ClientVPN Mutual Auth Server Cert missing domain name thus fails to work with ClientVPNEndpoint

0

I'd like to use the Mutual Auth option for Client VPN for a small startup I'm supporting. At this time AD or SAML 2.0 are not something they want to support due to the diverse team and contract task development. They would like to use Mutual Auth to keep it simple and quick. I've tried following the steps on Mutual authentication, yet every time I get a Server Cert that doesn't have a domain name. When attempting to use this cert in a CloudFormation template I get a deployment error as follows: Certificate arn:aws:acm:us-east-1:123456789012:certificate/abc60e04-42bd-1122-b1af-9c8ba39445cf does not have a domain (Service: AmazonEC2; Status Code: 400; Error Code: InvalidParameterValue; Request ID: 36ceea5b-9dd0-46c8-9d4b-b2ab92ee90ad; Proxy: null. Trying to create the Client VPN Endpoint in the console doesn't even offer the server cert. I tried this in two different AWS accounts and followed the above steps several times, and each time I get the same result.

Another interesting output is that if a cert doesn't have a domain name, the cert will not show up when issuing the CLI command aws acm list-certificates either.

And yes, I tried making a vars file with the domain name, but that doesn't work to add a SAN to the cert; it does work to change the expiration of the cert, so I did confirm the vars file is processed when making the certs.

FWIW: I made this work about 9 months ago and something has changed that I have yet to figure out.

Thanks for the help.

1 Answer
0
Accepted Answer

In step 4 of the instructions, update the hostname server i.e.

./easyrsa build-server-full server nopass

to a FQDN eg

./easyrsa build-server-full server.domain.tld nopass

Then it appears in ACM and VPN Endpoint configuration. I do believe you can use any domain name you wish. In Step 7, you do not need to import a Client Cert into ACM. Just reference the Server Cert.

Any subsequent clients you create, ensure you use the same domain name as in Step 5.

I have provided feedback to the Documentation above too. Hopefully it will be adjusted.

EXPERT
answered a month ago
  • I swear I tried this before and didn't get a domain name. I updated the script I developed to create the certs and store the values in Parameter Store, and today the cert has a FQDN. It appears the FQDN is required for the creation of the cert. As to the documentation, don't forget to update the script that does the cp commands to use the FQDN instead of server.crt/key.

    Thanks for the help.
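The check a practitioner would want around the fix above: verify that the server certificate easy-rsa produced actually carries an FQDN (dotted CN or DNS SAN) before handing it to ACM and the Client VPN endpoint. This is an added example, not code from the original post or from AWS; it assumes OpenSSL 1.1.1+ and the AWS CLI, and the "server" / "server.domain.tld" certificates it generates are constructed stand-ins for the easy-rsa output.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes OpenSSL 1.1.1+ and the
# AWS CLI; the certificate and file names below are constructed stand-ins for
# the easy-rsa output (pki/issued/<name>.crt, pki/private/<name>.key).
set -eu

# Constructed test data: a short-lived self-signed cert for CN "$1", written
# to "$2.crt"/"$2.key". A DNS SAN is added only when the CN looks like an FQDN,
# mirroring what the build-server-full <fqdn> step yields.
make_test_cert() {
  cn="$1"; out="$2"; san=""
  case "$cn" in *.*) san="-addext subjectAltName=DNS:$cn" ;; esac
  # $san is intentionally left unquoted so it splits into two arguments
  openssl req -x509 -nodes -days 1 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -subj "/CN=$cn" $san -keyout "$out.key" -out "$out.crt" >/dev/null 2>&1
}

# Return 0 when the PEM cert at "$1" carries a domain name, i.e. a DNS entry in
# subjectAltName or a dotted CN; return 1 otherwise (the bare "server" case from
# the question, which the endpoint rejects as "does not have a domain").
cert_has_domain() {
  openssl x509 -in "$1" -noout -text | grep -q 'DNS:' && return 0
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | grep -q 'CN=[^,]*\.'
}

# Gate the ACM import on that check so a cert without an FQDN never reaches
# the Client VPN endpoint configuration. "$1" is the easy-rsa base name
# (server.domain.tld), "$2" the CA cert; the AWS call is left commented out.
import_if_valid() {
  if ! cert_has_domain "$1.crt"; then
    echo "refusing $1.crt: no FQDN in CN or SAN" >&2
    return 1
  fi
  echo "importing $1.crt"
  # aws acm import-certificate --certificate "fileb://$1.crt" \
  #   --private-key "fileb://$1.key" --certificate-chain "fileb://$2"
}

# Demonstration: the bare "server" name from the question beside the FQDN fix.
work=$(mktemp -d)
make_test_cert server "$work/server"
make_test_cert server.domain.tld "$work/server.domain.tld"
for name in server server.domain.tld; do
  import_if_valid "$work/$name" "$work/ca.crt" || true
done
```

Run it against the real easy-rsa output by pointing import_if_valid at pki/issued/server.domain.tld (the cp step must use the FQDN file names too).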
