To load a new HTTPS certificate for OpenVPN AS (Access Server), you’ll want to use the /usr/local/openvpn_as/scripts/confdba command. This can be combined with a Let’s Encrypt client to obtain a free HTTPS certificate for the AS web server.
By default, letsencrypt-auto saves certificate files to the /etc/letsencrypt/live/DOMAIN.TLD directory. DigitalOcean has a nice introduction at https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04 for learning how to set up letsencrypt-auto to create and automatically renew certificates.
Once your certificates are ready, you need to load them into the OpenVPN AS web server. There are instructions out there that mention placing files into the /usr/local/openvpn_as/etc/web-ssl/ directory, but I couldn’t get that to work. Instead, I used the instructions at https://docs.openvpn.net/how-to-tutorialsguides/administration/cs-ca_bundle-cs-priv_key-cs-cert/, which explain how to use the /usr/local/openvpn_as/scripts/confdba command. Other documentation indicates that confdba should be able to load certificate files directly, but I couldn’t get that to work, so I used cat to write the certificate files into the command line arguments. The final resulting commands are:
/etc/init.d/openvpnas stop
## Let's Encrypt client runs here in standalone mode ##
/usr/local/openvpn_as/scripts/confdba -mk cs.ca_bundle -v "`cat /etc/letsencrypt/live/DOMAIN.TLD/fullchain.pem`"
/usr/local/openvpn_as/scripts/confdba -mk cs.priv_key -v "`cat /etc/letsencrypt/live/DOMAIN.TLD/privkey.pem`" > /dev/null
/usr/local/openvpn_as/scripts/confdba -mk cs.cert -v "`cat /etc/letsencrypt/live/DOMAIN.TLD/cert.pem`"
/etc/init.d/openvpnas start
Note the use of > /dev/null to avoid writing out the private key to any logs.
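The procedure above, written out as an added example that is not part of the original post: a POSIX shell script that sanity-checks the three Let’s Encrypt files before the server is stopped, then issues the post’s three confdba calls. It goes a little beyond the post in that every confdba call’s stdout and stderr are sent to /dev/null, not only the private key one, and in that it checks that fullchain.pem really begins with the leaf in cert.pem before anything is written. LE_DIR, CONFDBA and OVPNAS_INIT are assumed variables defaulting to the paths the post uses; OVPNAS_APPLY is an assumed guard so that sourcing the file for its checks touches nothing.

```shell
#!/bin/sh
# Added example (not the post's own script): load a Let's Encrypt certificate
# into OpenVPN Access Server via confdba, with sanity checks first.
# Assumptions: LE_DIR is the certbot "live" directory for your hostname,
# CONFDBA is the Access Server confdba path, OVPNAS_INIT is the init script
# used in the post. Nothing is written to confdba until the checks pass.
set -u

LE_DIR="${LE_DIR:-/etc/letsencrypt/live/DOMAIN.TLD}"
CONFDBA="${CONFDBA:-/usr/local/openvpn_as/scripts/confdba}"
OVPNAS_INIT="${OVPNAS_INIT:-/etc/init.d/openvpnas}"

# True when FILE is non-empty and its first line is a PEM header matching REGEX.
pem_has_header() {
    f="$1"; re="$2"
    [ -s "$f" ] && head -n 1 "$f" | grep -q -E -e "$re"
}

# Check the three files the post loads: fullchain.pem, cert.pem and privkey.pem.
# Also checks that fullchain.pem starts with the exact contents of cert.pem,
# since cs.ca_bundle is fed fullchain.pem and cs.cert is fed cert.pem.
check_le_dir() {
    dir="$1"
    pem_has_header "$dir/cert.pem" '^-----BEGIN CERTIFICATE-----$' || {
        echo "cert.pem missing or not a certificate" >&2; return 1; }
    pem_has_header "$dir/fullchain.pem" '^-----BEGIN CERTIFICATE-----$' || {
        echo "fullchain.pem missing or not a certificate" >&2; return 1; }
    pem_has_header "$dir/privkey.pem" '^-----BEGIN (RSA |EC )?PRIVATE KEY-----$' || {
        echo "privkey.pem missing or not a private key" >&2; return 1; }
    # The first certificate block of fullchain.pem must be the leaf in cert.pem.
    sed -n '1,/^-----END CERTIFICATE-----$/p' "$dir/fullchain.pem" \
        | cmp -s - "$dir/cert.pem" || {
        echo "fullchain.pem does not start with cert.pem" >&2; return 1; }
    return 0
}

# The post's three confdba calls. stdout and stderr go to /dev/null for every
# call, not just the private key, so no certificate material lands in logs.
load_into_confdba() {
    dir="$1"
    "$CONFDBA" -mk cs.ca_bundle -v "$(cat "$dir/fullchain.pem")" >/dev/null 2>&1 &&
    "$CONFDBA" -mk cs.cert      -v "$(cat "$dir/cert.pem")"      >/dev/null 2>&1 &&
    "$CONFDBA" -mk cs.priv_key  -v "$(cat "$dir/privkey.pem")"   >/dev/null 2>&1
}

main() {
    check_le_dir "$LE_DIR" || exit 1
    "$OVPNAS_INIT" stop
    # Run your Let's Encrypt client in standalone mode here, as in the post.
    if load_into_confdba "$LE_DIR"; then
        echo "certificate loaded"
    else
        echo "confdba failed; web server certificate may be unchanged" >&2
    fi
    "$OVPNAS_INIT" start
}

# Only touch the server when explicitly asked, so sourcing this file for the
# checks has no side effects.
if [ "${OVPNAS_APPLY:-0}" = 1 ]; then main; fi
```

Run it as `OVPNAS_APPLY=1 LE_DIR=/etc/letsencrypt/live/your.host sh load-as-cert.sh`; without OVPNAS_APPLY it only defines the functions, which is handy for testing the checks against a live directory before touching the server.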
Thanks, great it works!
Dude! Nice way of mating Let’s Encrypt with OpenVPN AS! Thanks for making this knowledge public!
This was a big help! Thanks!
Thank you!
I think the reason that simply replacing the files in `/usr/local/openvpn_as/etc/web-ssl/` doesn’t work is because OpenVPN stores its configuration in SQLite databases. I’m no expert when it comes to either OpenVPN or SQLite, but my tests show that the SSL certificates are stored in the SQLite database located here
/usr/local/openvpn_as/etc/db/config.db
You can view this by issuing the following commands:
sudo /usr/local/openvpn_as/scripts/sqlite3 /usr/local/openvpn_as/etc/db/config.db
This should yield something similar to the following:
SQLite version 3.7.16.2 2013-04-12 11:52:43
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
Type the following:
.schema
This should show the schema of the database. Now type:
select * from config where name in ('cs.ca_bundle','cs.priv_key','cs.cert');
This should show all SSL certs for all server profiles. To exit SQLite, simply type
.quit
My guess is that confdba updates the SQLite configuration database instead of the configuration files. This may be why replacing the certificates in the web_ssl directory doesn’t work.
Hey Nicholas,
Thanks a lot for taking the time to write this. It helped me a lot, kudos!
I modified your script so you can read the certs directly without the cat. It worked for me.
/etc/init.d/openvpnas stop
/usr/local/openvpn_as/scripts/confdba -mk cs.ca_bundle --value_file=/etc/letsencrypt/live/DOMAIN.TLD/fullchain.pem > /dev/null 2>&1
/usr/local/openvpn_as/scripts/confdba -mk cs.priv_key --value_file=/etc/letsencrypt/live/DOMAIN.TLD/privkey.pem > /dev/null 2>&1
/usr/local/openvpn_as/scripts/confdba -mk cs.cert --value_file=/etc/letsencrypt/live/DOMAIN.TLD/cert.pem > /dev/null 2>&1
/etc/init.d/openvpnas start
Thanks for the pointer. Luckily I managed to get confdba to load the certificate files directly:
$ sudo service openvpnas stop
$ cd /usr/local/openvpn_as/scripts
$ sudo ./confdba -mk cs.ca_bundle --value_file=/etc/letsencrypt/live/ovpn.example.me.uk/fullchain.pem
$ sudo ./confdba -mk cs.priv_key --value_file=/etc/letsencrypt/live/ovpn.example.me.uk/privkey.pem
$ sudo ./confdba -mk cs.cert --value_file=/etc/letsencrypt/live/ovpn.example.me.uk/cert.pem
$ sudo service openvpnas start
$ cat /etc/issue
OpenVPN Access Server Appliance 2.1.3
Sadly all the mentioned options do not work anymore on OpenVPN Access Server 2.1.4.
What works:
apt-get -y install git bc
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
mkdir /etc/letsencrypt
What does not work:
all the above-mentioned confdba commands and options, using cat or --value_file.
They all totally fail.
I would love an update of this process for the 2.1.4 Access Server.
Can you give any specifics about what is failing? Are you seeing any errors?
Hi nsideras,
I am sorry for not replying earlier. Best wishes for 2017 🙂
There are no errors unfortunately, but if I use the sudo ./confdba -mk commands on my fully updated OpenVPN Access Server (the VMware image on the OpenVPN website), the web server login page for the appliance doesn’t work anymore afterwards. Seems it kills the certificate/chain/something.
What does work is transferring the fullchain.pem, cert.pem and privkey.pem files to another location and uploading them via the web admin interface that the OpenVPN appliance provides.
It worked for me with OpenVPN Access Server 2.1.4 under Ubuntu Server 16.04. Thanks!
It worked for me! Just set it up on an Ubuntu 16.04 VPS! Thanks man
Thank you from France !
----- OpenVPN Access Server 2.1.4 / Ubuntu 16.04 -----
You can also import the SSL certificate and key quite easily using the OpenVPN Access Server Web Admin GUI at https://vpn..com/admin
*** Here is what I did ***
----- GET THE LETSENCRYPT CERTIFICATE -----
root@openvpnas2:# systemctl stop openvpnas
root@openvpnas2:# letsencrypt certonly
[make sure port 443 is accessible from internet so that letsencrypt.com can connect to port 443 on your server]
root@openvpnas2:# systemctl start openvpnas
----- UPLOAD THE SSL CERT TO YOUR LAPTOP AND INSTALL VIA THE OPENVPN ADMIN WEB GUI -----
Upload the folder /etc/letsencrypt/archive/vpn.mydomain.com/ to my laptop using FileZilla.
In Firefox on my laptop, log in to https://vpn.mydomain.com/admin
(the OpenVPN AS Admin GUI)
Go to the “Server Network Settings” tab and make sure that hostname = vpn..com
Go to “Web Server” and upload the certificate and key from your laptop to the server:
Upload:
CA Bundle = fullchain1.pem
Certificate = cert1.pem
Private key = privkey1.pem
Validate and Save.
You’re done!
This worked for me! Thanks.
Have you found any way to automate the renewal process, since this will be required every 90 days with Let’s Encrypt?
The commands I list could be called from cron on a 90 day basis.
Thank you for providing this example. I used this information on a blog post and linked back to this article for proper credit, maybe your readers will find it useful: https://asieira.github.io/using-openvpn-access-server-to-access-aws-vpcs.html
Just download the cert files /etc/letsencrypt/live/ and load them into Configuration>Web Server as:
fullchain.pem – CA Bundle
cert.pem – Certificate
privkey.pem – Private Key
Validate, then Save if it returns okay.
I got this working with OpenVPN Access Server 2.1.9 on Ubuntu 16.04 and I thought I’d help resolve the confdba confusion.
OpenVPN Access Server reads from /usr/local/openvpn_as/etc/web-ssl/ UNLESS you’ve installed a certificate into the SQLite DB via the web UI or via confdba. The SQLite certificate takes precedence. So the cleanest way to get this working is to remove the SQLite certificate and let it read from /usr/local/openvpn_as/etc/web-ssl/ .
To remove the SQLite certificates use:
./confdba -mk cs.ca_bundle
./confdba -mk cs.priv_key
./confdba -mk cs.cert
(… which can be found at the bottom of https://docs.openvpn.net/how-to-tutorialsguides/administration/cs-ca_bundle-cs-priv_key-cs-cert/ … that page also mentions how to back up your original certificates first, if you’d like to do so.)
Once you’ve removed the stored certificates, AS will respect what’s in …/web-ssl/, so you can symlink your files like so:
ln -sf /etc/letsencrypt/live/YOUR_DOMAIN/chain.pem /usr/local/openvpn_as/etc/web-ssl/ca.crt
ln -sf /etc/letsencrypt/live/YOUR_DOMAIN/cert.pem /usr/local/openvpn_as/etc/web-ssl/server.crt
ln -sf /etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem /usr/local/openvpn_as/etc/web-ssl/server.key
Then your refresh can be nice and simple. Stop openvpnas, refresh the cert, and start openvpnas. (And if you use certbot, it can take care of the stop/start using its pre-hook and post-hook flags.)
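The web-ssl approach described in the comment above, as an added example that is not the commenter’s own script: a POSIX shell script that clears the three cs.* keys stored in the Access Server configuration database with the confdba calls the comment lists, creates the three symlinks into the certbot live directory, and verifies that each link resolves, which is the first thing that breaks when the live directory is renamed or a file is missing. It refuses to overwrite a regular file in web-ssl so an existing self-signed certificate and key are not silently deleted. LE_DIR, WEBSSL_DIR and CONFDBA are assumed variables defaulting to the paths named in the comment; OVPNAS_APPLY is an assumed guard so that sourcing the file only defines the functions. certbot’s --pre-hook and --post-hook flags used for renewal are the ones the comment refers to.

```shell
#!/bin/sh
# Added example (not the commenter's own script): the web-ssl approach from the
# comment above. Clears the cs.* keys held in the config DB via confdba, points
# the web-ssl files at the certbot live directory with symlinks, and verifies
# each link resolves. Assumptions: LE_DIR, WEBSSL_DIR and CONFDBA default to
# the paths named in the comment; OVPNAS_APPLY=1 is required to touch the server.
set -u

LE_DIR="${LE_DIR:-/etc/letsencrypt/live/YOUR_DOMAIN}"
WEBSSL_DIR="${WEBSSL_DIR:-/usr/local/openvpn_as/etc/web-ssl}"
CONFDBA="${CONFDBA:-/usr/local/openvpn_as/scripts/confdba}"

# Remove the certificate stored in the config DB. It takes precedence over the
# files in web-ssl, so those files are ignored for as long as it exists.
clear_db_certs() {
    for key in cs.ca_bundle cs.priv_key cs.cert; do
        "$CONFDBA" -mk "$key" >/dev/null 2>&1 || return 1
    done
}

# Create the three symlinks the comment lists (chain.pem -> ca.crt,
# cert.pem -> server.crt, privkey.pem -> server.key). Refuses to replace a
# regular file so an existing cert/key is not silently deleted; move it first.
link_web_ssl() {
    src="$1"; dst="$2"
    for pair in chain.pem:ca.crt cert.pem:server.crt privkey.pem:server.key; do
        from="${pair%%:*}"; to="${pair##*:}"
        if [ -e "$dst/$to" ] && [ ! -L "$dst/$to" ]; then
            echo "$dst/$to is a regular file; move it aside first" >&2
            return 1
        fi
        ln -sf "$src/$from" "$dst/$to" || return 1
    done
}

# Verify each web-ssl entry is a symlink that resolves to a readable file.
# A dangling link here is what you get after certbot renames the live dir.
verify_web_ssl() {
    dst="$1"
    for to in ca.crt server.crt server.key; do
        [ -L "$dst/$to" ] && [ -r "$dst/$to" ] || {
            echo "$dst/$to missing or dangling" >&2; return 1; }
    done
}

# Renewal: certbot's pre/post hooks stop and start the service around the
# renewal, as the comment suggests. With symlinks nothing needs copying.
renew_with_hooks() {
    certbot renew --pre-hook "service openvpnas stop" \
                  --post-hook "service openvpnas start" "$@"
}

if [ "${OVPNAS_APPLY:-0}" = 1 ]; then
    service openvpnas stop
    clear_db_certs || echo "confdba clear failed; stored cert may still take precedence" >&2
    link_web_ssl "$LE_DIR" "$WEBSSL_DIR" && verify_web_ssl "$WEBSSL_DIR"
    service openvpnas start
fi
```

After the one-time `OVPNAS_APPLY=1 sh web-ssl-links.sh`, renewals are `renew_with_hooks --dry-run` to rehearse and `renew_with_hooks` from cron to run; because web-ssl points at the live directory, a successful renewal is picked up on the post-hook start with no further copying.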
Much cleaner! Thanks!
I found out an almost perfect method here:
https://loige.co/using-lets-encrypt-and-certbot-to-automate-the-creation-of-certificates-for-openvpn/
Hey there from 2020 🙂 I’ve read Mr. Belvedere’s comments, and I’m having the same issue. I’m new at it, so I did all the steps that were mentioned in this post, and now my server isn’t working at all. No logs unfortunately; I’m using Ubuntu 18.07 and launching on VMware.