The error message you're seeing indicates OpenSSL cannot verify the certificate chain of your AWS Client VPN endpoint. The key problem is:
VERIFY ERROR: depth=3, error=unable to get issuer certificate: C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2
This typically happens when:
- The client machine doesn't have the intermediate CA certificates in its trust store
- There's a mismatch between the server certificate chain and what the client expects
- The VPN configuration doesn't properly include the full certificate chain
Here's how to properly configure your AWS Client VPN endpoint:
# Example OpenVPN configuration adjustment
client
dev tun
proto udp
remote your-vpn-endpoint.prod.clientvpn.us-west-2.amazonaws.com 443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
# Critical security settings
auth SHA256
cipher AES-256-CBC
# Certificate verification
verify-x509-name "server.name.match" name
# Trusted certificates
<ca>
-----BEGIN CERTIFICATE-----
[Your full certificate chain including intermediates]
-----END CERTIFICATE-----
</ca>
If you still face issues, try these alternatives:
- Use AWS Certificate Manager Private CA:
aws acm-pca issue-certificate \
  --certificate-authority-arn arn:aws:acm-pca:region:account-id:certificate-authority/id \
  --csr file://csr.pem \
  --signing-algorithm "SHA256WITHRSA" \
  --validity Value=365,Type="DAYS"
- Manual Certificate Verification:
openssl s_client -showcerts -connect your-vpn-endpoint:443 \
  -CAfile /etc/ssl/certs/ca-certificates.crt
For organizations using SimpleAD or AWS Managed AD:
- Ensure your directory service is properly integrated with ACM
- Verify cross-account permissions if certificates are managed separately
- Consider using AWS CloudHSM for enhanced certificate security
Remember to test with different clients (Tunnelblick, OpenVPN CLI, Viscosity) as behavior may vary.
When setting up an AWS Client VPN endpoint, you might encounter the following OpenSSL error:
VERIFY ERROR: depth=3, error=unable to get issuer certificate: C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2
OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
This typically occurs when the client cannot verify the complete certificate chain from your server certificate back to a trusted root certificate.
The error suggests that:
- Your client is missing intermediate certificates in the trust chain
- The certificate bundle might not be properly configured in ACM
- The VPN client (Tunnelblick in this case) doesn't have the complete certificate chain
Here's how to properly configure your certificates:
# Example of how to check your certificate chain
openssl s_client -connect your-vpn-endpoint.amazonaws.com:443 -showcerts
For AWS Client VPN, you need to ensure:
- Your ACM certificate includes the full chain (leaf + intermediates)
- The root CA is trusted by the client system
- No missing certificates in the verification path
1. Verify your ACM certificate chain:
aws acm describe-certificate --certificate-arn your-cert-arn
2. Download the Starfield root CA:
curl -O https://certs.secureserver.net/repository/sf-class2-root.crt
3. Update your OpenVPN configuration:
# Add these lines to your client.ovpn file
<ca>
-----BEGIN CERTIFICATE-----
[Paste Starfield root CA content here]
-----END CERTIFICATE-----
</ca>
If the above doesn't work, consider:
- Generating a new certificate with a different CA (like DigiCert)
- Using certificate bundle from AWS Certificate Manager
- Temporarily disabling certificate verification (not recommended for production)
For Tunnelblick specifically:
- Check "Validate certificate" option in Tunnelblick settings
- Ensure you're using the latest OpenVPN version
- Try different cipher settings in your client configuration
Remember that certificate issues can also stem from incorrect time synchronization between client and server, so always verify your system clock.
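Step 3 of the answer above pastes the downloaded root into the profile's `<ca>` block. The script below is an added example (not from that answer or from AWS) of doing that without hand-editing: it inserts the root before `</ca>`, keeping the CA the profile already carries, refuses a file that is not PEM (a DER download or an HTML error page saved under the expected name), and counts the certificates in the block afterwards. The profile and root file it creates are constructed placeholders with certificate bodies elided; the endpoint name is the same placeholder the page uses.

```shell
#!/bin/sh
# Added example (not from the answer above): append a downloaded root
# certificate to the <ca> block of an OpenVPN profile and sanity-check the
# result. OpenVPN accepts several PEM certificates in one <ca> block, so the
# CA already in the profile stays and the extra root goes in before </ca>.

# True when the file carries at least one PEM certificate. Guards against
# feeding OpenVPN a DER file or an HTML error page that curl saved under
# the expected name, neither of which it can parse.
looks_like_pem_cert() {
    grep -q '^-----BEGIN CERTIFICATE-----' "$1" &&
        grep -q '^-----END CERTIFICATE-----' "$1"
}

# Print profile $1 with the certificate(s) from $2 inserted before </ca>.
# Fails if the profile has no <ca> block or $2 is not PEM.
add_ca_to_profile() {
    grep -q '^</ca>' "$1" || { echo "no <ca> block in $1" >&2; return 1; }
    looks_like_pem_cert "$2" || { echo "$2 is not a PEM certificate" >&2; return 1; }
    awk -v pem="$2" '
        /^<\/ca>/ { while ((getline line < pem) > 0) print line; close(pem) }
        { print }
    ' "$1"
}

# Number of certificates inside the <ca> block of profile $1.
count_ca_certs() {
    awk '/^<ca>/   { inblk = 1 }
         /^<\/ca>/ { inblk = 0 }
         inblk && /^-----BEGIN CERTIFICATE-----/ { n++ }
         END { print n + 0 }' "$1"
}

# Constructed inputs: a cut-down profile and a root file with the certificate
# bodies elided. Replace with the real downloaded profile and root.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cat > "$work/client.ovpn" <<'EOF'
client
dev tun
proto udp
remote your-vpn-endpoint.prod.clientvpn.us-west-2.amazonaws.com 443
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
(CA shipped in the downloaded profile, body elided)
-----END CERTIFICATE-----
</ca>
EOF
cat > "$work/sf-class2-root.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
(root certificate body, elided)
-----END CERTIFICATE-----
EOF
printf 'client\ndev tun\n' > "$work/no-ca.ovpn"

add_ca_to_profile "$work/client.ovpn" "$work/sf-class2-root.crt" > "$work/client-fixed.ovpn"
echo "certificates in <ca>: before $(count_ca_certs "$work/client.ovpn"), after $(count_ca_certs "$work/client-fixed.ovpn")"
```

Before running it on a real profile, confirm the downloaded file is the right anchor: `openssl x509 -in sf-class2-root.crt -noout -subject -enddate` should print the subject named as the issuer at the deepest depth of the chain, and an expiry that is still in the future.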