Troubleshooting AWS Client VPN: Client software returns a TLS error when trying to connect to Client VPN
Problem
I used to be able to connect my clients to the Client VPN successfully, but now the OpenVPN-based client returns one of the following errors when it tries to connect:
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
Connection failed because of a TLS handshake error. Contact your IT administrator.
Possible cause #1
If you use mutual authentication and you imported a client certificate revocation list, the client certificate revocation list might have expired. During the authentication phase, the Client VPN endpoint checks the client certificate against the client certificate revocation list that you imported. If the client certificate revocation list has expired, you cannot connect to the Client VPN endpoint.
Solution #1
Check the expiry date of your client certificate revocation list by using the OpenSSL tool.
$ openssl crl -in path_to_crl_pem_file -noout -nextupdate
The output displays the expiry date and time. If the client certificate revocation list has expired, you must create a new one and import it to the Client VPN endpoint. For more information, see AWS Client VPN client certificate revocation lists.
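The check above, scripted so that the nextUpdate value is compared against the clock rather than read by eye. This is an added example, not part of the AWS documentation; it assumes openssl and GNU date (for date -d) are installed, and it builds a constructed throwaway CA only so that a CRL exists to test offline.

```shell
# Added example, not from the AWS page: reproduce the "Possible cause #1"
# check by parsing the CRL's nextUpdate and comparing it with the clock.
# Assumes openssl and GNU date (for `date -d`). The CA built below is a
# constructed throwaway, only so the check can run offline.

# check_crl_expiry FILE [NOW_EPOCH]: 0 = still valid, 1 = expired, 2 = unreadable.
# NOW_EPOCH overrides the current time (used to simulate an expired CRL).
check_crl_expiry() {
    crl_file="$1"
    now_epoch="${2:-$(date -u +%s)}"
    # Same command the page gives; output looks like "nextUpdate=Jun  3 12:00:00 2030 GMT"
    next_update=$(openssl crl -in "$crl_file" -noout -nextupdate 2>/dev/null | cut -d= -f2)
    if [ -z "$next_update" ]; then
        echo "cannot read nextUpdate from $crl_file" >&2
        return 2
    fi
    next_epoch=$(date -u -d "$next_update" +%s)
    if [ "$next_epoch" -le "$now_epoch" ]; then
        echo "EXPIRED: nextUpdate was $next_update; issue a new CRL and re-import it"
        return 1
    fi
    echo "OK: CRL valid until $next_update"
    return 0
}

# make_test_crl DAYS: build a throwaway CA and print the path of a CRL valid for DAYS days.
make_test_crl() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=constructed-test-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1 || return 2
    : > "$dir/index.txt"
    echo 01 > "$dir/crlnumber"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = test_ca
[ test_ca ]
database    = $dir/index.txt
crlnumber   = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md  = sha256
EOF
    openssl ca -config "$dir/ca.cnf" -gencrl -crldays "$1" -out "$dir/crl.pem" >/dev/null 2>&1 || return 2
    echo "$dir/crl.pem"
}

# Usage: replace the constructed CRL with the one you imported into the endpoint.
crl=$(make_test_crl 30)
check_crl_expiry "$crl"
```

A non-zero exit from check_crl_expiry on your real CRL file means the endpoint will reject every client until a fresh CRL is generated and imported.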
Possible cause #2
The server certificate being used for the Client VPN endpoint has expired.
Solution #2
Check the status of your server certificate in the AWS Certificate Manager console or by using the AWS CLI. If the server certificate is expired, create a new certificate and upload it to ACM. For detailed steps to generate the server and client certificates and keys using the OpenVPN easy-rsa utility
Alternatively, there might be an issue with the OpenVPN-based software that the client is using to connect to the Client VPN. For more information about troubleshooting OpenVPN-based software, see Troubleshooting Your Client VPN Connection in the AWS Client VPN User Guide.