
Undefined *_common_name --> fail to create Client VPN #126

Open · opened by @bfejervari-nitro

Description

Describe the Bug

I tried to use the module with only a minimal configuration (mainly the required inputs) and got the following error:

* Failed to execute "tofu apply" in ./.terragrunt-cache/rlzfG_8xq-XM7mH3sc0jHKuR6E0/kGAWRK4NH1tKgat2ftMVayOrG3A
  ╷
  │ Error: creating EC2 Client VPN Endpoint: operation error EC2: CreateClientVpnEndpoint, https response error StatusCode: 400, RequestID: a7c5eae0-f03a-49f7-97ae-e882f822542a, api error InvalidParameterValue: Certificate arn:aws:acm:eu-central-1:523327511767:certificate/d90babbe-6faf-4778-b6ee-a8d731da5ea9 does not have a domain
  │
  │   with aws_ec2_client_vpn_endpoint.default[0],
  │   on main.tf line 154, in resource "aws_ec2_client_vpn_endpoint" "default":
  │  154: resource "aws_ec2_client_vpn_endpoint" "default" {
  │
  ╵

Investigating the cause of the problem showed that the self-signed certificate was created without a domain name. I've attached a screenshot.

Workaround 1
Setting the `name` input to a string can solve the problem.

name      = "testtesttest"

Workaround 2
Setting the `*_common_name` inputs to a domain-name-like string solved the problem. Setting a simple word (not containing `.` characters) didn't help.

ca_common_name          = "vpn-ca-cert.vpn.mydomain"
root_common_name        = "vpn-root-cert.vpn.mydomain"
server_common_name      = "vpn-server-cert.vpn.mydomain"

Suggested solution
Please make it clear that one of the following inputs must be defined:

  • `name` (as this is used e.g. in exporting `full_client_configuration`, it should be marked as Required)
  • all `*_common_name` certificate fields (using domain-name strings)
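As an added example (not the module's or the reporter's code), a pre-apply check that encodes the rule proposed above: either `name` is set, or all three `*_common_name` inputs are set and look like domain names. The "domain-like" test (at least two RFC 1123 hostname labels separated by dots) is an assumption that goes slightly beyond the issue's observation that a word without a `.` fails.

```python
import re

# RFC 1123 hostname label: 1-63 chars, alphanumerics or hyphen, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
COMMON_NAME_INPUTS = ("ca_common_name", "root_common_name", "server_common_name")

# Constructed sample: the issue's minimal Terragrunt inputs, with no `name` and no common names.
REPRO_INPUTS = {
    "client_cidr": "10.0.0.0/16",
    "logging_enabled": False,
    "logging_stream_name": "client-vpn",
    "organization_name": "test-project",
}


def is_domain_like(value):
    """True when value looks like a DNS name with at least two labels.

    A single word such as "testtesttest" is rejected, matching the report that a
    common name without a '.' still fails at CreateClientVpnEndpoint (assumption:
    ACM needs a real-looking domain in the subject, not just any non-empty CN)."""
    if not isinstance(value, str) or not value or len(value) > 253:
        return False
    labels = value.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def validate_client_vpn_inputs(inputs):
    """Return a list of problems; an empty list means the inputs satisfy the rule."""
    problems = []
    # Any explicitly provided common name must be domain-like, regardless of `name`.
    for key in COMMON_NAME_INPUTS:
        value = inputs.get(key)
        if value and not is_domain_like(value):
            problems.append(f"{key}={value!r} is not domain-like (needs at least one '.')")
    # Workaround 1: a non-empty `name` lets the module derive the certificate names.
    name = inputs.get("name")
    if isinstance(name, str) and name.strip():
        return problems
    # Workaround 2: without `name`, every *_common_name input has to be supplied.
    missing = [key for key in COMMON_NAME_INPUTS if not inputs.get(key)]
    if missing:
        problems.append("`name` is unset, so " + ", ".join(missing) + " must be set")
    return problems
```

Run `validate_client_vpn_inputs(...)` on the Terragrunt `inputs` map before `terragrunt apply` to fail fast instead of at the CreateClientVpnEndpoint API call.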

Expected Behavior

Without setting optional inputs, everything goes well and the Client VPN endpoint is created.
Or it is made clear that, among the optional inputs, some group(s) are required.

Steps to Reproduce

  • Terragrunt project
  • create VPC
  • create an AWS Client VPN endpoint using the following configuration:
    dependency "vpc" {
      config_path = "${get_terragrunt_dir()}/../vpc"
    }
    
    terraform {
      source = "tfr:///cloudposse/ec2-client-vpn/aws?version=1.1.0"
    }
    
    inputs = {
      vpc_id                  = dependency.vpc.outputs.vpc_id
      associated_subnets      = dependency.vpc.outputs.private_subnets
      client_cidr             = "10.0.0.0/16"
      logging_enabled         = false
      logging_stream_name     = "client-vpn"
      organization_name       = "test-project"
    }


Environment

No response

Additional Context

No response

Labels: bug (An issue with the system)