Let's encrypt Certificate on OpenVPN 2.9.3

[ioannis]

Hi All,

I am having some difficulties with my OpenVPN server and I would appreciate it if anyone could help me.

I was using OpenVPN version 2.8.8. and now I update it to 2.9.3.
I had installed "Let's Encrypt" certificate which is replaced by OpenVPN default certificate.
Now when I open Web GUI, the browser informs me the the certificate issuer is not trusted.

Fortunately, I have snapshot of OpenVPN 2.8.8, so going back if any information needed is an option.
Could someone help me on how to apply "Let's Encrypt" certificate on OpenVPN 2.9.3?

Thank you in advance,
Ioannis

[openvpn_inc]

Hello ioannis,

You need a script that loads your Let's Encrypt certificates into the Access Server configuration database. These commands should serve as an example:

Code: Select all

/usr/local/openvpn_as/scripts/sacli --key "cs.priv_key" --value_file "/etc/letsencrypt/live/blabla.com/privkey.pem" ConfigPut
/usr/local/openvpn_as/scripts/sacli --key "cs.cert" --value_file "/etc/letsencrypt/live/blabla.com/cert.pem" ConfigPut
/usr/local/openvpn_as/scripts/sacli --key "cs.ca_bundle" --value_file "/etc/letsencrypt/live/blabla.com/chain.pem" ConfigPut
/usr/local/openvpn_as/scripts/sacli start

Note that if the certificate is loaded but it doesn't show as trusted, that you need to figure out what you're missing to making that trust complete successfully.

Kind regards,
Johan

[ioannis]

Thank you openvpn_inc,

Running these commands did the trick.
Now I would like to run these commands (and a few more) after certification renewal in order to apply new certificate.
When I first created the certificate, I used;
sudo certbot certonly --post-hook 'sudo service openvpnas start'.........
Now how do I add these commands to post-hook?

[openvpn_inc]

Hello ioannis,

Simply create a bash script file that contains all the necessary commands to load the certificates into Access Server and then reload Access Server with sacli start, just like in the sample code I gave you, and then call that script as post-hook from certbot. Sacli start is by the way enough to reload changed web certificates.

Kind regards,
Johan

[ioannis]

ok!
Thank you very much for your assistance!

[Danran]

Hi All,

I am having some difficulties with my OpenVPN server and I would appreciate it if anyone could help me.

I was using OpenVPN version 2.8.8. and now I update it to 2.9.3.
I had installed "Let's Encrypt" certificate which is replaced by OpenVPN default certificate.
Now when I open Web GUI, the browser informs me the the certificate issuer is not trusted.

Fortunately, I have snapshot of OpenVPN 2.8.8, so going back if any information needed is an option.
Could someone help me on how to apply "Let's Encrypt" certificate on OpenVPN 2.9.3?

Thank you in advance,
Ioannis

As far as I know, Openvpn access server comes installed with self-signed certificates. Which raises the question, HOW DID YOU INSTALL YOUR WEB INTERFACE CERTIFICATES IN THE FIRST PLACE? Very curious why you can't just repeat your initial steps.

[Danran]

ok!
Thank you very much for your assistance!

So others can use this question/answers for reference, would you mind posting the full list of commands and steps you took in order to solve this issue? I am trying to do the exact same thing, but dont even know how to get the initial letsencrypt certificates. So even posting those steps would be of great help! Thanks!

[Danran]

ok!
Thank you very much for your assistance!

Could you take a look at this post (viewtopic.php?f=24&t=32837) and help me fill out the answer by replying about how you solved this issue here in this thread?