I have a fairly specific use case, and this is too help those that may need to automate renewals if you have
- OpenVPN on tcp/443, with port-share enabled
- NGINX as your webserver
First to configure port-share on OpenVPN add the following to your server.conf
port-share 127.0.0.1 8443
On your NGINX CONF your port config should look like
Basically you are now using built-in detection of OpenVPN to detect SSLVPN or HTTPS traffic coming in on port 443/tcp, and if it detects HTTPS traffic forwards it on to your NGINX daemon on port tcp/8443
To get you certificates to renew when you are using NGINX is a bit of a pain, especially if you are using port-share but it is doable with a small amount of downtime. I use a script by Acetylator from the LetsEncrypt community forums. How-to: completely automating certificate renewals on Debian
At the top I added
service openvpn stop
and at the bottom
service openvpn stop
There is probably a more elegant way to do this, but I am not a *nix guy .
For the script to work correctly you need a copy of cli.ini in your /etc/letsencrypt folder. Mine looks like below:
# This is an example of the kind of things you can do in a configuration file.
# All flags used by the client can be configured here. Run Let’s Encrypt with
# “–help” to learn more about the available options.
# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096
# Uncomment and update to register with the specified e-mail address
email = [email protected]
# Uncomment and update to generate certificates for the specified
domains = www.domain.tld domain.tld
# Uncomment to use a text interface instead of ncurses
text = True
# Uncomment to use the standalone authenticator on port 443
# authenticator = standalone
# standalone-supported-challenges = tls-sni-01
# Uncomment to use the webroot authenticator. Replace webroot-path with the
# path to the public_html / webroot folder being served by your web server.
# authenticator = webroot
# webroot-path = /usr/share/nginx/html
I have a cron job that runs once a week calling this script and so far with 1 renewal that has happened it all worked as expected, such a rare occurrence.