Let’s Encrypt HTTPS Certificates for OpenVPN AS (Access Server)

To load a new HTTPS certificate into OpenVPN AS (Access Server), you’ll want to use the /usr/local/openvpn_as/scripts/confdba command. Combined with a Let’s Encrypt client, this gets you a free HTTPS certificate for the AS web server.

By default, letsencrypt-auto will save certificate files to the /etc/letsencrypt/live/DOMAIN.TLD directory. Digital Ocean has a nice introduction at https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04 for learning how to set up letsencrypt-auto to create and automatically renew certificates.

Once your certificates are ready, you need to load them into the OpenVPN AS web server. There are instructions out there that mention placing files into the /usr/local/openvpn_as/etc/web-ssl/ directory, but I couldn’t get that to work. Instead, I used the instructions at https://docs.openvpn.net/how-to-tutorialsguides/administration/cs-ca_bundle-cs-priv_key-cs-cert/ which explain how to use the /usr/local/openvpn_as/scripts/confdba command. Other documentation indicates that confdba should be able to load certificate files directly, but I couldn’t get that to work, so I used cat to write the certificate files out into the command-line arguments. The final resulting commands are:

/etc/init.d/openvpnas stop

## Let's Encrypt client runs here in standalone mode ##

/usr/local/openvpn_as/scripts/confdba -mk cs.ca_bundle -v "`cat /etc/letsencrypt/live/DOMAIN.TLD/fullchain.pem`"

/usr/local/openvpn_as/scripts/confdba -mk cs.priv_key -v "`cat /etc/letsencrypt/live/DOMAIN.TLD/privkey.pem`" > /dev/null

/usr/local/openvpn_as/scripts/confdba -mk cs.cert -v "`cat /etc/letsencrypt/live/DOMAIN.TLD/cert.pem`"

/etc/init.d/openvpnas start

Note the use of > /dev/null to avoid writing out the private key to any logs.
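The stop / load / start sequence above, as an added example that is not part of the original post, packaged as a certbot deploy-hook style script so a 90-day renewal reloads the web server certificate without anyone typing the commands. It uses the --value_file option from the comments below rather than cat, and CONFDBA / SVC are hypothetical overrides (defaults are the paths from the post) so the functions can be run against stubs.

```shell
#!/bin/sh
# Added example, not from the original post: a certbot deploy-hook style script
# that loads renewed Let's Encrypt files into OpenVPN AS through confdba.
# CONFDBA and SVC are hypothetical overrides so the functions can be exercised
# against stubs; the defaults are the paths used in the post.
set -eu

CONFDBA="${CONFDBA:-/usr/local/openvpn_as/scripts/confdba}"
SVC="${SVC:-/etc/init.d/openvpnas}"

# Refuse a file that is missing, empty or not PEM: storing an empty value in
# a cs.* key leaves the admin web server without a usable certificate.
check_pem() {
    [ -s "$1" ] || { echo "missing or empty: $1" >&2; return 1; }
    grep -q '^-----BEGIN ' "$1" || { echo "not PEM: $1" >&2; return 1; }
}

# Store one cs.* key from a file. --value_file keeps the key material out of
# argv (visible in ps) and shell history, and stdout is discarded so the
# private key is not echoed into logs, as the post does with > /dev/null.
load_key() {
    "$CONFDBA" -mk "$1" --value_file="$2" > /dev/null
}

# Stop AS, load the three values, start AS. Checks run before the service is
# touched so a bad renewal leaves the running configuration untouched.
deploy_certs() {
    live="$1"    # e.g. /etc/letsencrypt/live/DOMAIN.TLD
    for f in fullchain.pem cert.pem privkey.pem; do
        check_pem "$live/$f" || return 1
    done
    "$SVC" stop || return 1
    load_key cs.ca_bundle "$live/fullchain.pem" || return 1
    load_key cs.priv_key  "$live/privkey.pem"   || return 1
    load_key cs.cert      "$live/cert.pem"      || return 1
    "$SVC" start
}

# certbot --deploy-hook exports RENEWED_LINEAGE as the renewed live directory.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_certs "$RENEWED_LINEAGE"
fi
```

Install it as the deploy hook of the renewal (for example `certbot renew --deploy-hook /path/to/this.sh`) and the web server certificate follows every renewal.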

23 thoughts on “Let’s Encrypt HTTPS Certificates for OpenVPN AS (Access Server)”

  1. I think the reason that simply replacing the files in `/usr/local/openvpn_as/etc/web-ssl/` doesn’t work is because OpenVPN stores its configuration in SQLite databases. I’m no expert when it comes to either OpenVPN or SQLite, but my tests show that the SSL certificates are stored in the SQLite database located here

    /usr/local/openvpn_as/etc/db/config.db

    You can view this by issuing the following commands:

    sudo /usr/local/openvpn_as/scripts/sqlite3 /usr/local/openvpn_as/etc/db/config.db

    This should yield something similar to the following:

    SQLite version 3.7.16.2 2013-04-12 11:52:43
    Enter ".help" for instructions
    Enter SQL statements terminated with a ";"

    Type the following:

    .schema

    This should show the schema of the database. Now type:

    select * from config where name in ('cs.ca_bundle','cs.priv_key','cs.cert');

    This should show all SSL certs for all server profiles. To exit SQLite, simply type

    .quit

    My guess is that confdba updates the SQLite configuration database instead of the configuration files. This may be why replacing the certificates in the web_ssl directory doesn’t work.


  2. Hey Nicholas,

    Thanks a lot for taking the time to write this. It helped me a lot, kudos!

    I modified your script so you can read the certs directly without the cat. It worked for me.

    /etc/init.d/openvpnas stop
    /usr/local/openvpn_as/scripts/confdba -mk cs.ca_bundle --value_file=/etc/letsencrypt/live/DOMAIN.TLD/fullchain.pem > /dev/null 2>&1
    /usr/local/openvpn_as/scripts/confdba -mk cs.priv_key --value_file=/etc/letsencrypt/live/DOMAIN.TLD/privkey.pem > /dev/null 2>&1
    /usr/local/openvpn_as/scripts/confdba -mk cs.cert --value_file=/etc/letsencrypt/live/DOMAIN.TLD/cert.pem > /dev/null 2>&1
    /etc/init.d/openvpnas start


  3. Thanks for the pointer. Luckily I managed to get confdba to load the certificate files directly:

    $ sudo service openvpnas stop
    $ cd /usr/local/openvpn_as/scripts
    $ sudo ./confdba -mk cs.ca_bundle --value_file=/etc/letsencrypt/live/ovpn.example.me.uk/fullchain.pem
    $ sudo ./confdba -mk cs.priv_key --value_file=/etc/letsencrypt/live/ovpn.example.me.uk/privkey.pem
    $ sudo ./confdba -mk cs.cert --value_file=/etc/letsencrypt/live/ovpn.example.me.uk/cert.pem
    $ sudo service openvpnas start

    $ cat /etc/issue
    OpenVPN Access Server Appliance 2.1.3


  4. Sadly all the mentioned options do not work anymore on OpenVPN Access Server 2.1.4.

    What works:

    apt-get -y install git bc
    git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
    mkdir /etc/letsencrypt

    What does not work:

    all the confdba commands and options mentioned above, using cat or --value_file.

    They all totally fail.

    I would love an update of this process for the 2.1.4 Access Server


    1. Hi nsideras,

      I am sorry for not replying earlier. Best wishes for 2017 🙂

      There are no errors unfortunately, but if I use the sudo ./confdba -mk commands on my fully updated OpenVPN Access Server (the VMware image on the OpenVPN website), the web server login page for the appliance doesn’t work anymore by then. Seems it kills the certificate/chain/something.

      What does work is transferring the pem files fullchain.pem, cert.pem and privkey.pem to another location and uploading them via the web access server that the OpenVPN appliance provides.


  5. ----- OpenVPN Access Server 2.1.4 / Ubuntu 16.04 -----
    You can also import the ssl certificate and key quite easily using the OpenVPN Access Server Web Admin GUI at https://vpn..com/admin

    *** Here is what I did ****

    ----- GET THE LETSENCRYPT CERTIFICATE -----
    root@openvpnas2:# systemctl stop openvpnas

    root@openvpnas2:# letsencrypt certonly

    [make sure port 443 is accessible from internet so that letsencrypt.com can connect to port 443 on your server]

    root@openvpnas2:# systemctl start openvpnas

    -- UPLOAD THE SSL CERT TO YOUR LAPTOP AND INSTALL VIA THE OPENVPN ADMIN WEB GUI --

    Upload the folder /etc/letsencrypt/archive/vpn.mydomain.com/ to my laptop using FileZilla.

    In Firefox on my laptop, login to https://vpn.mydomain.com/admin
    ( the OpenVPN AS Admin GUI)

    Go to the “Server Network Settings” tab and make sure that hostname = vpn..com

    Go to “Web Server” and upload the certificate and key from your laptop to the server:
    Upload :
    CA Bundle = fullchain1.pem
    Certificate = cert1.pem
    Private key = privkey1.pem

    Validate and Save.

    You’re done!


    1. Have you found any way to automate the renewal process, since this will be required every 90 days with Letsencrypt?


  6. Just download the cert files /etc/letsencrypt/live/ and load them into Configuration>Web Server as:
    fullchain.pem – CA Bundle
    cert.pem – Certificate
    privkey.pem – Private Key
    Validate, then Save if it returns okay.


  7. I got this working with OpenVPN Access Server 2.1.9 on Ubuntu 16.04 and I thought I’d help resolve the confdba confusion.

    OpenVPN Access Server reads from /usr/local/openvpn_as/etc/web-ssl/ UNLESS you’ve installed a certificate into the SQLite DB via the web UI or via confdba. The SQLite certificate takes precedence. So the cleanest way to get this working is to remove the SQLite certificate and let it read from /usr/local/openvpn_as/etc/web-ssl/ .

    To remove the SQLite certificates use:

    ./confdba -mk cs.ca_bundle
    ./confdba -mk cs.priv_key
    ./confdba -mk cs.cert

    (… which can be found at the bottom of https://docs.openvpn.net/how-to-tutorialsguides/administration/cs-ca_bundle-cs-priv_key-cs-cert/ … that page also mentions how to back up your original certificates first, if you’d like to do so.)

    Once you’ve removed the stored certificates, AS will respect what’s in …/web-ssl/, so you can symlink your files like so:

    ln -sf /etc/letsencrypt/live/YOUR_DOMAIN/chain.pem /usr/local/openvpn_as/etc/web-ssl/ca.crt
    ln -sf /etc/letsencrypt/live/YOUR_DOMAIN/cert.pem /usr/local/openvpn_as/etc/web-ssl/server.crt
    ln -sf /etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem /usr/local/openvpn_as/etc/web-ssl/server.key

    Then your refresh can be nice and simple. Stop openvpnas, refresh the cert, and start openvpnas. (And if you use certbot, it can take care of the stop/start using its pre-hook and post-hook flags.)

