How to install a Let's Encrypt certificate on OpenVPN Access Server 2.1.4
Requirement: the server's web interface must be reachable from the internet over https (port 443) under the hostname you want the certificate for.
Log in as root on your OpenVPN Access Server console (directly, over ssh, or however you normally get in).
No root? Prefix each command in the steps below with sudo and a space.
Make sure the system packages are up to date first.
Pre-install (you only need to do this once per server, not once per certificate):
apt-get -y install git bc
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
Create the script letsencrypt-renew.sh in $HOME with the following content (nano is fine as an editor; the #### lines are just separators, you do not need to type them):
/opt/letsencrypt/letsencrypt-auto certonly -c /etc/letsencrypt/vpn.server.com.ini
Create vpn.server.com.ini in /etc/letsencrypt with the following content (nano is fine as an editor; you do not need to type the ###'s). The file name must match the -c path in the script above:
rsa-key-size = 4096
email = firstname.lastname@example.org
domains = vpn.server.com
authenticator = standalone
standalone-supported-challenges = tls-sni-01
agree-tos = True
keep-until-expiring = True
Use your own e-mail address; Let's Encrypt sends expiry warnings there. The option is rsa-key-size (4096 bits is the maximum the client accepts). Note: Let's Encrypt has since withdrawn the tls-sni-01 challenge; with a current client drop the standalone-supported-challenges line and let the standalone authenticator answer the http-01 challenge instead, which means port 80 (not 443) has to be reachable from the internet.
--Little sudden brainfart faq--
You guessed it: if your server is called freaky.server.tk, replace every vpn.server.com in the files above with freaky.server.tk.
And yes, you can make multiple letsencrypt-renew.sh scripts, each with its own ini file:
one for freaky.server.tk, one for awesome.server.tk, one for amazing.server.tk, and so on.
Totally fine: issue lots of certificates from this one server, just point all the DNS entries at this server's IP. Each domain gets its own /etc/letsencrypt/live/<domain>/ directory.
As long as Let's Encrypt can reach your server on port 443 (https) under the desired domain name, it's all right.
--End of sudden brainfart faq--
Make sure the script letsencrypt-renew.sh is executable:
chmod +x letsencrypt-renew.sh
Run the script.
The first time it runs it downloads and installs a lot of dependencies and prints a lot of output.
Then a nice looking dialog window appears and Let's Encrypt challenges your server:
the Let's Encrypt CA connects to https://vpn.server.com on port 443 and, once the challenge succeeds, the client
writes the PEM certificate files into /etc/letsencrypt/live/vpn.server.com/ (the files there are symlinks to the current versions kept under /etc/letsencrypt/archive/).
fullchain.pem is your certificate followed by the intermediate CA certificate(s) in one file. cert.pem is your site's certificate alone (chain.pem holds only the intermediates).
privkey.pem is the private key. It must be kept secret at all times; never share it with anyone.
You cannot lock it in a safe, however: your server needs to read this file for TLS to work. So keep it owned by root with mode 0600 and copy it only where you really have to.
If people get hold of your privkey.pem they can impersonate your server and, for connections without forward secrecy, decrypt captured traffic. That would suck.
Make a copy of the files in /usr/local/openvpn_as/etc/web-ssl/ into a backup directory, just in case (the directory has to exist first):
mkdir -p /root/keyfiles_bak && cp /usr/local/openvpn_as/etc/web-ssl/* /root/keyfiles_bak/
Now the PEM files need to go into the OpenVPN Access Server web server configuration.
At the moment I have no clue how to do that from the command line, so you need the admin website for this.
Note: there are lots of confdb and "cat the file into the config" solutions on the internet. These DO NOT WORK!
THEY WILL DESTROY YOUR SQL DATABASE AND YOUR OPENVPNAS!! Yes, I have tried every cat and file method there is.
Copy the PEM files to a machine that can reach both the files and the admin website of your VPN server,
for example your laptop with your favourite browser.
You could put them on a samba/smb share (NAS, file server, whatever) that the laptop can reach. Remember that privkey.pem is the secret, though: prefer scp/sftp or a share only you can read, and delete the copies once the upload is done.
Example to copy the PEM files to a samba share (from /etc/letsencrypt/live/vpn.server.com/):
sudo apt-get install smbclient                  (installs a samba client)
smbclient -L [hostname or ip address]           (lists the shares on that host)
smbclient //[hostname or ip address]/[sharename] (opens the share; you get an smb: \> prompt)
put fullchain.pem                               (copies fullchain.pem to the share)
put cert.pem                                    (copies cert.pem to the share)
put privkey.pem                                 (copies privkey.pem to the share)
Open the admin website: https://vpn.server.com/admin
Log in as your admin user (root, openvpn, superuser, whatever you configured) to reach the Web Server configuration page.
Click on Web Server (under the Configuration tab on the left).
Use the Select CA Bundle browse button to upload fullchain.pem.
Use the Select Certificate file browse button to upload cert.pem.
Use the Select Private Key file browse button to upload privkey.pem.
Click on Validate.
If everything is OK, click on Save.
Click on Restart Server (at the top of the web page).
The new key and certificate should now be in use. Check it: reload https://vpn.server.com/ in your browser and compare the expiry date or fingerprint of the certificate it shows with the new cert.pem.
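To tie the steps above together (one ini file per domain as in the FAQ, the certonly run, the backup of the current web-ssl files, and the sanity checks worth doing before you upload anything), here is an added example script. It is not from the original page and not OpenVPN's or Let's Encrypt's own code. It assumes the client at /opt/letsencrypt/letsencrypt-auto and the /etc/letsencrypt/live/<domain>/ layout described above, the /root/keyfiles_bak backup directory from above, and that openssl is installed; the function names and the LE_CLIENT, LE_DIR and AS_SSL_DIR variables are my own. It checks that privkey.pem really belongs to cert.pem, that the new certificate is good for more than 30 days, and prints the certificate's SHA-256 fingerprint so you can compare it with what the browser shows after the restart. The upload itself still happens in the admin website.

```shell
#!/bin/sh
# Added example (not from the original page). Assumptions: the Let's Encrypt
# client is /opt/letsencrypt/letsencrypt-auto and writes to
# /etc/letsencrypt/live/<domain>/ as the page states; openssl is installed.
set -u

LE_CLIENT=${LE_CLIENT:-/opt/letsencrypt/letsencrypt-auto}
LE_DIR=${LE_DIR:-/etc/letsencrypt}
AS_SSL_DIR=${AS_SSL_DIR:-/usr/local/openvpn_as/etc/web-ssl}
BACKUP_ROOT=${BACKUP_ROOT:-/root/keyfiles_bak}

# Write one ini per domain (the FAQ's "one renew script per domain" idea).
# The option is rsa-key-size, not rsa-key. The challenge type is left to the
# client's default: tls-sni-01, used in the page's ini, is no longer offered.
write_ini() {
    domain=$1; email=$2; out=$3
    cat > "$out" <<EOF
rsa-key-size = 4096
email = $email
domains = $domain
authenticator = standalone
agree-tos = True
keep-until-expiring = True
EOF
}

# Does the private key belong to the certificate? Compare SHA-256 digests of
# the DER-encoded public key derived from each file.
key_matches_cert() {
    key=$1; cert=$2
    k=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Exit 0 if the certificate is still valid in $2 days, 1 if it expires before.
cert_valid_for_days() {
    cert=$1; days=$2
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null
}

# SHA-256 fingerprint (AA:BB:...) to compare with the browser's certificate view.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Fingerprint of the certificate the server actually serves on 443
# (needs network; compare with cert_fingerprint after the restart).
served_fingerprint() {
    host=$1
    echo | openssl s_client -servername "$host" -connect "$host:443" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Full flow for one domain: ini, certonly, checks, backup of the currently
# installed web-ssl files. Uploading to the admin website remains manual.
renew_domain() {
    domain=$1; email=$2
    ini=$LE_DIR/$domain.ini
    live=$LE_DIR/live/$domain
    write_ini "$domain" "$email" "$ini"
    "$LE_CLIENT" certonly -c "$ini" || return 1
    key_matches_cert "$live/privkey.pem" "$live/cert.pem" \
        || { echo "privkey.pem does not match cert.pem for $domain" >&2; return 1; }
    cert_valid_for_days "$live/cert.pem" 30 \
        || { echo "new certificate for $domain expires within 30 days" >&2; return 1; }
    bak=$BACKUP_ROOT/$(date +%Y%m%d)
    mkdir -p "$bak" && cp "$AS_SSL_DIR"/* "$bak"/
    echo "new certificate for $domain ready in $live"
    echo "SHA-256 fingerprint to expect in the browser: $(cert_fingerprint "$live/cert.pem")"
}

# Usage: sh renew.sh run vpn.server.com firstname.lastname@example.org
if [ "${1:-}" = "run" ]; then
    renew_domain "$2" "$3"
fi
```

Run it once per domain; after the upload and restart, served_fingerprint vpn.server.com should print the same value the script announced.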
--OPTIONAL STEP 8--
Need a .pfx file for your Microsoft servers? No problem, just convert the PEM files to .pfx:
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out archive.pfx -name "Name for the certificate"
It prompts for an export password; choose a strong one and type it twice. Moments later you have archive.pfx. It bundles the certificate, the chain and the private key, so treat it with the same care as privkey.pem. Copy it to your Windows server and import it there via the IIS manager.
Step 4 and further (running letsencrypt-renew.sh and uploading the new files) need to be repeated every 90 days, because Let's Encrypt certificates are only valid for 90 days. Let's Encrypt recommends renewing after 60 days; thanks to keep-until-expiring = True you can run the script more often (from cron, say) and it only requests a new certificate when the current one is close to expiry.
But hey, they're free!