Why do I see a "certificate not found" error when I provision my client-to-site VPN?

The vpn_server_certificate_not_found error occurs either because the service‑to‑service authorization is missing, even though the certificate exists, or because an incorrect certificate CRN was provided during provisioning.

When you create a client‑to‑site VPN server by using the API, CLI, or Terraform, the VPN creation fails and returns the following error:

"code": "vpn_server_certificate_not_found",

"message": "The certificate could not be found. Please try again with a correct certificate CRN."

The VPN service requires explicit authorization to read certificates from Secrets Manager. If this authorization is missing, Secrets Manager blocks access, and the VPN service reports the certificate as not found. Similarly, if an invalid or incorrect certificate CRN is specified, the VPN service cannot locate the certificate and returns the same error.

Follow these steps to resolve the issue:

  1. Verify that the certificate CRN is correct and that the certificate exists in IBM Cloud Secrets Manager.
  2. From your browser, open the IBM Cloud console and log in to your account.
  3. Create an IAM service-to-service authorization. For more information, see Creating an IAM service-to-service authorization.
  4. After you create the authorization, the VPN service can access the certificate in Secrets Manager, and the VPN provisioning completes successfully.
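
Because both causes return the same error code, a local structural check of the CRN can rule out a malformed value before you look at authorization. The following Python sketch is an added example, not IBM tooling: the function names and the sample CRNs are constructed, and it assumes the standard 10-segment CRN layout with a `secret` resource type for Secrets Manager secrets.

```python
# Added example: structural pre-flight check of a certificate CRN.
# It does not contact IBM Cloud; it only inspects the string.
CRN_FIELDS = ("prefix", "version", "cname", "ctype", "service_name",
              "location", "scope", "service_instance", "resource_type", "resource")

def parse_crn(crn):
    """Split a CRN into its named segments (assumed 10-segment layout)."""
    parts = crn.strip().split(":")
    if len(parts) != len(CRN_FIELDS):
        raise ValueError(
            f"expected {len(CRN_FIELDS)} colon-separated segments, got {len(parts)}")
    return dict(zip(CRN_FIELDS, parts))

def check_certificate_crn(crn):
    """Return a list of problems; an empty list means the CRN is well formed."""
    try:
        f = parse_crn(crn)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if f["prefix"] != "crn":
        problems.append("does not start with 'crn:'")
    if f["service_name"] != "secrets-manager":
        problems.append(f"service is '{f['service_name']}', not 'secrets-manager'")
    if not f["service_instance"]:
        problems.append("no Secrets Manager instance ID")
    if f["resource_type"] != "secret" or not f["resource"]:
        problems.append("does not identify a secret "
                        "(instance CRN used instead of the certificate CRN?)")
    return problems

def triage(crn):
    """Map the check result to the troubleshooting step to take next."""
    problems = check_certificate_crn(crn)
    if problems:
        return "fix-crn", problems
    return "check-existence-and-authorization", []

# Constructed sample values, not real account, instance, or secret IDs.
ACCOUNT = "a/00000000000000000000000000000000"
INSTANCE_ID = "11111111-1111-1111-1111-111111111111"
BASE = f"crn:v1:bluemix:public:secrets-manager:us-south:{ACCOUNT}:{INSTANCE_ID}"
GOOD_CRN = BASE + ":secret:22222222-2222-2222-2222-222222222222"
INSTANCE_CRN = BASE + "::"        # instance CRN pasted by mistake
TRUNCATED_CRN = BASE + ":secret"  # lost its last segment when copied

if __name__ == "__main__":
    for sample in (GOOD_CRN, INSTANCE_CRN, TRUNCATED_CRN):
        print(triage(sample))
```

A `fix-crn` result points to step 1. A well-formed CRN still has to exist in Secrets Manager, and if it does, the missing authorization in step 3 is the remaining cause.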