
Using Let's Encrypt with OpenVPN

Basically, follow the instructions to install certbot for Ubuntu from Certbot (eff.org).

Note that it uses snap to install certbot, not some bespoke apt repo.

There are only two things you need to worry about, because snapd is already installed as part of the OpenVPN / Ubuntu image:

 

Install Certbot

sudo snap install --classic certbot

Create a symbolic link

sudo ln -s /snap/bin/certbot /usr/bin/certbot

This is where we depart from the normal process and create the Let's Encrypt certs.

Run the following command and follow the prompts:

sudo certbot certonly --standalone --preferred-challenges http -d vpnserver.yourdomain.com

Finally, install the certificates via the OpenVPN Access Server admin web interface.

 

Automation

 

I haven't tried this myself, but you should be able to automate this by creating a file with the following (remember to chmod it with +x):

#!/bin/bash
# Renew any certificate that is due (certbot only renews when expiry is near)
certbot renew --standalone
sleep 1m
# Push the renewed private key and full chain into Access Server, then restart it
/usr/local/openvpn_as/scripts/sacli --key "cs.priv_key" --value_file "/etc/letsencrypt/live/vpnserver.yourdomain.com/privkey.pem" ConfigPut
/usr/local/openvpn_as/scripts/sacli --key "cs.cert" --value_file "/etc/letsencrypt/live/vpnserver.yourdomain.com/fullchain.pem" ConfigPut
/usr/local/openvpn_as/scripts/sacli start

 

and set it up as a cron job to run every second month, i.e.:

0 0 1 */2 * /usr/local/sbin/letsencryptrenewal.sh
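The same automation as a certbot deploy hook, added here as an example that is not part of the original post: certbot runs a deploy hook only after a renewal actually succeeded and exports RENEWED_LINEAGE (the /etc/letsencrypt/live/<name> directory), so the sleep and the bimonthly cron guess go away, and the hook refuses to push a key and chain that do not belong together. Assumed: the sacli path used above, the openssl CLI installed, and SACLI overridable (e.g. SACLI=echo) for a dry run.

```shell
#!/bin/bash
# Added example, not from the original post: certbot --deploy-hook that
# installs a renewed certificate into OpenVPN Access Server. certbot runs
# deploy hooks only after a successful renewal and exports RENEWED_LINEAGE
# (the /etc/letsencrypt/live/<name> directory), so no sleep or cron guess.
# Assumptions: sacli path as in the post; SACLI may be overridden (e.g.
# SACLI=echo) for a dry run; the openssl CLI is installed.
set -eu

SACLI="${SACLI:-/usr/local/openvpn_as/scripts/sacli}"

# Succeeds only if privkey.pem and fullchain.pem in $1 share one public key,
# so a half-written or wrong lineage never replaces a working pair.
cert_matches_key() {
    local dir="$1" key_pub cert_pub
    key_pub=$(openssl pkey -in "$dir/privkey.pem" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$dir/fullchain.pem" -pubkey -noout 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# Succeeds only if the leaf certificate in $1 is still valid $2 seconds from now.
cert_valid_for() {
    openssl x509 -in "$1/fullchain.pem" -noout -checkend "$2" >/dev/null 2>&1
}

# Push key and chain into Access Server and restart it. Touches nothing and
# returns 1 if the lineage fails either check above.
install_lineage() {
    local dir="$1"
    cert_matches_key "$dir" || { echo "key/cert mismatch in $dir" >&2; return 1; }
    cert_valid_for "$dir" 86400 || { echo "cert in $dir expires within a day" >&2; return 1; }
    "$SACLI" --key "cs.priv_key" --value_file "$dir/privkey.pem" ConfigPut
    "$SACLI" --key "cs.cert" --value_file "$dir/fullchain.pem" ConfigPut
    "$SACLI" start
}

# Under certbot RENEWED_LINEAGE is set; when run by hand just explain usage.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_lineage "$RENEWED_LINEAGE"
else
    echo "usage: certbot renew --deploy-hook $0   (RENEWED_LINEAGE not set)" >&2
fi
```

Placed in /etc/letsencrypt/renewal-hooks/deploy/ the script runs on every successful renewal, including those triggered by the snap's own renewal timer, so the separate bimonthly cron entry is not needed.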

 

Tricks to know

1) Certbot makes a file available for pickup by the validation process, so you need to make sure that port 80 is open for this validation to occur.

2) When you installed OpenVPN, the server CN is likely different from what you want it to be; update it from:

  • Configuration 
  • Network Settings
  • Hostname or IP Address    

 
