AWS Client VPN shows a TLS handshake error. I want to check the expired endpoint certificates and then replace them.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
When the server certificate that a Client VPN endpoint uses expires, clients can no longer validate it, the TLS handshake fails, and no connection is established. Client VPN then reports a TLS handshake error. The same failure occurs in mutual authentication when the client certificate, or the certificate authority (CA) chain that the endpoint trusts, has expired.
Identify the expired endpoint certificates
Open the AWS Certificate Manager (ACM) console. Review the current certificates and note the Amazon Resource Name (ARN) of each expired certificate that the Client VPN endpoint uses: the server certificate, and the client certificate if the endpoint uses mutual authentication. You need the ARN for the import command in the next step.
Renew or recreate the certificates
If you have access to your current public key infrastructure (PKI) environment, then renew your existing server certificate for Client VPN. Your PKI environment must include your certificate authority, server certificates, and client certificates.
If you don't have access to your pre-existing PKI environment, then create a new certificate authority and issue new server and client certificates from it. Note that client certificates that the old CA issued don't validate against the new chain, so you must also reissue and distribute the client certificates. File types that end in .crt contain the certificate body, .key files contain the certificate private key, and ca.crt files contain the certificate chain.
To recreate the certificates, see Activate mutual authentication for AWS Client VPN. Then, run the following import-certificate AWS CLI command to reimport the recreated certificate. Specify the ARN of the existing expired certificate in --certificate-arn so that ACM replaces it in place and the Client VPN endpoint's reference to that ARN stays valid:
aws acm import-certificate \
--certificate fileb://server.crt \
--private-key fileb://server.key \
--certificate-chain fileb://ca.crt \
--certificate-arn arn:aws:acm:region:123456789012:certificate/12345678-1234-1234-1234-12345678901
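Before you reimport, it helps to confirm that the three files belong together and are not themselves about to expire; an import that succeeds but pairs the wrong key, chain, or an already-expired certificate puts you back at the same handshake error. The following script is an added example for this article, not AWS code, and uses only openssl. It builds a throwaway CA and server certificate as a constructed fixture (1-day validity, hypothetical names) and then applies the same checks you would run against your real server.crt, server.key, and ca.crt: validity window, key-to-certificate match, and chain verification.

```shell
#!/usr/bin/env bash
# Pre-import sanity checks for Client VPN certificate files (added example).
set -u

# Exit 0 if the certificate is still valid $2 seconds from now,
# non-zero if it expires (or has already expired) within that window.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Exit 0 if the private key in $2 belongs to the certificate in $1
# (compared via the SubjectPublicKeyInfo each one carries).
key_matches_cert() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Exit 0 if the certificate in $1 chains to the CA bundle in $2.
chain_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run all three checks on a server.crt/server.key/ca.crt set in directory $1.
# $2 is the look-ahead window in seconds (default 30 days). Returns non-zero
# if any check fails, so it can gate the aws acm import-certificate call.
check_bundle() {
  local dir="$1" window="${2:-2592000}" rc=0
  cert_valid_for "$dir/server.crt" "$window" \
    && echo "ok: server.crt valid for at least $window s" \
    || { echo "FAIL: server.crt expires within $window s"; rc=1; }
  key_matches_cert "$dir/server.crt" "$dir/server.key" \
    && echo "ok: server.key matches server.crt" \
    || { echo "FAIL: server.key does not match server.crt"; rc=1; }
  chain_verifies "$dir/server.crt" "$dir/ca.crt" \
    && echo "ok: server.crt chains to ca.crt" \
    || { echo "FAIL: server.crt does not chain to ca.crt"; rc=1; }
  return "$rc"
}

# Constructed fixture: a self-signed CA, a server certificate it signs
# (both valid for 1 day), and an unrelated key to demonstrate a mismatch.
make_fixture() {
  local dir="$1"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=server" \
    -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/server.crt" >/dev/null 2>&1
  openssl genpkey -algorithm RSA -out "$dir/other.key" >/dev/null 2>&1
}

# Usage: ./check_bundle.sh /path/to/certs [window_seconds]
if [ "$#" -ge 1 ]; then
  check_bundle "$1" "${2:-2592000}"
fi
```

Run check_bundle against the directory that holds the recreated files and only proceed to aws acm import-certificate when it exits 0. To confirm on the AWS side which certificates are already expired, aws acm list-certificates --certificate-statuses EXPIRED lists them, and aws acm describe-certificate --certificate-arn <arn> --query Certificate.NotAfter shows the expiry of a specific one.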
When you update certificates that Client VPN uses, the service automatically updates the Client VPN endpoint with the new certificate. This process can take up to 24 hours.
To apply the update immediately, disassociate the target networks from the Client VPN endpoint and then reassociate them. When you disassociate a target network, Client VPN also removes the routes that were manually added for that network from the endpoint's route table.
Note: When you disassociate and then reassociate target networks, Client VPN access is unavailable for several minutes.
After you reassociate the target networks, be sure to recreate the Client VPN endpoint route.
Download the new Client VPN endpoint configuration file
To download the new Client VPN endpoint configuration file, complete the following steps.
- Use Amazon Virtual Private Cloud (Amazon VPC) or the AWS CLI to export the AWS Client VPN client configuration file.
- Add the AWS Client VPN client certificate and key information to the .ovpn configuration file that you download.
Related information
Client authentication in AWS Client VPN