How To Add A Letsencrypt Self Signed Certificate To An OpenVPN Access Server

Tuesday, April 29, 2025

2 minute read

Use Case:
To secure an OVAS without purchasing an SSL-Cert from an authority.

Steps:
To configure SSL we need to have three files, in case of using Let’s Encrypt we will use the next files to create them:

*.crt – it’s our fullchain.pem file
*.key – privkey.pem file
*.bundle – will be created from fullchain.pem and privkey.pem

Check Let’s Encrypt existing files:

root@openvpnas2:/etc/letsencrypt/live/vpn.example.com# ls -l
 total 4
 lrwxrwxrwx 1 root root  42 Feb 22 10:56 cert.pem -\\gt ../../archive/vpn.example.com/cert1.pem
 lrwxrwxrwx 1 root root  43 Feb 22 10:56 chain.pem -\\gt ../../archive/vpn.example.com/chain1.pem
 lrwxrwxrwx 1 root root  47 Feb 22 10:56 fullchain.pem -\\gt ../../archive/vpn.example.com/fullchain1.pem
 lrwxrwxrwx 1 root root  45 Feb 22 10:56 privkey.pem -\\gt ../../archive/vpn.example.com/privkey1.pem

Install the private key to OpenVPN server:

root@openvpnas2:/etc/letsencrypt/live/vpn.example.com# /usr/local/openvpn_as/scripts/sacli --key cs.priv_key --value_file privkey.pem ConfigPut
 [True, {}]

Install its public cert:

root@openvpnas2:/etc/letsencrypt/live/vpn.example.com# /usr/local/openvpn_as/scripts/sacli --key cs.cert --value_file fullchain.pem ConfigPut
 [True, {}]

“Generate” the bundle file – just by using cat for the fullchain.pem and privkey.pem:

root@openvpnas2:/etc/letsencrypt/live/vpn.example.com# cat fullchain.pem privkey.pem gt bundle.pem

Add it to the OpenVPN AS:

root@openvpnas2:/etc/letsencrypt/live/vpn.example.com# /usr/local/openvpn_as/scripts/sacli --key cs.ca_bundle --value_file bundle.pem ConfigPut
 [True, {}]

Restart the service:

root@openvpnas2:/etc/letsencrypt/live/vpn.example.com# /usr/local/openvpn_as/scripts/sacli start
 RunStart warm None
 {
 errors: {},
 service\\_status: {
 api: on,
 auth: on,
 bridge: on,
 client\\_query: restarted,
 crl: on,
 daemon\\_pre: on,
 db\\_push: on,
 ip6tables\\_live: on,
 ip6tables\\_openvpn: on,
 iptables\\_live: on,
 iptables\\_openvpn: on,
 iptables\\_web: restarted,
 license: on,
 log: on,
 openvpn\\_0: on,
 openvpn\\_1: on,
 user: on,
 web: restarted
 }
 }
 
 WILL_RESTART ['web', 'client']

Check the UI now:

OpenVPN AS hostname

And the last step here will be to configure server’s hostname if this wasn’t made during initial setup.

Go to the Admin UI =gt Network Settings:

Get Started Now