I am trying to attach a Let's Encrypt certificate to my SoftEther VPN server, but I didn't find a way to do it. Can we use a CA-signed certificate like Let's Encrypt in the VPN server? If yes, then please provide the process.
2 Answers
The main challenge in using Let's Encrypt certificates with a VPN server is that their validity period is really short, only 3 months. This means there are some prerequisites:
- You must be able to automate loading of the certificate and the private key once Certbot has renewed them. Luckily, Softether has a Command Line Management Utility. You should be familiar at least with 6.2 General Usage of vpncmd in order to understand steps 1 and 3 in this answer.
- The VPN server needs to be publicly accessible on HTTP port 80 for the HTTP-01 challenge. Also, the Softether VPN server has no built-in HTTP-01 challenge, so it requires an external Certbot.
Steps:
1. You should add Let's Encrypt as a trusted CA for the VPN clients. You can find the currently active Intermediate Certificates on the Chain of Trust page. The command is CertAdd [path], from 6.5.6 "CertAdd": Add Trusted CA Certificate. This step is probably possible with the GUI, too, but I'm not a GUI guy. :)
2. Install and configure Certbot: instructions based on your web server and system.
3. Create a script / task / cronjob that periodically updates the certificate and the key. Certbot renews all certificates that will expire within a month. Therefore, there's up to a month before the old certificate expires, but in order to minimize the chances for this to fail, I'd recommend running this script at least once a week.

The command, from 6.3.20 "ServerCertSet": Set SSL Certificate and Private Key of VPN Server, is:

ServerCertSet [/LOADCERT:cert] [/LOADKEY:key]

/LOADCERT  Specify the X.509 format certificate file to use.
/LOADKEY   Specify the Base 64 encoded private key file for the certificate to use.

For example with Debian Linux, the command might be (host first, then /SERVER for server-administrator mode, as in the vpncmd usage in 6.2; ServerCertSet is not available in hub-administrator mode):

vpncmd localhost /SERVER /PASSWORD:password /CMD ServerCertSet \
    /LOADCERT:/etc/letsencrypt/live/vpn.example.com/cert.pem \
    /LOADKEY:/etc/letsencrypt/live/vpn.example.com/privkey.pem
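The renewal step above can be done as a Certbot deploy hook instead of a separate weekly cron job, so the certificate is pushed into SoftEther only when Certbot has actually renewed it. The script below is an added example, not code from the answer above or from the SoftEther project. It assumes (none of this is stated on the page) that vpncmd is on PATH, the VPN server listens on localhost:443, its hostname is vpn.example.com, and the server-administrator password is stored in /etc/softether/admin.pw (root-owned, mode 0600). It adds two checks a practitioner wants: it ignores renewals of other certificates on the same machine, and it refuses to load a cert.pem/privkey.pem pair whose public keys differ.

```shell
#!/bin/sh
# Certbot deploy hook that loads a renewed Let's Encrypt certificate into SoftEther.
# Added example; not code from the answer above or from the SoftEther project.
# Certbot runs deploy hooks once per renewed lineage, with RENEWED_LINEAGE set to
# the /etc/letsencrypt/live/<name> directory and RENEWED_DOMAINS to the names it covers.
# Assumed (not from the page): vpncmd on PATH, server-administrator password in
# /etc/softether/admin.pw (root-owned, 0600), server on localhost:443, hostname
# vpn.example.com.  Override any of these through the environment.
set -eu

VPN_DOMAIN="${VPN_DOMAIN:-vpn.example.com}"
VPN_HOST="${VPN_HOST:-localhost:443}"
PASSFILE="${PASSFILE:-/etc/softether/admin.pw}"
VPNCMD="${VPNCMD:-vpncmd}"      # set to "echo" for a dry run

# Certbot invokes the hook for every certificate it renews on the machine, so a
# web-server certificate renewed the same day must not replace the VPN one.
covers_vpn_domain() {
    for d in $1; do
        [ "$d" = "$VPN_DOMAIN" ] && return 0
    done
    return 1
}

# Refuse to load a certificate whose public key does not match the private key
# (for example a stale privkey.pem left behind by a manual run): SoftEther would
# accept the files and then fail every TLS handshake.
keys_match() {
    cert_pub=$(openssl x509 -in "$1/cert.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$1/privkey.pem" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# ServerCertSet needs server-administrator mode (/SERVER), not hub-administrator
# mode.  $1 is the lineage directory, $2 the administrator password.
set_server_cert() {
    "$VPNCMD" "$VPN_HOST" /SERVER "/PASSWORD:$2" /CMD ServerCertSet \
        "/LOADCERT:$1/cert.pem" "/LOADKEY:$1/privkey.pem"
}

deploy() {
    lineage="$1"
    if ! covers_vpn_domain "$2"; then
        echo "skipping $lineage: does not cover $VPN_DOMAIN" >&2
        return 0
    fi
    if ! keys_match "$lineage"; then
        echo "refusing $lineage: certificate and private key do not match" >&2
        return 1
    fi
    set_server_cert "$lineage" "$(cat "$PASSFILE")"
}

# Only act when Certbot calls us; the variables are unset when the file is run by hand.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy "$RENEWED_LINEAGE" "${RENEWED_DOMAINS:-}"
fi
```

Install it executable under /etc/letsencrypt/renewal-hooks/deploy/ (or pass it with --deploy-hook when obtaining the certificate); the renewal timer or cron entry that the Certbot package installs then takes care of the "at least once a week" schedule, and the hook only fires after a renewal actually succeeded. Two caveats: vpncmd takes the password on its command line, so it is briefly visible to other local users in the process list; and because cert.pem holds only the leaf certificate, clients still need the Let's Encrypt intermediate added with CertAdd as in step 1.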
It is not required that the VPN server be publicly accessible on port 80 for the Let's Encrypt challenge. You can use the --preferred-challenges dns option and create a DNS TXT record for your host.

For example:

certbot certonly -d yourhost.your.domain --manual --preferred-challenges dns

This will give you a prompt to create the new DNS TXT record:

Please deploy a DNS TXT record under the name _acme-challenge.yourhost.your.domain with the following value:
somerandomlygeneratedkey
Before continuing, verify the record is deployed.