Let's Encrypt OpenVPN AS

Solution 1:

In order to use Let's Encrypt certificates on the OpenVPN AS, you need to have the following symlinks:

/usr/local/openvpn_as/etc/web-ssl/ca.crt -> /etc/letsencrypt/live/my.domain/fullchain.pem
/usr/local/openvpn_as/etc/web-ssl/server.crt -> /etc/letsencrypt/live/my.domain/cert.pem
/usr/local/openvpn_as/etc/web-ssl/server.key -> /etc/letsencrypt/live/my.domain/privkey.pem
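
A way to verify the symlink mapping listed above, as an added example that is not part of the original answer. The function name check_web_ssl_links is hypothetical, and GNU readlink and stat are assumed. It inspects only the files on disk, not any certificate stored in the configuration database.

```shell
#!/bin/sh
# Added example: verify the three web-ssl symlinks from the listing above.
# Usage: check_web_ssl_links WEB_SSL_DIR LIVE_DIR
#   e.g. check_web_ssl_links /usr/local/openvpn_as/etc/web-ssl /etc/letsencrypt/live/my.domain
# Returns 0 when every link is correct and the key is not exposed, 1 otherwise.
check_web_ssl_links() {
    web_ssl=$1
    live=$2
    rc=0
    # link name : Let's Encrypt file, exactly as listed in the answer
    for pair in ca.crt:fullchain.pem server.crt:cert.pem server.key:privkey.pem; do
        link=$web_ssl/${pair%%:*}
        want=$live/${pair##*:}
        if [ ! -L "$link" ]; then
            # A copied file would keep serving the old certificate after renewal
            echo "FAIL $link is not a symlink"
            rc=1
        elif [ ! -e "$link" ]; then
            echo "FAIL $link is a dangling symlink"
            rc=1
        elif [ "$(readlink -f "$link")" != "$(readlink -f "$want")" ]; then
            # live/*.pem are themselves symlinks into archive/, so compare
            # the fully resolved paths on both sides
            echo "FAIL $link resolves to $(readlink -f "$link"), expected $want"
            rc=1
        else
            echo "OK   $link"
        fi
    done
    # The private key behind server.key must not be accessible to other users
    key=$(readlink -f "$web_ssl/server.key")
    if [ -f "$key" ]; then
        case $(stat -c %a "$key") in
            *[!0]) echo "FAIL $key is accessible to other users"; rc=1 ;;
        esac
    fi
    return $rc
}
```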

Solution 2:

Please do not use a public CA for OpenVPN. There is no need to trust an external party with your VPN network traffic.

Just create your own CA, with e.g. easy-rsa.


Solution 3:

Tried using Ben Flowers's answer (symlinking the PEM files in the OpenVPN config folder to the Let's Encrypt certificates) without luck, until I saw this in the OpenVPN documentation:

. . . if you have a self-signed certificate, or any certificate, stored in the configuration database, then the files in the web-ssl directory are ignored.

This can happen if you manually uploaded a certificate from the web UI. I deleted the manually uploaded certificates using the steps below (found on the same documentation page), and the Let's Encrypt certificates became active.

cd /usr/local/openvpn_as/scripts/
./sacli --key "cs.priv_key" ConfigDel
./sacli --key "cs.ca_bundle" ConfigDel
./sacli --key "cs.cert" ConfigDel
./sacli start