So you’ve launched a new EC2 instance running OpenVPN, SSH’ed in and completed the setup. You can connect to the admin UI, but you get a warning about the certificate; this is completely safe but annoying. For me it was a bit more complicated, because we wanted to transition our development URLs to our new three-letter .dev domain. And you know how that complicates things… so let’s encrypt.
SSH back in and install Let’s Encrypt’s certbot:
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot
We’re going to stop OpenVPN, generate a cert, and create symbolic links from the new cert and key to the files OpenVPN uses as its cert. Then we create a cron job to renew the cert for us.
sudo service openvpnas stop
sudo certbot certonly --standalone --agree-tos --non-interactive \
    --email email@example.com \
    --domains vpn.domain.dev \
    --pre-hook 'sudo service openvpnas stop' \
    --post-hook 'sudo service openvpnas start'
sudo ln -s -f /etc/letsencrypt/live/vpn.domain.dev/cert.pem /usr/local/openvpn_as/etc/web-ssl/server.crt
sudo ln -s -f /etc/letsencrypt/live/vpn.domain.dev/privkey.pem /usr/local/openvpn_as/etc/web-ssl/server.key
sudo service openvpnas start
In every command except the first and last, substitute your own domain. Finally we create a cron job to renew the certificate. I’ve selected to run it every 3rd month: https://crontab.guru/#0_4_1_*/3_*
sudo crontab -e
and add this line:
0 4 1 */3 * sudo certbot -q renew
The pre/post hooks we defined initially were not honored during the creation of the cert, which is why we also stopped and started the service by hand; they are honored during the renewal.
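As an added example that is not part of the original post, here is a certbot deploy hook that performs the cert-to-OpenVPN handover after each successful renewal, instead of relying on symlinks into /etc/letsencrypt. It checks that the renewed certificate and private key actually belong together before installing them, copies fullchain.pem (leaf plus intermediate) rather than cert.pem so clients that do not fetch intermediates still build a valid chain, and sets restrictive permissions on the key. The web-ssl directory and the RENEWED_LINEAGE variable are from the page and certbot respectively; the function names and the days_until_expiry helper are my own.

```shell
#!/bin/sh
# Added example (not from the original post): certbot --deploy-hook for
# OpenVPN Access Server. certbot runs the hook once per successful renewal
# and exports RENEWED_LINEAGE, the live directory of the renewed certificate
# (e.g. /etc/letsencrypt/live/vpn.domain.dev).
# Assumption: OpenVPN AS reads server.crt/server.key from WEBSSL_DIR, as on the page.
set -u

WEBSSL_DIR="${WEBSSL_DIR:-/usr/local/openvpn_as/etc/web-ssl}"

# Return 0 if the certificate and private key carry the same public key,
# 1 otherwise (or if either file cannot be parsed). Installing a mismatched
# pair would leave the admin UI and VPN clients unable to connect.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Copy a Let's Encrypt lineage into the web-ssl directory as regular files.
# fullchain.pem is used for server.crt so the intermediate is served too.
install_web_cert() {
    lineage="$1"; dest="$2"
    for f in fullchain.pem privkey.pem; do
        [ -r "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; return 1; }
    done
    mkdir -p "$dest"
    cp "$lineage/fullchain.pem" "$dest/server.crt"
    cp "$lineage/privkey.pem"   "$dest/server.key"
    chmod 644 "$dest/server.crt"
    chmod 600 "$dest/server.key"
}

# Print the number of whole days until the certificate expires; handy as a
# monitoring check that is independent of the cron job (GNU date, as on Ubuntu).
days_until_expiry() {
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    end_epoch=$(date -d "$end" +%s)
    now_epoch=$(date +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Deploy flow: only runs when certbot invoked this script as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    cert_matches_key "$RENEWED_LINEAGE/fullchain.pem" "$RENEWED_LINEAGE/privkey.pem" \
        || { echo "cert/key mismatch in $RENEWED_LINEAGE" >&2; exit 1; }
    install_web_cert "$RENEWED_LINEAGE" "$WEBSSL_DIR" || exit 1
    service openvpnas restart
fi
```

Save it as an executable script and pass it with `certbot renew --deploy-hook /path/to/script`, or drop it into /etc/letsencrypt/renewal-hooks/deploy/ so every renewal picks it up. Note that `certbot renew` only replaces a certificate when it is within 30 days of expiry and is otherwise a no-op, so running it daily is safer than the once-per-quarter schedule above: with a single run every three months, one failed attempt (a network hiccup, port 80 blocked) leaves the 90-day certificate to expire before the next try.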