
I am trying to attach a Let's Encrypt certificate to my SoftEther VPN server, but I haven't found a way to do it. Can we use a CA-signed certificate like Let's Encrypt on the VPN server? If yes, then please provide the process.

2 Answers

The main challenge in using Let's Encrypt certificates with a VPN server is that their validity period is really short, only 3 months. This means there are some prerequisites:

  • You must be able to automate loading of the certificate and the private key once Certbot has renewed them. Luckily, SoftEther has a Command Line Management Utility. You should be familiar at least with 6.2 General Usage of vpncmd in order to understand steps 1 and 3 in this answer.
  • The VPN server needs to be publicly accessible on HTTP port 80 for the HTTP-01 challenge. Also, the SoftEther VPN server doesn't have a built-in HTTP-01 challenge, so it requires an external Certbot.

Steps:

  1. You should add Let's Encrypt as a trusted CA for the VPN clients.

  2. Install and configure Certbot: instructions based on your web server and system.

  3. Create a script / task / cronjob that periodically updates the certificate and the key.

    • Certbot renews all certificates that will expire within a month. Therefore, there is up to a month before the old certificate expires, but in order to minimize the chances of this failing, I'd recommend running this script at least once a week.

    • The command, from 6.3.20 "ServerCertSet": Set SSL Certificate and Private Key of VPN Server, is:

      ServerCertSet [/LOADCERT:cert] [/LOADKEY:key]

      /LOADCERT Specify the X.509 format certificate file to use.

      /LOADKEY Specify the Base 64 encoded private key file for the certificate to use.

      For example, on Debian Linux the command might be (note the line continuations; the whole thing is a single command):

      vpncmd /server localhost /password:password /adminhub:DEFAULT \
          /cmd ServerCertSet \
          /LOADCERT:/etc/letsencrypt/live/vpn.example.com/cert.pem \
          /LOADKEY:/etc/letsencrypt/live/vpn.example.com/privkey.pem

Esa Jokinen

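The weekly cron job in step 3 can be replaced by a Certbot deploy hook, which Certbot runs only after a renewal has actually succeeded and which receives the renewed lineage in its environment. The script below is an added example, not code from the answer above or from the SoftEther project; the host name vpn.example.com and the password file /etc/softether/vpncmd-password are placeholders you would adjust, and it assumes vpncmd is on the PATH.

```shell
#!/bin/sh
# Certbot deploy hook for SoftEther (constructed example, not from the answer).
# certbot runs --deploy-hook scripts only after a successful renewal, exporting
# RENEWED_LINEAGE (the live directory) and RENEWED_DOMAINS (space-separated),
# so ServerCertSet runs exactly when a new certificate exists.
# Assumed values: VPN host name vpn.example.com and a root-only (mode 0600)
# password file /etc/softether/vpncmd-password; both are placeholders.
set -eu

VPN_HOST="vpn.example.com"
PASSWORD_FILE="/etc/softether/vpncmd-password"

# Succeeds only if the renewed lineage covers the VPN host name: certbot runs
# the hook for every lineage on the machine, not just the VPN server's.
renewed_for_host() {
    host="$1"
    shift
    for d in "$@"; do
        [ "$d" = "$host" ] && return 0
    done
    return 1
}

# Refuse to touch the running server unless both files look like PEM.
pem_files_ok() {
    lineage="$1"
    grep -q -- '-----BEGIN CERTIFICATE-----' "$lineage/cert.pem" 2>/dev/null &&
        grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$lineage/privkey.pem" 2>/dev/null
}

# Load the new certificate and key with the same ServerCertSet command as in
# the answer, with the admin password read from a file instead of typed here.
load_into_softether() {
    lineage="$1"
    pw=$(cat "$PASSWORD_FILE")
    vpncmd localhost /SERVER "/PASSWORD:$pw" \
        /CMD ServerCertSet "/LOADCERT:$lineage/cert.pem" "/LOADKEY:$lineage/privkey.pem"
}

# Only act when invoked by certbot; running the script by hand does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    # shellcheck disable=SC2086  # RENEWED_DOMAINS is meant to be word-split
    if renewed_for_host "$VPN_HOST" ${RENEWED_DOMAINS:-}; then
        pem_files_ok "$RENEWED_LINEAGE" || { echo "unexpected PEM files in $RENEWED_LINEAGE" >&2; exit 1; }
        load_into_softether "$RENEWED_LINEAGE"
    fi
fi
```

Install it as executable under /etc/letsencrypt/renewal-hooks/deploy/ (or pass it with --deploy-hook); Certbot's own renewal timer then handles the scheduling, and the VPN server is reloaded only when a certificate for its host name was actually renewed.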
It is not required that the VPN server be publicly accessible on port 80 for the Let's Encrypt challenge. You can use the --preferred-challenges DNS option and create a DNS TXT record for your host.

For example: certbot certonly -d yourhost.your.domain --manual --preferred-challenges dns

This will give you a prompt to create the new DNS TXT record:


Please deploy a DNS TXT record under the name _acme-challenge.yourhost.your.domain with the following value:

somerandomlygeneratedkey

Before continuing, verify the record is deployed.


ElApe