How to install Letsencrypt Certificates on Open VPN Access Server Web Interface

In this tutorial we are going to show you how to install letsencrypt certificates on your OpenVPN Access Server’s Web Interface. This tutorial assumes you are using an ubuntu or debian based distribution.

STEP 1:

SSH into your openvpn access server in your terminal, and install certbot:

sudo apt update && sudo apt install certbot

STEP 2:

Configure your DNS A records from your registrar to point to your server’s public IP address. If you are using cloudflare, it should look like this:

STEP 3:

Run certbot and enter the answers to its questions.

sudo certbot certonly

How would you like to authenticate with the ACME CA?

1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 1

Enter email address (used for urgent renewal and security notices): contact@nerd-tech.net

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory

(A)gree/(C)ancel: A


Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let’s Encrypt project and the non-profit
organization that develops Certbot? We’d like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.

(Y)es/(N)o: N


Please enter in your domain name(s) (comma and/or space separated) (Enter ‘c’
to cancel): vpn.yourdomain.com (ex: vpn.nerd-tech.net)
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for vpn.nerd-tech.net
Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/vpn.nerd-tech.net/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/vpn.nerd-tech.net/privkey.pem
    Your cert will expire on 2021-12-18. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”
  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.
  • If you like Certbot, please consider supporting our work by: Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

Now enter the following lines replacing vpn.mydomain.com with your domain prefaced with a vpn and a dot (ex: vpn.nerd-tech.net).

/usr/local/openvpn_as/scripts/sacli --key "cs.priv_key" --value_file "/etc/letsencrypt/live/vpn.mydomain.com/privkey.pem" ConfigPut
/usr/local/openvpn_as/scripts/sacli --key "cs.cert" --value_file "/etc/letsencrypt/live/vpn.mydomain.com/cert.pem" ConfigPut
sudo /usr/local/openvpn_as/scripts/sacli --key "cs.ca_bundle" --value_file "/etc/letsencrypt/live/vpn.mydomain.com/chain.pem" ConfigPut
sudo /usr/local/openvpn_as/scripts/sacli start

RunStart warm None
{
“active_profile”: “Default”,
“errors”: {},
“last_restarted”: “Sun Sep 19 10:09:45 2021”,
“service_status”: {
“api”: “on”,
“auth”: “on”,
“bridge”: “on”,
“client_query”: “restarted”,
“crl”: “on”,
“daemon_pre”: “on”,
“db_push”: “on”,
“ip6tables_live”: “on”,
“ip6tables_openvpn”: “on”,
“iptables_live”: “on”,
“iptables_openvpn”: “on”,
“iptables_web”: “restarted”,
“log”: “on”,
“openvpn_0”: “on”,
“subscription”: “on”,
“user”: “on”,
“web”: “restarted”
}
}
WILL_RESTART [‘web’, ‘client’]

Now, restart your Openvpn Access Server.

sudo service openvpnas restart

Now you can browse to your new domain on port 943 (unless you changed openvpnas default web interface port).

So open your web browser and go to https://vpn.yourdomain.com:943/admin

You should see a lock icon in the top left corner of your browser, indicating that you are now using your secure letsencrypt certificates.

FINALLY, you need to log into your admin web interface, and change your hostname to the hostname you created for it.

And that is how you install letsencrypt certificates on the Openvpn Access Server Web Interface!

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.