpn file and now it shows the CA cert, and I've added my client crt and key, but while getting further, it's slightly different error now:

    Oct 16 9:24:35 PM: State changed to Authenticating
    Oct 16 9:24:35 PM: TLS: Initial packet from [AF_INET]4yyyy.180:443, sid=852338cc 7a2f051c
    Oct 16 9:24:35 PM: VERIFY OK: depth=1, CN=Easy-RSA CA
    Oct 16 9:24:35 PM: VERIFY KU OK
    Oct 16 9:24:35 PM: Validating certificate extended key usage
    Oct 16 9:24:35 PM: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
    Oct 16 9:24:35 PM: VERIFY EKU OK
    Oct 16 9:24:35 PM: VERIFY X509NAME OK: CN=yyyyyy-vpn
    Oct 16 9:24:35 PM: VERIFY OK: depth=0, CN=yyyyyyy-vpn
    Oct 16 9:24:36 PM: Virtual Adapter Version: 0.7.2.1017
    Oct 16 9:25:36 PM: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Oct 16 9:25:36 PM: TLS Error: TLS handshake failed
    

    I've also verified my certs are trusted by the ca:

        $ openssl verify -CAfile ../ca.crt yyyyyy-vpn.crt
        yyyyyy-vpn.crt: OK
        $ openssl verify -CAfile ../ca.crt vpn-user.crt
        vpn-user.crt: OK

    Any idea what I'm doing wrong?
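As an added example (not code from the question, the answer or AWS), here is a POSIX shell script that runs the answer's troubleshooting checks, plus the comment's openssl verify, against the inline blocks of an .ovpn file: it confirms that the <cert> chains to the <ca>, carries the TLS client-authentication EKU, is not expired, and matches the <key>. It assumes openssl is on PATH; the CA, client cert and file names it creates are a constructed fixture, including an .ovpn whose <ca> holds an unrelated certificate to reproduce the chain failure behind the question's first error.

```shell
#!/bin/sh
# Added example, not code from the thread: sanity-check the inline <ca>, <cert> and
# <key> blocks of an .ovpn file, following the answer's troubleshooting list.
set -eu
# Copy the body of an inline <tag>...</tag> block out of an .ovpn file ($1=tag $2=ovpn $3=out).
extract_block() {
  sed -n "/^<$1>/,/^<\/$1>/p" "$2" | sed '1d;$d' > "$3"
}
# Checks on a directory holding ca.pem, cert.pem, key.pem; prints a one-line verdict.
verify_parts() {
  openssl verify -CAfile "$1/ca.pem" "$1/cert.pem" >/dev/null 2>&1 \
    || { echo "cert does not chain to <ca>"; return 1; }
  openssl x509 -in "$1/cert.pem" -noout -text | grep -q "TLS Web Client Authentication" \
    || { echo "cert lacks clientAuth EKU"; return 1; }
  openssl x509 -in "$1/cert.pem" -noout -checkend 0 >/dev/null \
    || { echo "cert expired"; return 1; }
  [ "$(openssl x509 -in "$1/cert.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$1/key.pem" -pubout)" ] \
    || { echo "key does not match cert"; return 1; }
  echo ok
}
# Check one .ovpn file: pull out the three blocks, verify them, clean up, report.
check_ovpn() {
  w=$(mktemp -d)
  for t in ca cert key; do extract_block "$t" "$1" "$w/$t.pem"; done
  if out=$(verify_parts "$w"); then rc=0; else rc=1; fi
  rm -rf "$w"; echo "$out"; return $rc
}
# Constructed fixture (hypothetical names): a throwaway CA, a client cert it signed,
# ca.ovpn with the real CA in <ca>, and other.ovpn whose <ca> holds an unrelated
# self-signed cert, the mistake from the question (a server cert where the CA belongs).
make_fixture() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Easy-RSA CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=not-the-ca" \
    -keyout "$1/other.key" -out "$1/other.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn-user" \
    -keyout "$1/client.key" -out "$1/client.csr" >/dev/null 2>&1
  echo "extendedKeyUsage=clientAuth" > "$1/ext.cnf"
  openssl x509 -req -in "$1/client.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -days 1 -extfile "$1/ext.cnf" -out "$1/client.crt" >/dev/null 2>&1
  for c in ca other; do
    { printf '<ca>\n'; cat "$1/$c.crt"; printf '</ca>\n<cert>\n'; cat "$1/client.crt"
      printf '</cert>\n<key>\n'; cat "$1/client.key"; printf '</key>\n'; } > "$1/$c.ovpn"
  done
}
T=$(mktemp -d); make_fixture "$T"          # demo run: prints "ok", then the chain failure
check_ovpn "$T/ca.ovpn"; check_ovpn "$T/other.ovpn" || true; rm -rf "$T"
```

To check a real exported file, call check_ovpn on it after the server certificate's chain has been reimported into ACM so that the exported <ca> block holds the CA certificate, as the comment above describes.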
