I want to be notified when the server certificate that’s being used with the AWS Client VPN endpoint is about to expire so that I don’t get an error when I try to connect to the endpoint.
Short description
To create a Client VPN endpoint, you must provision a server certificate in AWS Certificate Manager (ACM), regardless of the type of authentication you use. The endpoint uses this server certificate to establish a secure Transport Layer Security (TLS) connection between your VPC and the OpenVPN-based client.
The server certificate is valid only for a limited period of time. During the authentication phase, the Client VPN endpoint checks the server certificate against the client certificate revocation list (CRL) that you imported. If the client certificate revocation list has expired, then you can't connect to the Client VPN endpoint.
Your system logs the following error:
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
Resolution
Generally, the Client VPN service doesn't notify you that your server certificate is about to expire. However, you can get this information from an Amazon CloudWatch metric called DaysToExpiry that's available under the Certificate Manager namespace. This metric gives you the number of days left before the server certificate for your Client VPN endpoint expires.
Use the Amazon CloudWatch DaysToExpiry metric
When graphed, the CloudWatch DaysToExpiry metric for the certificate decreases over time until it reaches zero, which is the point at which the certificate expires. At that time, the certificate associated with the Client VPN endpoint is no longer valid, the TLS handshake between the client and the Client VPN endpoint fails, and as a result the client can't authenticate to the Client VPN endpoint.
Set a custom alarm for the metric
You can set an alarm on this metric. When the metric drops to a value that you choose, such as 10 for 10 days left until the certificate expires, the alarm enters the ALARM state. The alarm lets the administrator know that it's time to generate a new server certificate and reimport it. For more information on Amazon Simple Notification Service (Amazon SNS) topics, see Creating an Amazon SNS topic.
You can create multiple alarms for a single metric. For example, you might choose to set up two additional alarms: five days to certificate expiry and one day to certificate expiry. If the administrator misses the ten-day warning notification, they are still notified by the five-day and the one-day alarms. The administrator updates the list of revoked certificates and generates a new certificate file in the PEM format. Then, the administrator reimports it to the Client VPN endpoint.
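The following script is an added example that is not part of the original article: it creates one CloudWatch alarm per threshold (10, 5 and 1 days, as described above) on the ACM DaysToExpiry metric and routes each alarm to an SNS topic. It uses the metric's documented namespace (AWS/CertificateManager) and dimension (CertificateArn); the certificate ARN and SNS topic ARN in the usage comment are placeholders to replace with your own. The AWS_CMD variable is an assumption of this example so that the script can be dry-run with AWS_CMD=echo before it touches an account.

```shell
#!/bin/sh
# Added example (not from the AWS article): one CloudWatch alarm per
# "days to expiry" threshold on the ACM DaysToExpiry metric.
# AWS_CMD is an assumption of this example: set AWS_CMD=echo to dry-run
# and see the exact aws CLI invocations without creating anything.
AWS_CMD=${AWS_CMD:-aws}

# Create an alarm that fires when DaysToExpiry is <= the given threshold.
# ACM publishes DaysToExpiry once a day, so a one-day period (86400 s) with a
# single evaluation period is used; the Minimum statistic catches the lowest
# value seen in that window. The alarm name carries the threshold so the
# SNS notification itself says how many days are left.
create_expiry_alarm() {
    cert_arn=$1
    sns_topic_arn=$2
    threshold=$3
    "$AWS_CMD" cloudwatch put-metric-alarm \
        --alarm-name "clientvpn-server-cert-expires-in-${threshold}d" \
        --alarm-description "ACM server certificate for Client VPN expires in ${threshold} days or fewer" \
        --namespace AWS/CertificateManager \
        --metric-name DaysToExpiry \
        --dimensions Name=CertificateArn,Value="$cert_arn" \
        --statistic Minimum \
        --period 86400 \
        --evaluation-periods 1 \
        --threshold "$threshold" \
        --comparison-operator LessThanOrEqualToThreshold \
        --alarm-actions "$sns_topic_arn"
}

# Create the full ladder of alarms (for example 10 5 1) for one certificate,
# so that a missed early warning is still followed by later ones.
create_expiry_alarms() {
    cert_arn=$1
    sns_topic_arn=$2
    shift 2
    for days in "$@"; do
        create_expiry_alarm "$cert_arn" "$sns_topic_arn" "$days"
    done
}

# Usage (placeholder ARNs, replace with your own):
# create_expiry_alarms \
#     arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE-CERT-ID \
#     arn:aws:sns:us-east-1:123456789012:clientvpn-cert-alerts 10 5 1
```

Run the script once per server certificate; because the alarms are keyed on the certificate ARN, they stay attached to the same ACM certificate after you reimport it with the same ARN, so the ladder keeps working for the renewed certificate without any changes.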
Generate a new server certificate
Note: If you receive errors when you run the AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
For Easy RSA Certificate Authorities:
- Use the following command to generate a new server certificate:
./easyrsa build-server-full server nopass
Note: Replace server with the name that you want to give the certificate.
- Then, reimport the server certificate onto the Client VPN endpoint.
- Or, use the following AWS CLI command to update the CRL on the Client VPN endpoint. Then, reimport the server certificate into ACM.
Note: You must have the Amazon Resource Name (ARN) of the server certificate that's about to expire.
aws acm import-certificate --certificate fileb://Certificate.pem \
--certificate-chain file://CertificateChain.pem \
--private-key file://PrivateKey.pem \
--certificate-arn arn:aws:acm:region:123456789012:certificate/12345678-1234-1234-1234-12345678901
Related information
Reimporting a certificate