Overview
Some customers prefer installing Let's Encrypt SSL certificates and automating their renewal. Certbot is a common tool for this, but its standalone HTTP-01 challenge needs inbound TCP port 80, which some networks block. In such cases you can use LEGO as an alternative: it supports the same HTTP-01 challenge and can also complete the TLS-ALPN-01 challenge over TCP port 443.
Prerequisites
- Domain name: you need a domain name that resolves to the external IP address of your Access Server (e.g., sslexample.com).
- Configure the domain name: set it in the Admin Web UI under Configuration > Network Settings > Hostname or IP Address.
Step 1: Install LEGO
Note: the LEGO project moved from xenolf/lego to go-acme/lego on GitHub. The old repository name still redirects, so the API URLs below keep working. Before extracting a downloaded archive, compare it against the checksum file published with that release.
For AMD64 Systems:
- Become root and download the latest LEGO release:
sudo su
URL=$(curl -Ls https://api.github.com/repos/xenolf/lego/releases/latest | grep browser_download_url | grep linux_amd64 | cut -d '"' -f 4)
wget -q "$URL"
- Extract the version number from the URL (the release tag is the eighth slash-separated field) and use tar to extract the downloaded archive:
VERSION=$(echo "$URL" | awk -F'/' '{print $8}')
tar xf lego_${VERSION}_linux_amd64.tar.gz
- Move the binary to /usr/bin/:
mv lego /usr/bin/
For ARM64 Systems:
- Become root and download the latest LEGO release:
sudo su
URL=$(curl -Ls https://api.github.com/repos/xenolf/lego/releases/latest | grep browser_download_url | grep linux_arm64 | cut -d '"' -f 4)
wget -q "$URL"
- Extract the version number from the URL and use tar to extract the downloaded archive:
VERSION=$(echo "$URL" | awk -F'/' '{print $8}')
tar xf lego_${VERSION}_linux_arm64.tar.gz
- Move the binary to /usr/bin/:
mv lego /usr/bin/
Verify Installation
Run the following command to confirm LEGO is installed:
lego -v
Step 2: Issue SSL certificates
With LEGO installed, you can now generate the SSL certificates for your Access Server domain name.
- Create a directory for storing certificates:
mkdir -p /etc/lego
- Generate the certificates using the TLS-ALPN-01 challenge on HTTPS port 443:
lego --email="you@openvpn.com" --domains="sslexample.com" --tls --path="/etc/lego" run
- The above command requires an email address for renewal and security notices. At the time of writing, the use of email is mandatory. There is a feature request on the LEGO GitHub to add an option to omit the email.
- The first run of LEGO requires accepting the current Let's Encrypt terms of service. You can press 'Y' at the command-line prompt or add
--accept-tos
to the command above to accept the ToS.
- If your Access Server is running and using port 443 (the default configuration), you receive an error like "could not start HTTPS server for the challenge: listen tcp :443: bind: address already in use". Use the HTTP-01 challenge instead, as described below. Whichever challenge you choose, the port must be reachable from the Internet, because Let's Encrypt's validation servers connect to it.
- If you want to issue your SSL certificates using the HTTP-01 challenge on port 80, run this command:
lego --email="you@openvpn.com" --domains="sslexample.com" --http --path="/etc/lego" run
Notes:
- Replace "you@openvpn.com" in the command with your email address.
- Replace "sslexample.com" in the command with the domain name of your Access Server.
- After running the above commands, the certificates are stored in /etc/lego/certificates. The directory and its files are created readable only by root, which is what you want because the private key lives there. You'll see files like this:
- sslexample.com.crt (certificate)
- sslexample.com.issuer.crt (CA bundle)
- sslexample.com.key (private key)
- sslexample.com.json (LEGO's own metadata about the certificate; it is not installed into Access Server)
root@Ubuntu20AS:~# ls -lah /etc/lego/certificates
total 24K
drwx------ 2 root root 4.0K Jun 7 15:46 .
drwxr-xr-x 4 root root 4.0K Jun 7 15:46 ..
-rw------- 1 root root 2.8K Jun 7 15:46 sslexample.com.crt
-rw------- 1 root root 1.6K Jun 7 15:46 sslexample.com.issuer.crt
-rw------- 1 root root 240 Jun 7 15:46 sslexample.com.json
-rw------- 1 root root 227 Jun 7 15:46 sslexample.com.key
Step 3: Install the SSL certificates
- Install the certificate files (sslexample.com.crt, sslexample.com.issuer.crt, and sslexample.com.key) into the Access Server configuration with these commands; the final sacli start restarts the Access Server services so the new certificate is used:
sudo su
/usr/local/openvpn_as/scripts/sacli --key "cs.priv_key" --value_file "/etc/lego/certificates/sslexample.com.key" ConfigPut
/usr/local/openvpn_as/scripts/sacli --key "cs.cert" --value_file "/etc/lego/certificates/sslexample.com.crt" ConfigPut
/usr/local/openvpn_as/scripts/sacli --key "cs.ca_bundle" --value_file "/etc/lego/certificates/sslexample.com.issuer.crt" ConfigPut
/usr/local/openvpn_as/scripts/sacli start
- Refresh the Access Server Admin Web UI to see the installed certificates. Let's Encrypt certificates are valid for 90 days, which is why the next step automates renewal.
Step 4: Automate certificate renewal
Let's Encrypt certificates expire after 90 days, so set up a renewal job as follows:
- Create a bash script to renew the certificates using nano under /usr/local/sbin/legorenew.sh (legorenew.sh is the script name used in this example):
nano /usr/local/sbin/legorenew.sh
- Add the following content to the script:
#!/bin/bash
lego --email="you@openvpn.com" --domains="sslexample.com" --tls --path="/etc/lego" renew
sleep 30
/usr/local/openvpn_as/scripts/sacli --key "cs.priv_key" --value_file "/etc/lego/certificates/sslexample.com.key" ConfigPut
/usr/local/openvpn_as/scripts/sacli --key "cs.cert" --value_file "/etc/lego/certificates/sslexample.com.crt" ConfigPut
/usr/local/openvpn_as/scripts/sacli --key "cs.ca_bundle" --value_file "/etc/lego/certificates/sslexample.com.issuer.crt" ConfigPut
/usr/local/openvpn_as/scripts/sacli start
- Replace sslexample.com with your domain name and you@openvpn.com with your email address.
- Use the same challenge flag that worked in Step 2. If Access Server occupies port 443 and you had to issue with --http, renewal with --tls fails with the same "address already in use" error, so change --tls to --http in the script as well.
- Note that this script restarts Access Server on every run, whether or not a new certificate was issued.
- Save and close the file (Ctrl+x, y, Enter).
- Make the script executable:
sudo chmod +x /usr/local/sbin/legorenew.sh
- Add a cron job to automate the renewal:
sudo crontab -e
- If you're prompted to choose a text editor, we recommend using nano as it's easy to use.
- Add the following lines at the end of the file:
SHELL=/bin/bash
0 8 1 * * /usr/local/sbin/legorenew.sh
- This example runs the script on the 1st of every month at 8:00 AM. LEGO only renews when the certificate is within 30 days of expiry (its --days default) and otherwise exits without contacting Let's Encrypt, so running the job more often, for example weekly, costs nothing and leaves more time to notice a failed renewal before the certificate expires. Adjust as needed.
- Save and exit by pressing Ctrl+x, then y (if you use nano).
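The following is an added example of a sturdier legorenew.sh, not the script from this article or from OpenVPN. It keeps the same lego and sacli commands and paths as above, but lets you pick the challenge (http or tls) in one place, aborts before touching Access Server if lego fails, and only pushes the files and restarts Access Server when the certificate on disk actually changed. The CHALLENGE variable, the state file /etc/lego/.installed-cert-sha256 and the function names are this example's own assumptions.

```shell
#!/bin/bash
# Added example renewal wrapper for LEGO + OpenVPN Access Server (not the
# article's own script). The CHALLENGE variable and STATE_FILE location are
# this example's assumptions; adjust DOMAIN and EMAIL for your server.
set -eu

DOMAIN="${DOMAIN:-sslexample.com}"       # assumption: your Access Server hostname
EMAIL="${EMAIL:-you@openvpn.com}"        # assumption: your contact address
LEGO_PATH="${LEGO_PATH:-/etc/lego}"
CHALLENGE="${CHALLENGE:-http}"           # "http" (port 80) or "tls" (port 443)
SACLI="${SACLI:-/usr/local/openvpn_as/scripts/sacli}"
STATE_FILE="${STATE_FILE:-$LEGO_PATH/.installed-cert-sha256}"  # assumed marker file
CERT_DIR="$LEGO_PATH/certificates"

# SHA-256 of a file, used to tell whether lego actually issued a new certificate.
cert_fingerprint() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 (true) when the certificate differs from the one last pushed into
# Access Server, i.e. when ConfigPut and a restart are actually needed.
# Returns 2 when the certificate file is missing or empty.
needs_install() {
    local cert="$1" state="$2" current previous
    [ -s "$cert" ] || { echo "missing certificate: $cert" >&2; return 2; }
    current=$(cert_fingerprint "$cert")
    previous=$(cat "$state" 2>/dev/null || true)
    [ "$current" != "$previous" ]
}

# Record which certificate is now live in Access Server.
record_install() {
    cert_fingerprint "$1" > "$2"
}

# Map the challenge name to the lego flag; anything else is an error so a
# typo never silently falls through to the wrong port.
challenge_flag() {
    case "$1" in
        http) echo "--http" ;;
        tls)  echo "--tls" ;;
        *)    echo "unknown challenge type: $1" >&2; return 1 ;;
    esac
}

# Ask lego to renew. With lego's default --days 30 this is a no-op until the
# certificate is within 30 days of expiry, so the job is safe to run often.
renew_certificate() {
    local flag
    flag=$(challenge_flag "$CHALLENGE")
    lego --email="$EMAIL" --domains="$DOMAIN" "$flag" --path="$LEGO_PATH" renew
}

# Load key, certificate and issuer chain into Access Server and restart it.
install_into_access_server() {
    "$SACLI" --key "cs.priv_key" --value_file "$CERT_DIR/$DOMAIN.key" ConfigPut
    "$SACLI" --key "cs.cert" --value_file "$CERT_DIR/$DOMAIN.crt" ConfigPut
    "$SACLI" --key "cs.ca_bundle" --value_file "$CERT_DIR/$DOMAIN.issuer.crt" ConfigPut
    "$SACLI" start
}

main() {
    renew_certificate   # set -e aborts here if lego fails, before any restart
    if needs_install "$CERT_DIR/$DOMAIN.crt" "$STATE_FILE"; then
        install_into_access_server
        record_install "$CERT_DIR/$DOMAIN.crt" "$STATE_FILE"
        echo "installed renewed certificate for $DOMAIN"
    else
        echo "certificate for $DOMAIN unchanged; Access Server not restarted"
    fi
}

# Only run when executed as legorenew.sh, so the functions above can be
# sourced and exercised without calling lego or sacli.
if [ "$(basename "$0")" = "legorenew.sh" ]; then
    main "$@"
fi
```

Install it as /usr/local/sbin/legorenew.sh and point the same cron entry at it; set CHALLENGE=tls in the script (or in the crontab line) only if port 443 is free for lego. Because the wrapper restarts Access Server only when the certificate file's hash changes, you can schedule it daily without causing needless service restarts, and a lego failure leaves the currently installed certificate untouched.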
If you have additional questions, please submit a ticket.