8

I've got an OpenVPN AS running (on Ubuntu) and I am trying to set up SSL certs from letsencrypt.

I've managed to get my certificates from letsencrypt (using letsencrypt standalone) and I was hoping to make a symlink to the certificates in the OpenVPN SSL configuration. However, when I looked in /usr/local/openvpn_as/etc/web-ssl, the files there differ from what is in my /live/domain/cert.pem etc.

Does anyone know how I can get my openvpn as instance serving letsencrypt certificates?

EDIT: ls -l of directories

openvpnas@openvpnas2:/usr/local/openvpn_as/etc/web-ssl$ ls -l
total 16
-rw-r--r-- 1 root root 1111 Mar 10 13:30 ca.crt
-rw------- 1 root root 1708 Mar 10 13:30 ca.key
-rw-r--r-- 1 root root 1078 Mar 10 13:30 server.crt
-rw------- 1 root root 1704 Mar 10 13:30 server.key
root@openvpnas2:/etc/letsencrypt/live/my.domain# ls -l
total 0
lrwxrwxrwx 1 root root 37 Mar 10 19:03 cert.pem -> ../../archive/my.domain/cert1.pem
lrwxrwxrwx 1 root root 38 Mar 10 19:03 chain.pem -> ../../archive/my.domain/chain1.pem
lrwxrwxrwx 1 root root 42 Mar 10 19:03 fullchain.pem -> ../../archive/my.domain/fullchain1.pem
lrwxrwxrwx 1 root root 40 Mar 10 19:03 privkey.pem -> ../../archive/domain/privkey1.pem
Ben Flowers
  • I've no idea what the difference between your two directories is (perhaps you should paste the contents of an `ls -l` for both of the directories), but you probably just want to symlink the certificates themselves, not the entire directory. – Mark Henderson Mar 10 '16 at 22:09

4 Answers

12

In order to use letsencrypt certificates on the openvpnas you need to have the following symlinks:

/usr/local/openvpn_as/etc/web-ssl/ca.crt -> /etc/letsencrypt/live/my.domain/fullchain.pem
/usr/local/openvpn_as/etc/web-ssl/server.crt -> /etc/letsencrypt/live/my.domain/cert.pem
/usr/local/openvpn_as/etc/web-ssl/server.key -> /etc/letsencrypt/live/my.domain/privkey.pem
030
Ben Flowers
5

Tried using Ben Flowers's answer (symlinking the PEM files in the OpenVPN config folder to the Let's Encrypt certificates) without luck, until I saw this in the OpenVPN documentation:

. . . if you have a self-signed certificate, or any certificate, stored in the configuration database, then the files in the web-ssl directory are ignored.

This can happen if you manually uploaded a certificate from the web UI. I deleted the manually uploaded certificates using the steps below (found on the same documentation page), and the Let's Encrypt certificates became active.

cd /usr/local/openvpn_as/scripts/
./sacli --key "cs.priv_key" ConfigDel
./sacli --key "cs.ca_bundle" ConfigDel
./sacli --key "cs.cert" ConfigDel
./sacli start
EK0
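As an added example that ties the two answers above together (the symlink layout from the accepted answer and the configuration-database cleanup from this one), not code from either author or from OpenVPN: a certbot deploy hook that links web-ssl into the Let's Encrypt lineage, verifies the links, and then runs the sacli steps. The install path, the `RUN_HOOK` guard, the `.orig` backup names and the fallback lineage path are assumptions; `RENEWED_LINEAGE` is the variable certbot exports to deploy hooks.

```shell
#!/bin/sh
# Constructed example (not from OpenVPN AS, certbot or either answer): certbot deploy
# hook applying the first answer's symlinks, then the second answer's sacli steps.
set -eu

AS_ROOT="${AS_ROOT:-/usr/local/openvpn_as}"          # assumption: default install path
LINEAGE="${RENEWED_LINEAGE:-/etc/letsencrypt/live/my.domain}"  # certbot sets RENEWED_LINEAGE
# web-ssl name:Let's Encrypt file, exactly as listed in the accepted answer.
PAIRS="ca.crt:fullchain.pem server.crt:cert.pem server.key:privkey.pem"

# link_web_ssl DIR LINEAGE: point each web-ssl file at LINEAGE, keeping a .orig copy
# of any regular file it displaces (the stock self-signed cert and key).
link_web_ssl() {
    dir=$1; lineage=$2
    for pair in $PAIRS; do
        name=${pair%%:*}; src=${pair#*:}
        if [ ! -r "$lineage/$src" ]; then
            echo "link_web_ssl: missing $lineage/$src" >&2; return 1
        fi
        if [ -e "$dir/$name" ] && [ ! -L "$dir/$name" ]; then
            mv "$dir/$name" "$dir/$name.orig"
        fi
        ln -sfn "$lineage/$src" "$dir/$name"
    done
}

# check_web_ssl DIR LINEAGE: succeed only if all three entries are links into LINEAGE.
check_web_ssl() {
    dir=$1; lineage=$2
    for pair in $PAIRS; do
        name=${pair%%:*}; src=${pair#*:}
        [ "$(readlink "$dir/$name" 2>/dev/null || true)" = "$lineage/$src" ] || return 1
    done
}

# clear_db_certs: the second answer's steps; a certificate stored in the configuration
# database makes the Access Server ignore web-ssl entirely, so remove it after linking.
clear_db_certs() {
    cd "$AS_ROOT/scripts"
    for key in cs.priv_key cs.ca_bundle cs.cert; do
        ./sacli --key "$key" ConfigDel
    done
    ./sacli start
}

# Only act when invoked as the hook (RUN_HOOK=1); otherwise just define the functions.
if [ "${RUN_HOOK:-0}" = 1 ]; then
    link_web_ssl "$AS_ROOT/etc/web-ssl" "$LINEAGE"
    clear_db_certs
fi
```

Run it as `RUN_HOOK=1 sh hook.sh` from certbot's `--deploy-hook`, or source it and call `check_web_ssl` alone to confirm the Access Server is actually serving the Let's Encrypt files.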
4

Please do not use a public CA for OpenVPN. There is no need to trust an external party with your VPN network traffic.

Just create your own CA, with e.g. easy-rsa.

030
Steffan Karger
  • Plus, with a 90-day-lifetime, you'd be switching client certificates all the time. Automate that! – Hank Nov 15 '16 at 08:14
  • I'm not really familiar with *OpenVPN AS* specifically, but the paths in the question containing `web-ssl` make me think this is not about the server and client certs for openvpn itself. – Håkan Lindqvist Dec 03 '16 at 12:11
  • How does using a public CA constitute "trusting an external party with your VPN network traffic"? They just sign the certificate. – Sven Slootweg Jul 10 '17 at 14:29
  • Also, it seems there is confusion between VPN network traffic and OpenVPN Access Server. Don't we want to have a public CA signed certificate protect OpenVPN Access Server? This is standard web traffic and should be encrypted. – Peter P. Jan 24 '19 at 21:41
1

I just found this great script that makes it completely painless.

Running this script in crontab will keep you renewed forever.

https://gist.github.com/mkubenka/109d853cee9556fa37cbc55958a2c3d5

  • In case that gist goes away, the original source is https://www.sideras.net/lets-encrypt-https-certificates-for-openvpn-as-access-server/ – hsmiths Dec 04 '16 at 19:52