To load a new HTTPS certificate for OpenVPN AS (Access Server), you’ll want to use the /usr/local/openvpn_as/scripts/confdba command. This can be combined with a Let’s Encrypt client to obtain a free HTTPS certificate for the AS web server.
By default, letsencrypt-auto will save certificate files to the /etc/letsencrypt/live/DOMAIN.TLD directory. DigitalOcean has a nice introduction at https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04 for learning how to set up letsencrypt-auto to create and automatically renew certificates.
Once your certificates are ready, you need to load them into the OpenVPN AS web server. There are instructions out there that mention placing files into the /usr/local/openvpn_as/etc/web-ssl/ directory, but I couldn’t get that to work. Instead, I used the instructions at https://docs.openvpn.net/how-to-tutorialsguides/administration/cs-ca_bundle-cs-priv_key-cs-cert/ which explain how to use the /usr/local/openvpn_as/scripts/confdba command. Other documentation indicates that confdba should be able to load certificate files directly, but I couldn’t get that to work, so I used cat to write out the certificate files into the command line arguments. The final resulting commands are:
/etc/init.d/openvpnas stop
## Let's Encrypt client runs here in standalone mode ##
/usr/local/openvpn_as/scripts/confdba -mk cs.ca_bundle -v "`cat /etc/letsencrypt/live/DOMAIN.TLD/fullchain.pem`"
/usr/local/openvpn_as/scripts/confdba -mk cs.priv_key -v "`cat /etc/letsencrypt/live/DOMAIN.TLD/privkey.pem`" > /dev/null
/usr/local/openvpn_as/scripts/confdba -mk cs.cert -v "`cat /etc/letsencrypt/live/DOMAIN.TLD/cert.pem`"
/etc/init.d/openvpnas start
Note the use of > /dev/null to avoid writing the private key out to any logs.
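As an added example (not part of the original post), here is the same confdba sequence packaged as a renewal hook so the web server picks up a renewed certificate without anyone re-running the commands by hand. It assumes the certbot client (the successor of letsencrypt-auto) invokes it as a --deploy-hook with RENEWED_LINEAGE set to the /etc/letsencrypt/live/DOMAIN.TLD directory, that confdba lives at /usr/local/openvpn_as/scripts/confdba, and the function names are my own. It refuses to touch the config database unless all three files are present, and sends every confdba call's output to /dev/null, not just the private-key one.

```shell
#!/bin/sh
# Added example: certbot deploy hook that loads renewed Let's Encrypt files
# into OpenVPN AS via confdba. Not from the original post.
# Assumptions: certbot exports RENEWED_LINEAGE to deploy hooks; confdba and
# the init script are at the paths below (override via environment if not).
set -eu

CONFDBA="${CONFDBA:-/usr/local/openvpn_as/scripts/confdba}"
OPENVPNAS_INIT="${OPENVPNAS_INIT:-/etc/init.d/openvpnas}"

# Return 0 only if every file confdba will need exists and is non-empty,
# so a half-written lineage never replaces a working certificate.
check_lineage() {
    dir="$1"
    for f in fullchain.pem privkey.pem cert.pem; do
        [ -s "$dir/$f" ] || return 1
    done
    return 0
}

# Store one file's contents under a config key. Output is discarded so the
# value (the private key in particular) never lands in a log.
load_key() {
    key="$1"
    file="$2"
    "$CONFDBA" -mk "$key" -v "$(cat "$file")" > /dev/null
}

# Load the three files from a live/ directory into the AS web server config.
load_lineage() {
    dir="$1"
    if ! check_lineage "$dir"; then
        echo "refusing to load: missing certificate files in $dir" >&2
        return 1
    fi
    load_key cs.ca_bundle "$dir/fullchain.pem"
    load_key cs.priv_key  "$dir/privkey.pem"
    load_key cs.cert      "$dir/cert.pem"
}

# certbot sets RENEWED_LINEAGE only when running us as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    load_lineage "$RENEWED_LINEAGE"
    "$OPENVPNAS_INIT" restart
fi
```

Install it with `certbot renew --deploy-hook /path/to/this-script.sh`. If you keep the standalone authenticator, the AS web server still has to be stopped while the challenge runs, so pair it with `--pre-hook "/etc/init.d/openvpnas stop"` and `--post-hook "/etc/init.d/openvpnas start"`, exactly as the manual sequence above does.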