Any ideas to successfully connect to an AWS Client VPN endpoint? Getting certificate verify failed

I have setup a Client VPN, using steps described in Create a Client VPN Endpoint.

For the server certificate, I picked a public certificate that was newly created and verified by AWS Certificate Manager.

I configured the authentication method to be Use Active Directory authentication with a Directory ID that corresponds to an AWS SimpleAD directory.

I left the Transport Protocol set to UDP.

When I download the client configuration and try connecting via Tunnelblick (v3.7.8) on OSX, I get the following error:

VERIFY ERROR: depth=3, error=unable to get issuer certificate: C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2
OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
TLS_ERROR: BIO read tls_read_plaintext error
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed

Any ideas what is not configured correctly or what I could do to resolve this?

I have support and opened a case with them. They told me to replace the last cert in the .ovpn file with the following root cert. It works. Don’t forget to add the random host name to the cevpn.etc… name:


I have issues with the local issuer:

VERIFY ERROR: depth=3, error=unable to get local issuer certificate: C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2
OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
TLS_ERROR: BIO read tls_read_plaintext error
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed

Ideas anyone?

Yup, I had this happen too. I think it might be a bug in ACM but some certificates it generates, if you ask for the full chain via API it’ll include the wrong root certificate. I think the client VPN takes that output at face value and drops it into the .ovpn file which now contains an invalid chain. To fix, simply find the correct root for the certificate you chose and replace the one in the .ovpn file with it. Kind of a pain but it worked after that. I’ve been trying to report the bug to them but they’ve been fairly unresponsive :frowning:
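An added check, not from this thread or from AWS, for the failure mode described above: it pulls the certificates out of the `<ca>` block of a downloaded .ovpn and reports whether each issuer matches the next certificate's subject and whether the last certificate is a self-signed root, which is exactly what a wrong root breaks. It uses only the Python standard library and compares names as raw DER bytes; the sample certificates are constructed, unsigned skeletons, not real certificates.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, element_end)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                       # long-form length: next n bytes hold the length
        n = length & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    return tag, pos + hdr, pos + hdr + length

def cert_names(der):
    """Return the raw DER encodings of (issuer, subject) from one X.509 certificate."""
    _, pos, _ = tlv(der, 0)                 # Certificate SEQUENCE
    _, pos, _ = tlv(der, pos)               # tbsCertificate SEQUENCE
    tag, _, end = tlv(der, pos)
    if tag == 0xA0:                         # optional [0] EXPLICIT version
        pos = end
    for _ in range(2):                      # skip serialNumber and signature AlgorithmIdentifier
        _, _, pos = tlv(der, pos)
    _, _, end = tlv(der, pos); issuer = der[pos:end]; pos = end
    _, _, pos = tlv(der, pos)               # skip validity
    _, _, end = tlv(der, pos)
    return issuer, der[pos:end]

def chain_problems(ovpn_text):
    """Each issuer must equal the next subject, and the last cert must be a self-signed root."""
    ca = re.search(r"<ca>(.*?)</ca>", ovpn_text, re.S)
    names = [cert_names(base64.b64decode("".join(b.split())))
             for b in PEM_RE.findall(ca.group(1) if ca else ovpn_text)]
    problems = [f"cert {i} issuer != cert {i + 1} subject"
                for i in range(len(names) - 1) if names[i][0] != names[i + 1][1]]
    if names and names[-1][0] != names[-1][1]:
        problems.append("last cert is not self-signed")
    return problems

# --- constructed test data: unsigned certificate skeletons holding only the fields cert_names() reads ---
def _der(tag, body):                        # DER TLV encoder for bodies shorter than 256 bytes
    return bytes([tag, len(body)]) + body if len(body) < 0x80 else bytes([tag, 0x81, len(body)]) + body
def _name(cn):                              # Name ::= SEQUENCE { SET { SEQUENCE { id-at-commonName, UTF8String } } }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
def fake_cert_pem(issuer_cn, subject_cn):
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")               # version v3, serial 1
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))   # sha256WithRSAEncryption
           + _name(issuer_cn) + _der(0x30, b"") + _name(subject_cn))            # issuer, (empty) validity, subject
    b64 = base64.b64encode(_der(0x30, _der(0x30, tbs))).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64
LEAF, INTERMEDIATE = fake_cert_pem("Intermediate CA", "vpn.example.com"), fake_cert_pem("Root G2", "Intermediate CA")
GOOD_OVPN = "<ca>\n" + LEAF + INTERMEDIATE + fake_cert_pem("Root G2", "Root G2") + "</ca>\n"
BAD_OVPN = "<ca>\n" + LEAF + INTERMEDIATE + fake_cert_pem("Other Root", "Other Root") + "</ca>\n"  # wrong root dropped in
```

Run `chain_problems(open("downloaded-client-config.ovpn").read())` on the real file; an empty list means the chain links up, and any report names the position where the wrong certificate was dropped in. Byte-equal names are the normal DER case; a chain whose issuer and subject differ only in string encoding would be flagged here but accepted by OpenSSL.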

The certificate must be generated by you and uploaded to ACM. The CA is part of the client trust/auth. Check out my blog post, it may help: Taking the AWS Client VPN for a spin | Performance Magic

We’ve had this issue after updating the certificates in ACM, updating the endpoint and trying to connect. The only way we managed to get around it, is to delete the stack and start again. Something doesn’t get updated correctly, even though the update call succeeds.

This is the process we used: https://github.com/ab77/cfn-generic-custom-resource/blob/master/README.md#clientvpn-demo

This solution worked for me, thank you.

This works… curious as to why I need to do this, but OK. Thanks for providing this.

Cheers, worked for me like magic.

Thanks for the tip! Huge save.

Long shot but I’m having the same issue. Any idea how you solved this?

This worked for me, too. I replaced the middle “BEGIN CERTIFICATE” section with the root CA part of the certificate from the website in Chrome. Thanks for the advice!

Seems like there are some other issues now, but I’m making slow progress :slight_smile:

Hrmm, I tried importing a cert, but I wasn’t able to select it when creating the endpoint. I’ll try again today and see if it works.

The blog post looks really nice, thanks for sharing that!

Hi. Just wanted to thank you for the blog post, really nice writeup and gives me some hints for mutual authentication where I am struggling with. So, thanks!