Monthly Archives: Feb 2016

LetsEncrypt working with OpenVPN data-share

I have a fairly specific use case, and this is too help those that may need to automate renewals if you have

  • OpenVPN on tcp/443, with port-share enabled
  • NGINX as your webserver

First to configure port-share on OpenVPN add the following to your server.conf

port 443
port-share 8443

On your NGINX CONF your port config should look like

listen 8443;

Basically you are now using built-in detection of OpenVPN to detect SSLVPN or HTTPS traffic coming in on port 443/tcp, and if it detects HTTPS traffic forwards it on to your NGINX daemon on port tcp/8443

To get you certificates to renew when you are using NGINX is a bit of a pain, especially if you are using port-share but it is doable with a small amount of downtime. I use a script by Acetylator from the LetsEncrypt community forums. How-to: completely automating certificate renewals on Debian

At the top I added

service openvpn stop

and at the bottom

service openvpn stop

There is probably a more elegant way to do this, but I am not a *nix guy .

For the script to work correctly you need a copy of cli.ini in your /etc/letsencrypt folder. Mine looks like below:

# This is an example of the kind of things you can do in a configuration file.
# All flags used by the client can be configured here. Run Let’s Encrypt with
# “–help” to learn more about the available options.
# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096
# Uncomment and update to register with the specified e-mail address
email = [email protected]
# Uncomment and update to generate certificates for the specified
# domains.
domains = www.domain.tld domain.tld
# Uncomment to use a text interface instead of ncurses
text = True
# Uncomment to use the standalone authenticator on port 443
# authenticator = standalone
# standalone-supported-challenges = tls-sni-01
# Uncomment to use the webroot authenticator. Replace webroot-path with the
# path to the public_html / webroot folder being served by your web server.
# authenticator = webroot
# webroot-path = /usr/share/nginx/html

I have a cron job that runs once a week calling this script and so far with 1 renewal that has happened it all worked as expected, such a rare occurrence.