@sabbour
Created October 21, 2018 07:02
#!/bin/bash
# update-openvpn-certs.sh
# Push the Let's Encrypt files for <YOUR DOMAIN NAME> into the OpenVPN Access Server
# config DB via sacli, then start the services. Replace <YOUR DOMAIN NAME> with the
# directory name certbot created under /etc/letsencrypt/live/.
/usr/local/openvpn_as/scripts/sacli --key "cs.priv_key" --value_file "/etc/letsencrypt/live/<YOUR DOMAIN NAME>/privkey.pem" ConfigPut
/usr/local/openvpn_as/scripts/sacli --key "cs.cert" --value_file "/etc/letsencrypt/live/<YOUR DOMAIN NAME>/fullchain.pem" ConfigPut
/usr/local/openvpn_as/scripts/sacli --key "cs.ca_bundle" --value_file "/etc/letsencrypt/live/<YOUR DOMAIN NAME>/chain.pem" ConfigPut
/usr/local/openvpn_as/scripts/sacli start
@MoeJoe87

MoeJoe87 commented Jul 2, 2019

How did that work for you? You are using fullchain and the chain but no cert.pem? How should that work?

If I use your 3 lines I get:

"errors": {
  "iptables_web": [
    [
      "error",
      "service failed to start due to unresolved dependencies: set(['web'])"
    ]
  ],
  "web": [
    [
      "error",
      "process started and then immediately exited: 2019-07-02T13:56:23+0100 [stderr#error] OpenSSL.SSL.Error: [('x509 certificate routines', 'X509_check_private_key', 'key values mismatch')]"
    ],
    [
      "error",
      "service failed to start or returned error status"

@sabbour

sabbour commented Jul 2, 2019

I don't remember the context of this

@MoeJoe87

MoeJoe87 commented Jul 2, 2019

Alright, np. My fault was that I was following your commands for about 2 hours until I figured out that the fullchain is not needed but instead the cert.pem. So the right commands would be:

./sacli --key "cs.priv_key" --value_file "/etc/letsencrypt/live//privkey.pem" ConfigPut
./sacli --key "cs.cert" --value_file "/etc/letsencrypt/live//cert.pem" ConfigPut
./sacli --key "cs.ca_bundle" --value_file "/etc/letsencrypt/live//chain.pem" ConfigPut
./sacli start

But the easier way is to delete the certificates from the DB with the following commands:
./confdba -mk cs.ca_bundle
./confdba -mk cs.priv_key
./confdba -mk cs.cert

And then just link the certs to the /config/etc/web-ssl folder (directly from the letsencrypt folder, because if the renewal happens the links are still the same and everything still works without touching or making any pre- and post-hooks).

sudo ln -s -f /etc/letsencrypt/live/YOUR_DOMAIN/cert.pem /usr/local/openvpn_as/etc/web-ssl/server.crt
sudo ln -s -f /etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem /usr/local/openvpn_as/etc/web-ssl/server.key
sudo ln -s -f /etc/letsencrypt/live/YOUR_DOMAIN/chain.pem /usr/local/openvpn_as/etc/web-ssl/ca.crt

I'm using openvpn-as in docker, so the only thing I have to take care of now is to create the symlinks every time after I recreate the docker container. The rest is automated by certbot already and I don't need pre or post hooks.

Cheers,
Moli
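The "key values mismatch" error above comes from X509_check_private_key, i.e. the leaf certificate handed to cs.cert does not carry the public key that belongs to cs.priv_key. The pre-flight script below is an added example, not part of the gist or of OpenVPN Access Server: it checks a Let's Encrypt-style live directory before anything is pushed with sacli or symlinked into web-ssl, confirming the key/cert pair matches, that cert.pem chains to chain.pem, and how many certificates a file holds (cert.pem should hold one, fullchain.pem more). The function names and the self-signed test fixture are assumptions made for this example.

```shell
#!/bin/bash
# check-openvpn-certs.sh (hypothetical helper, not shipped with OpenVPN AS)
# Pre-flight checks for the files certbot writes under /etc/letsencrypt/live/<domain>/
set -u

# cert_matches_key CERT KEY -> 0 if CERT's public key equals KEY's public key, 1 otherwise.
# This is the same condition X509_check_private_key enforces at service start.
cert_matches_key() {
    local cert="$1" key="$2" cert_pub key_pub
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_chains_to CERT CHAIN -> 0 if CERT verifies against the CA bundle in CHAIN
cert_chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# count_certs FILE -> number of PEM certificates in FILE (1 for cert.pem, >1 for fullchain.pem)
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# check_live_dir DIR -> 0 if privkey.pem, cert.pem and chain.pem are consistent with each other
check_live_dir() {
    local dir="$1"
    cert_matches_key "$dir/cert.pem" "$dir/privkey.pem" \
        || { echo "key values mismatch: $dir/cert.pem vs $dir/privkey.pem" >&2; return 1; }
    cert_chains_to "$dir/cert.pem" "$dir/chain.pem" \
        || { echo "cert.pem does not verify against chain.pem in $dir" >&2; return 1; }
    [ "$(count_certs "$dir/cert.pem")" -eq 1 ] \
        || { echo "cert.pem should contain exactly one certificate" >&2; return 1; }
    echo "ok: $dir"
}

# make_test_dir DIR: constructed test input only. Builds a throwaway self-signed key/cert
# laid out like a live/ directory; the self-signed cert doubles as its own chain.
make_test_dir() {
    local dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/privkey.pem" \
        -out "$dir/cert.pem" -subj "/CN=vpn.example.test" -days 1 >/dev/null 2>&1 || return 1
    cp "$dir/cert.pem" "$dir/chain.pem"
    cat "$dir/cert.pem" "$dir/chain.pem" > "$dir/fullchain.pem"
}

# Usage: check-openvpn-certs.sh /etc/letsencrypt/live/<domain>
if [ -n "${1:-}" ]; then check_live_dir "$1"; fi
```

Run it before the sacli ConfigPut lines (or from a certbot deploy hook) so a mismatched or chain-only file is caught before the web service refuses to start.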

@ryanbeaton

Thanks for that, you just helped me out :)
