Description:
Some customers want to install Let's Encrypt SSL Certificates and automate this via Certbot.
Prerequisites:
- You need a domain name pointing to your external Access Server IP, in our example, ‘sslexample.com’.
- Configure the domain name in the Admin Web UI under Configuration > Network Settings > Hostname or IP Address.
Step 1: Install CertBot
For Ubuntu and Debian
+ Update the Linux Repos and install the certbot tool:
sudo su
apt update && apt -y install certbot
For RHEL and CentOS
+ Install EPEL (Extra Packages for Enterprise Linux) repository and then the certbot tool:
sudo su
yum install epel-release
yum install certbot
Note: Certbot supports other installation methods, such as PIP and SNAP. Refer to the certbot documentation for details.
Step 2: Issue certificates
With certbot installed, you can now generate the SSL certificates for your Access Server domain name using the below commands:
certbot certonly --standalone --preferred-challenges http -d sslexample.com
The above command asks you for an email address, which Let's Encrypt uses for renewal and security notices.
Providing an email address is optional; to skip it, run this command instead:
certbot certonly --standalone --register-unsafely-without-email --preferred-challenges http -d sslexample.com
Notes:
- Replace "sslexample.com" in the command with the domain name of your Access Server.
- These commands use TCP port 80 (HTTP).
After running the above commands, your certificate files (fullchain.pem, chain.pem, cert.pem, privkey.pem) will be placed in the /etc/letsencrypt/live/sslexample.com directory.
Step 3: Install certificates
Load the certificate files (cert.pem, chain.pem, and privkey.pem) into Access Server with these commands:
sudo su
/usr/local/openvpn_as/scripts/sacli --key "cs.priv_key" --value_file "/etc/letsencrypt/live/sslexample.com/privkey.pem" ConfigPut
/usr/local/openvpn_as/scripts/sacli --key "cs.cert" --value_file "/etc/letsencrypt/live/sslexample.com/cert.pem" ConfigPut
/usr/local/openvpn_as/scripts/sacli --key "cs.ca_bundle" --value_file "/etc/letsencrypt/live/sslexample.com/chain.pem" ConfigPut
/usr/local/openvpn_as/scripts/sacli start
After this, refresh your Access Server Admin Web UI to see the details of your Let's Encrypt SSL certificates, good for three months.
Step 4: Automate certificate reissues
Most certbot installations come with automatic renewals preconfigured. You can check the system scheduler configuration (/etc/crontab or /etc/cron.*/*) or the systemd timers (systemctl list-timers) to ensure that the certbot renew command is scheduled.
If you need to set up auto-renew manually, follow the below steps:
+ Create a bash script using nano under "/usr/local/sbin/certbotrenew.sh" (For this example, certbotrenew.sh is the name of the bash script):
nano /usr/local/sbin/certbotrenew.sh
+ Copy the below lines as the content of the bash script (don't forget to replace sslexample.com with your domain name):
#!/bin/bash
# Renew any certificate that is due, then load the current files into Access Server.
certbot renew --standalone
sleep 30
/usr/local/openvpn_as/scripts/sacli --key "cs.priv_key" --value_file "/etc/letsencrypt/live/sslexample.com/privkey.pem" ConfigPut
/usr/local/openvpn_as/scripts/sacli --key "cs.cert" --value_file "/etc/letsencrypt/live/sslexample.com/cert.pem" ConfigPut
/usr/local/openvpn_as/scripts/sacli --key "cs.ca_bundle" --value_file "/etc/letsencrypt/live/sslexample.com/chain.pem" ConfigPut
/usr/local/openvpn_as/scripts/sacli start
+ Press ctrl+x, y, and enter to save and exit the file.
+ Make the bash script executable:
sudo chmod +x /usr/local/sbin/certbotrenew.sh
+ Open the crontab file for the account you are logged on as:
sudo crontab -e
You may be asked which text editor to use when doing this for the first time. We tend to advise nano as it's easy to use. At the bottom of the crontab file, add these two lines:
SHELL=/bin/bash
0 8 1 * * /usr/local/sbin/certbotrenew.sh
This example will renew the Let's Encrypt SSL certificates at 08:00 am on day 1 of every month. You can adjust this according to your needs.
+ Save and exit by pressing Ctrl+x, then y (if you use nano).
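The script above reloads the certificate and restarts Access Server on every cron run, even when certbot renewed nothing (certbot renew exits 0 either way). As an added example, not part of the original article, here is a variant of certbotrenew.sh that records a hash of the deployed cert.pem and only runs the sacli commands when that file has changed; the DOMAIN and STAMP variables, the stamp file location and the --renew flag are assumptions.

```shell
#!/bin/bash
# Added example (not from the original article): a replacement for certbotrenew.sh
# that only loads the certificate into Access Server and restarts it when cert.pem
# has actually changed since the last deployment. "certbot renew" exits 0 whether
# or not it renewed anything, so the article's script restarts Access Server on
# every cron run. DOMAIN, STAMP and the "--renew" flag are assumptions.
set -eu

DOMAIN="${DOMAIN:-sslexample.com}"               # replace with your Access Server domain
LINEAGE="/etc/letsencrypt/live/${DOMAIN}"
STAMP="${STAMP:-/var/lib/openvpn_as_certstamp}"  # assumed path for the hash of the last cert
SACLI="/usr/local/openvpn_as/scripts/sacli"

# SHA-256 of a file (shasum fallback for systems without coreutils).
file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# True (exit 0) when cert_file differs from the hash in stamp_file, or no stamp exists yet.
cert_changed() {
    local cert_file="$1" stamp_file="$2"
    [ -f "$stamp_file" ] || return 0
    [ "$(file_hash "$cert_file")" != "$(cat "$stamp_file")" ]
}

# Remember the hash of cert_file so later runs skip an unchanged certificate.
record_deployed() {
    local cert_file="$1" stamp_file="$2"
    file_hash "$cert_file" > "$stamp_file"
}

# Load key, certificate and chain into the Access Server config store, then restart.
deploy_to_access_server() {
    local lineage="$1"
    "$SACLI" --key "cs.priv_key"  --value_file "${lineage}/privkey.pem" ConfigPut
    "$SACLI" --key "cs.cert"      --value_file "${lineage}/cert.pem"    ConfigPut
    "$SACLI" --key "cs.ca_bundle" --value_file "${lineage}/chain.pem"   ConfigPut
    "$SACLI" start
}

# Only renew and deploy when called with --renew (as from cron); defining the functions
# alone has no side effects, which keeps the script safe to source or test.
if [ "${1:-}" = "--renew" ]; then
    certbot renew --standalone --quiet
    if cert_changed "${LINEAGE}/cert.pem" "$STAMP"; then
        deploy_to_access_server "$LINEAGE"
        record_deployed "${LINEAGE}/cert.pem" "$STAMP"
    fi
fi
```

With this variant the crontab line becomes 0 8 1 * * /usr/local/sbin/certbotrenew.sh --renew, and because the check is hash-based it can also be run more often (certbot's own guidance is twice daily) without restarting Access Server each time.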
If you have additional questions, please submit a ticket.