How to enable Letsencrypt on your OpenVPN Access Server

vbimport

#1

How to install let’s encrypt certificate on OpenVPN Access Server 2.1.4

Requirement: Its website should be accessible via the internet via https (port 443)

–STEP 1–

Log in as root on your OpenVPN Access Server console: (either directly or ssh or whatever)
No root? Type sudo and a space before each command you see in the next steps.

–STEP 2–

Make sure your stuff is up to date:

apt-get update
apt-get upgrade

–STEP 3–

Pre-install: (this means you have to do this one time only per server certificate)

apt-get -y install git bc
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
mkdir /etc/letsencrypt

Make this letsencrypt-renew.sh script and put it in $home: (you can use nano as an editor. You do not need to type the ####'s)

##################################################################################
set -eu

/etc/init.d/openvpnas stop

/opt/letsencrypt/letsencrypt-auto certonly -c /etc/letsencrypt/vpn.server.com.ini

/etc/init.d/openvpnas start
##################################################################################

Make this vpn.server.com.ini and put it in /etc/letsencrypt: (you can use nano as an editor. You do not need to type the ###'s)

##################################################################################
rsa-key = 4096
email = webmaster@server.com

domains = vpn.server.com

authenticator = standalone
standalone-supported-challenges = tls-sni-01

agree-tos = True

keep-until-expiring = True
##################################################################################

–Little sudden brainfart faq–

You guessed it! Is your server named freaky.server.tk? Rename all the vpn.server.com things to freaky.server.tk in the above files.

And yes. You can make multiple letsencrypt-renew.sh scripts!
One for freaky.server.tk, awesome.server.tk, one for amazing.server.tk., and so on.

Totally cool! Make lots of certificates via just this one server! Just point all the dns entries to this servers ip.
As long as letsencrypt can access your server via port 443 (https) on the desired domain name, it’s all right.

–End of sudden brainfart faq–

Make sure the script letsencrypt-renew.sh is executable by doing

chmod +x letsencrypt-renew.sh

–STEP 4–

Run the script

./letsencrypt-renew.sh

The first time it runs it will download/install a ton of programs and display a lot of stuff.
Suddenly a nice looking window appears and LetsEncrypt challenges your server…

The letsencrypt server will connect with your https://vpn.server.com via port 443 and automatically
create the pem certificate files in the folder /etc/letsencrypt/live/vpn.server.com

The fullchain.pem is all the certificates in one big file. The cert.pem is the certificate for your site.

The privkey.pem is the private key. This must be kept secret at all times! Never share it with anyone.
You cannot put it into a safe, however - your server still needs to access this file in order for TLS to work.
If people get a hold on your privkey.pem they can decrypt all your traffic. That would suck.

–STEP 5–

Make a copy of the files in /usr/local/openvpn_as/etc/web-ssl/ into a backup directory, just in case:
mkdir /root/keyfiles_bak
cp /usr/local/openvpn_as/etc/web-ssl/* /root/keyfiles_bak

–STEP 6–

Now you need to get those pem files into the OpenVPN Access Server website.

At the moment I have no clue how to do that via a command line, so you need the website for this.
Note: There are lots of confdb and file cat stuff solutions on the internet. These DO NOT WORK!
THEY WILL DESTROY YOUR SQL DATABASE AND YOUR OPENVPNAS!! Yes, I have tried every cat and file method there is.

You should copy the pem files to some device where you can access them AND access the admin website of your vpn server.
You could use your favorite browser on your laptop to access the website.
You could use a samba/smb share (nas, share, whatever) to put the pem files. As long as that laptop can access them it’s ok.

Example to copy the pem files to a samba share:

sudo apt-get install smbclient                      # installs the samba client
cd /etc/letsencrypt/live/vpn.server.com
smbclient -L [hostname or ip address]               # lists your shares
smbclient //[hostname or ip address]/[sharename]    # opens your share (interactive smb: \> prompt)
put fullchain.pem                                   # at the smb: \> prompt: copies fullchain.pem to your share
put cert.pem                                        # copies cert.pem to your share
put privkey.pem                                     # copies privkey.pem to your share

–STEP 7–

Open the website via https://vpn.openvpn.com/admin
Login as your root/admin/superuser/whatever to open the WebServer Configuration webpage.
Click on Web Server (under the Configuration tab on the left)

Upload the fullchain.pem in the Select CA Bundle browse button.
Upload the cert.pem in the Select Certificate file browse button.
Upload the privkey.pem in the Select Private Key file browse button.

Click on validate.

If everything is ok, click on save
Click on restart server (on the top of the webpage).

The new key and certificate should now be in use.

–OPTIONAL STEP 8–

You need a pfx file for your Microsoft servers? No problemo. Just convert them pem files to .pfx

openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out archive.pfx -name "Name for the certificate"

It will prompt you for a password. Type in a nice super uncrackable password two times. Moments later you have a pfx file called archive.pfx. Send this to your server. Make sure you import the certificate via the IIS manager!

Step 4 and further need to be executed every 90 days. Letsencrypt certificates are only valid for 90 days.

But hey… they’re free! :slight_smile:
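Before uploading the three files from step 4 into the web UI in step 7, it is worth checking that cert.pem and privkey.pem actually belong together (a mismatched pair is what makes the validate button fail), that the private key is not world-readable before it is copied to a share, and how many of the 90 days are left. The script below is an added example, not code from the post; it assumes OpenSSL and GNU coreutils/date (Debian/Ubuntu, as the apt-get commands imply) and uses the /etc/letsencrypt/live/vpn.server.com path from the post, overridable through the LIVE variable.

```shell
#!/bin/sh
# Added example (not from the original post): pre-upload checks for the files
# created in step 4 before they go into the Access Server web UI in step 7.
# Assumes OpenSSL and GNU coreutils/date (Debian/Ubuntu).
set -eu

# Directory the post names; override with LIVE=/etc/letsencrypt/live/other.tld
LIVE=${LIVE:-/etc/letsencrypt/live/vpn.server.com}

# Succeeds when cert.pem ($1) and privkey.pem ($2) belong together: the public
# key embedded in the certificate must equal the public half of the private key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Whole days until the certificate's notAfter date (Let's Encrypt issues 90-day certs).
days_until_expiry() {
    not_after=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    end=$(date -d "$not_after" +%s)   # GNU date
    now=$(date +%s)
    echo $(( (end - now) / 86400 ))
}

# Succeeds when fewer than $2 days remain (default 30), i.e. time to rerun step 4.
renewal_due() {
    threshold=${2:-30}
    [ "$(days_until_expiry "$1")" -lt "$threshold" ]
}

# Succeeds when the private key is readable by its owner only (mode 600 or 400).
key_is_private() {
    mode=$(stat -c %a "$1")           # GNU stat
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Usage: ./check-certs.sh run   (set LIVE=... for another domain)
main() {
    key_matches_cert "$LIVE/cert.pem" "$LIVE/privkey.pem" || { echo "cert/key mismatch" >&2; exit 1; }
    echo "key matches certificate"
    key_is_private "$LIVE/privkey.pem" || echo "warning: privkey.pem is readable by others" >&2
    echo "days until expiry: $(days_until_expiry "$LIVE/cert.pem")"
    if renewal_due "$LIVE/cert.pem"; then echo "renewal due: rerun step 4"; fi
}

case "${1:-}" in run) main ;; esac
```

Run it as root on the Access Server host right after step 4; if it reports a mismatch, the cert and key came from different letsencrypt-auto runs and should not be uploaded.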


#2

Small update:

It’s been almost 90 days since I made my certificates and I got a nice email from the LetsEncrypt servers that the ssl certificates were going to expire.

So to test the procedure once more I just updated my LetsEncrypt certificates. After some automatic updating of the certbot everything went smooth. The above procedure still works perfectly.


#3

2nd small update. Still works like described. :slight_smile:


#4

At the moment I’m testing the setup as described right here:


#5

Well, it took a lot of time studying crontab, cronjob and stuff like that, but it seems the automated certbot WORKS! Woohoo!

For some other certificates I needed to make a DNS entry (dns handshake challenge), but after a LOT of discussion with my domain name registrar I finally succeeded.

If anyone is interested in the cronjobs and the scripts I made I will gladly post them. Just ask. :slight_smile:


#6

Letsencrypt has been evolving a lot. So has my knowledge and research.

Letsencrypt can now issue free wildcard ssl certificates! And so can my OpenVPN appliance.

Screw all of the above postings. Here’s the new superb easy way thanks to CloudFlare and the awesome coder Neilpang.

One time actions:

Just get your openvpn appliance, host it wherever you want, purchase a domain name and point some record (vpn.domain.com or something) to your hosted appliance.

Then get a free account at cloudflare.com and make cloudflare do the dns of your domain name.
Install acme.sh on your appliance

After that use this documentation to get a wildcard certificate for your domain name via the cloudflare api. ALL your subdomains now have a valid SSL certificate.

Then create the symlinks:

sudo ln -s -f /wherever you put .acme.sh folder/.domain/.domain.cer /usr/local/openvpn_as/etc/web-ssl/server.crt

sudo ln -s -f /wherever you put .acme.sh folder/.domain/.domain.key /usr/local/openvpn_as/etc/web-ssl/server.key


Yup, all of them are one time actions. The .acme.sh script already made a cronjob for you!
All is fully automated. All is well. All has ssl certificate.

P.S. : If you want to create a certificate on the root of your domain, you should not use a wildcard certificate, but a normal certificate. *.domain.com is not the same as domain.com


#7

So I was after a simple https cert for my openvpnas server -

not even the certs for user vpns… just a cert for the webserver…
however my server is behind Cloudflare
has been running for years on deb 6 “squeeze” appliance I setup years ago from OpenvpnAS

so started to upgrade to get current first was still on 2.1.20 ish I think…

  • Upgrade from Deb 6 x64 to Deb 7
  • Upgrade from Deb 7 to Deb 8
  • Upgrade from Deb 8 to Deb 9
  • verify all still working and operational… interesting VPN still working and web was still running… crazy!
  • update to 2.5.2 version - had to reboot but working again and still running
  • Install LE - but with Cloudflare plugin support vs standard… why?!? because my vpn operates on https://vpn.domain.com:943 instead of 443
    Which means I had to use a DNS Plugin in order to obtain a free cert
    (also can get wildcards - very nice!)
    Here are the commands in Deb 9 that I used to install LE with CF Support from a fairly clean upgrade
    added backports to the sources.list… forgot that link but can google it later.

cobbled from this post about ispconfig

apt-get -t stretch-backports install python3 python3-acme python3-certbot python3-cloudflare python3-certbot-dns-cloudflare python3-mock python3-pkg-resources python3-zope.interface

now it will support DNS validation - this specifically via cloudflare but other plugins are also supported via this method

was able to use first method to get the keys over to right place…

/opt/letsencrypt/letsencrypt-auto certonly -c /etc/letsencrypt/vpn.server.com.ini

DOMAIN=vpn.server.com   # the name used in the .ini above; confdba reads the files from this live/ directory

/usr/local/openvpn_as/scripts/confdba -mk cs.ca_bundle -v "`cat /etc/letsencrypt/live/$DOMAIN/fullchain.pem`"

/usr/local/openvpn_as/scripts/confdba -mk cs.priv_key -v "`cat /etc/letsencrypt/live/$DOMAIN/privkey.pem`" > /dev/null

/usr/local/openvpn_as/scripts/confdba -mk cs.cert -v "`cat /etc/letsencrypt/live/$DOMAIN/cert.pem`"

so from there stop restart server might have worked - but I just went into the webserver management of the AS https://vpn.server.com:943/admin

webserver > clicked validate at the bottom and then saw correct cert was loaded and hit save…

what I don’t have is the right script to get it run correctly on cron and check for updated files via md5 check and script to run the update in the future automatically…


looks close but - really need a more elegant way since I’m already getting the cert and just need to make sure cron is checking and get that set right… then the script should only move new certs and restart services when a new cert is pulled / updated…~check every day for updates possibly -
will have to look at some others…

Reason for using python version is it supports the certbot – plugins and they are available …
standard version doesn’t support plugins … and backports had them which was nice…

Allowing LE over non-standard ports.
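The cron script this post is asking for, as an added example (not code from anyone in the thread): it records a checksum of the live cert.pem and only re-imports the three files and restarts the service when that checksum changes, so a daily cron run is harmless on the 89 days nothing happened. It reuses the confdba calls and the /etc/init.d/openvpnas service from the thread; DOMAIN, the state directory and the cron line are assumptions, and sha256sum stands in for the md5 check mentioned above. Post #1 reports the confdba method broke their install while this post reports it working on 2.5.2, so take the step 5 backup of web-ssl before the first run.

```shell
#!/bin/sh
# Added example (not from the thread): deploy a renewed Let's Encrypt cert into
# OpenVPN Access Server only when the cert file actually changed.
# Assumptions: DOMAIN, STATE_DIR, and a cron entry such as
#   0 3 * * * /root/deploy-cert.sh run
set -eu

DOMAIN=${DOMAIN:-vpn.server.com}
LIVE=/etc/letsencrypt/live/$DOMAIN
STATE_DIR=${STATE_DIR:-/var/lib/openvpnas-cert-deploy}
CONFDBA=/usr/local/openvpn_as/scripts/confdba

# Hex digest of a file; sha256 used instead of md5, same purpose.
file_digest() { sha256sum "$1" | cut -d' ' -f1; }

# Returns 0 (changed) when the digest of $1 differs from the one stored in $2
# and records the new digest; returns 1 (unchanged) otherwise.
cert_changed() {
    new=$(file_digest "$1")
    old=$(cat "$2" 2>/dev/null || true)
    if [ "$new" = "$old" ]; then
        return 1
    fi
    echo "$new" > "$2"
    return 0
}

# Import the three PEM files with the confdba calls from the thread, then restart.
deploy() {
    "$CONFDBA" -mk cs.ca_bundle -v "$(cat "$LIVE/fullchain.pem")"
    "$CONFDBA" -mk cs.priv_key -v "$(cat "$LIVE/privkey.pem")" > /dev/null
    "$CONFDBA" -mk cs.cert -v "$(cat "$LIVE/cert.pem")"
    /etc/init.d/openvpnas restart
}

main() {
    mkdir -p "$STATE_DIR"
    if cert_changed "$LIVE/cert.pem" "$STATE_DIR/cert.sha256"; then
        echo "new certificate for $DOMAIN found, deploying"
        deploy
    else
        echo "certificate for $DOMAIN unchanged, nothing to do"
    fi
}

case "${1:-}" in run) main ;; esac
```

Because the digest is written before deploy runs, a failed deploy is not retried automatically; delete the state file to force a re-import on the next run.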