gentle-account-13294
12/17/2020, 12:43 AM
easyrsa certificates and keys, said that I have to:
• download the VPN config from the Web console
• Modify the config to add path to the cert and key
• https://prasaddomala.com/2020/04/02/aws-client-vpn-setup-private-access-across-aws-accounts-and-vpcs/
So I tried to dump the cert and key generated using…
```python
import pulumi_aws as aws
import pulumi_tls as tls

# one year
VALID_HOURS = 24 * 365
# read the CA cert obtained from running
# ./easyrsa init-pki && ./easyrsa build-ca nopass
# (read here but not used further down)
with open("ca_encoded.pem", "r") as ca_crt:
    ca_crt_chain = ca_crt.read().replace("\n", " ")
# TODO: check if we can use this instead of using easy rsa
test_vpn_private_key = tls.PrivateKey("test_vpn", algorithm="RSA")
test_vpn_self_signed_cert = tls.SelfSignedCert(
    "test_vpnSelfSignedCert",
    key_algorithm="RSA",
    private_key_pem=test_vpn_private_key.private_key_pem,
    subjects=[
        tls.SelfSignedCertSubjectArgs(
            common_name="test_vpn.com",
            organization="Valo Health",
        )
    ],
    validity_period_hours=VALID_HOURS,
    # SAN entries and the CA flag are their own arguments on SelfSignedCert,
    # not key-usage values, so they must not go into allowed_uses
    dns_names=["test_vpn.com"],
    is_ca_certificate=True,
    allowed_uses=[
        "key_encipherment",
        "digital_signature",
        "server_auth",
    ],
)
cert_test_vpn = aws.acm.Certificate(
    "test_vpn",
    private_key=test_vpn_private_key.private_key_pem,
    certificate_body=test_vpn_self_signed_cert.cert_pem,
    # a self-signed cert has no issuer above it, so the "chain" is the cert itself
    certificate_chain=test_vpn_self_signed_cert.cert_pem,
)
```
but the certificate chain is not what it should be…
```python
# store the valo user public key, private key and cert
def write_file(filename: str):
    file = filename

    # callback passed to Output.apply; runs once the Output has resolved
    def partial_fun(data: str):
        with open(f"{file}", "w+") as file_obj:
            file_obj.write(data)

    return partial_fun


test_vpn_private_key.private_key_pem.apply(func=write_file(filename="test_key_private.pem"))
test_vpn_private_key.public_key_pem.apply(func=write_file(filename="test_key_public.pem"))
test_vpn_self_signed_cert.cert_pem.apply(func=write_file(filename="test_key_cert.pem"))
```
gentle-diamond-70147
12/17/2020, 11:45 PM
but the certificate chain is not what it should be…

gifted-vase-28337
12/18/2020, 10:19 PM

gentle-account-13294
12/22/2020, 7:32 PM
pulumi-tls library. I can see that the pem file that is saved for the test_vpn_self_signed_cert does not have the certificate chain. Hence I didn't want to spend time with this approach.
I got VPN to work by:
• use the easy-rsa github repo
• create the certs
• upload the certs to AWS certificate manager.
• NOTE: @gentle-diamond-70147 this I think has a bug in pulumi (or I'm not using the API correctly)… using the Pulumi API to upload the certs generated by easy-rsa does not work, gives a validation error. However the same thing works with using AWS CLI aws acm import-certificate
• then configure rest of the VPN with pulumi

gentle-diamond-70147
12/22/2020, 7:34 PM

gentle-account-13294
12/22/2020, 7:35 PM

gentle-diamond-70147
12/22/2020, 7:46 PM
dnsName output and couple other properties from the endpoint.

gentle-account-13294
12/22/2020, 7:47 PM
cvpn-endpoint-123456789123abcde
dns_name
easy-rsa
+ bash