Let's Encrypt OpenVPN AS

I've got an OpenVPN AS running and I am trying to set up SSL certs (running Ubuntu) from letsencrypt.

I've managed to get my certificates from letsencrypt (using letsencrypt standalone) and I was hoping to make a symlink to the certificates in the OpenVPN SSL configuration. However, when I looked in /usr/local/openvpn_as/etc/web-ssl it differs from what is in my /live/domain/cert.pem etc...

Does anyone know how I can get my openvpn as instance serving letsencrypt certificates?

EDIT: ls -l of directories

openvpnas@openvpnas2:/usr/local/openvpn_as/etc/web-ssl$ ls -l
total 16
-rw-r--r-- 1 root root 1111 Mar 10 13:30 ca.crt
-rw------- 1 root root 1708 Mar 10 13:30 ca.key
-rw-r--r-- 1 root root 1078 Mar 10 13:30 server.crt
-rw------- 1 root root 1704 Mar 10 13:30 server.key
root@openvpnas2:/etc/letsencrypt/live/my.domain# ls -l
total 0
lrwxrwxrwx 1 root root 37 Mar 10 19:03 cert.pem -> ../../archive/my.domain/cert1.pem
lrwxrwxrwx 1 root root 38 Mar 10 19:03 chain.pem -> ../../archive/my.domain/chain1.pem
lrwxrwxrwx 1 root root 42 Mar 10 19:03 fullchain.pem -> ../../archive/my.domain/fullchain1.pem
lrwxrwxrwx 1 root root 40 Mar 10 19:03 privkey.pem -> ../../archive/domain/privkey1.pem

Solution 1:

In order to use letsencrypt certificates on the openvpnas you need to have the following symlinks:

/usr/local/openvpn_as/etc/web-ssl/ca.crt -> /etc/letsencrypt/live/my.domain/fullchain.pem
/usr/local/openvpn_as/etc/web-ssl/server.crt -> /etc/letsencrypt/live/my.domain/cert.pem
/usr/local/openvpn_as/etc/web-ssl/server.key -> /etc/letsencrypt/live/my.domain/privkey.pem

Solution 2:

Tried using Ben Flowers's answer (symlinking the PEM files in the OpenVPN config folder to the Let's Encrypt certificates) without luck, until I saw this in the OpenVPN documentation:

. . . if you have a self-signed certificate, or any certificate, stored in the configuration database, then the files in the web-ssl directory are ignored.

This can happen if you manually uploaded a certificate from the web UI. I deleted the manually uploaded certificates using the steps below (found on the same documentation page), and the Let's Encrypt certificates became active.

cd /usr/local/openvpn_as/scripts/
./sacli --key "cs.priv_key" ConfigDel
./sacli --key "cs.ca_bundle" ConfigDel
./sacli --key "cs.cert" ConfigDel
./sacli start
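
Putting Solutions 1 and 2 together, here is an added example (not code from the thread or from OpenVPN) of a certbot deploy hook that creates the three symlinks, clears the config-database certificates that would otherwise override web-ssl, and checks that the linked key actually belongs to the linked certificate before restarting. It assumes the paths shown in the thread, that certbot exports RENEWED_LINEAGE to deploy hooks (it does), and that openssl is installed.

```shell
#!/bin/sh
# Added example (not from the thread or OpenVPN): a certbot deploy hook that
# installs a renewed Let's Encrypt lineage into OpenVPN AS following
# Solutions 1 and 2, then verifies the result before restarting.
set -eu

# certbot exports RENEWED_LINEAGE to --deploy-hook scripts; the defaults below
# are the paths from the thread and are assumptions for other installs.
WEB_SSL="${WEB_SSL:-/usr/local/openvpn_as/etc/web-ssl}"
SACLI="${SACLI:-/usr/local/openvpn_as/scripts/sacli}"

# Solution 1: point the three web-ssl files at the lineage. Pre-existing
# regular files (the stock self-signed material) are kept as *.selfsigned.bak.
link_le_certs() {
    live="$1"; webssl="$2"
    for pair in fullchain.pem:ca.crt cert.pem:server.crt privkey.pem:server.key; do
        src="$live/${pair%%:*}"; dst="$webssl/${pair##*:}"
        [ -r "$src" ] || { echo "missing $src" >&2; return 1; }
        if [ -e "$dst" ] && [ ! -L "$dst" ]; then
            mv "$dst" "$dst.selfsigned.bak"
        fi
        ln -sf "$src" "$dst"
    done
}

# Solution 2: certificates stored in the config database take precedence over
# web-ssl, so remove them (same keys as in the thread).
clear_db_certs() {
    for key in cs.priv_key cs.ca_bundle cs.cert; do
        "$SACLI" --key "$key" ConfigDel
    done
}

# Sanity check before restart: the linked private key must belong to the
# linked certificate (compares SHA-256 of the public keys; needs openssl).
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$c" = "$k" ]
}

# Only act when certbot invoked us; sourcing the file just defines the functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    link_le_certs "$RENEWED_LINEAGE" "$WEB_SSL"
    cert_matches_key "$WEB_SSL/server.crt" "$WEB_SSL/server.key"
    clear_db_certs
    "$SACLI" start
fi
```

Register it with `certbot renew --deploy-hook /path/to/this-script`, or run it once by hand with RENEWED_LINEAGE=/etc/letsencrypt/live/my.domain exported to do the initial switch-over.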

Solution 3:

Please do not use a public CA for OpenVPN. There is no need to trust an external party with your VPN network traffic.

Just create your own CA, with e.g. easy-rsa.

Solution 4:

I just found this great script that makes it completely painless.

Running this script in crontab will keep you renewed forever.

https://gist.github.com/mkubenka/109d853cee9556fa37cbc55958a2c3d5