AWS OpenVPN & Let’s Encrypt

Mike Garde
Jan 16 · 2 min read

So you’ve launched a new EC2 instance running OpenVPN Access Server, SSH’ed in and completed the setup. You can connect to the admin UI, but the browser warns about the certificate: harmless, since it is just the default certificate OpenVPN installs, but annoying. For me it was a bit more complicated because we wanted to move our development URLs to our new three-letter .dev domain. And you know how that complicates things… so let’s encrypt.

SSH back in and install Let’s Encrypt’s certbot:

sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot

We’re going to stop OpenVPN, generate a cert, symlink the new cert and key over the files OpenVPN uses for its web certificate, then create a cron job to renew the cert for us.

sudo service openvpnas stop
sudo certbot certonly --standalone --agree-tos --non-interactive \
    --email <your-email> \
    --domains <your-domain> \
    --pre-hook 'sudo service openvpnas stop' \
    --post-hook 'sudo service openvpnas start'
# The <...> placeholders were lost in extraction; fullchain.pem and privkey.pem are
# the file names certbot writes under /etc/letsencrypt/live/<your-domain>/.
sudo ln -s -f /etc/letsencrypt/live/<your-domain>/fullchain.pem /usr/local/openvpn_as/etc/web-ssl/server.crt
sudo ln -s -f /etc/letsencrypt/live/<your-domain>/privkey.pem /usr/local/openvpn_as/etc/web-ssl/server.key
sudo service openvpnas start

Substitute your own email and domain in every command except the first and last. Finally we create a cron job to renew the cert; I’ve chosen to run it every third month.

sudo crontab -e

And add this line:

0 4 1 */3 * sudo certbot -q renew

The pre/post hooks we passed to certonly were not honored while the cert was first created, which is why we also stopped and started OpenVPN ourselves around it; they are honored during renewal instead.
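A check worth running once the setup is done, and again whenever you doubt the cron job: it confirms the two symlinks still point into certbot’s live directory, that the key matches the cert, and that the cert is not within certbot’s 30-day renewal window. This is an added example, not part of the original post; it assumes the web-ssl paths above and certbot’s standard fullchain.pem/privkey.pem layout.

```shell
#!/bin/sh
# Post-setup check for the OpenVPN AS web certificate (added example, not from the post).
# Assumes the two web-ssl symlinks created above and certbot's standard live/ layout.
OVPN_CRT=/usr/local/openvpn_as/etc/web-ssl/server.crt
OVPN_KEY=/usr/local/openvpn_as/etc/web-ssl/server.key

# 0 if PATH ($2) resolves (through symlinks) to a file under DIR ($1).
links_into() {
    target=$(readlink -f "$2" 2>/dev/null) || return 1
    case "$target" in "$1"/*) return 0 ;; esac
    return 1
}

# 0 if the private key belongs to the certificate: compare the public key each yields.
cert_key_match() {
    crt_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# 0 if the certificate is still valid DAYS ($2) days from now (openssl -checkend).
cert_ok_for_days() {
    openssl x509 -noout -in "$1" -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Run all checks against the live OpenVPN AS paths. 30 days is the point at which
# "certbot renew" actually replaces the cert, so a failure here means the cron job
# has not successfully run since the last renewal window.
check_openvpn_web_cert() {
    for f in "$OVPN_CRT" "$OVPN_KEY"; do
        links_into /etc/letsencrypt/live "$f" || { echo "FAIL: $f does not link into /etc/letsencrypt/live"; return 1; }
    done
    cert_key_match "$OVPN_CRT" "$OVPN_KEY" || { echo "FAIL: server.key does not match server.crt"; return 1; }
    cert_ok_for_days "$OVPN_CRT" 30 || { echo "FAIL: cert expires within 30 days; run: sudo certbot renew"; return 1; }
    echo "OK: $(openssl x509 -noout -subject -enddate -in "$OVPN_CRT" | tr '\n' ' ')"
}

# Only run the live check when invoked as: sudo sh check-vpn-cert.sh --check
if [ "${1:-}" = "--check" ]; then
    check_openvpn_web_cert
fi
```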
