@sabbour
Created October 21, 2018 07:02
#!/bin/bash
# update-openvpn-certs.sh
# Load a Let's Encrypt lineage into OpenVPN Access Server's config DB with sacli, then (re)start its services.
# Replace <YOUR DOMAIN NAME> with the lineage directory name under /etc/letsencrypt/live/.
set -e
SACLI=/usr/local/openvpn_as/scripts/sacli
$SACLI --key "cs.priv_key" --value_file "/etc/letsencrypt/live/<YOUR DOMAIN NAME>/privkey.pem" ConfigPut    # server private key
$SACLI --key "cs.cert" --value_file "/etc/letsencrypt/live/<YOUR DOMAIN NAME>/fullchain.pem" ConfigPut      # server certificate (the comments below report that cert.pem, not fullchain.pem, worked here)
$SACLI --key "cs.ca_bundle" --value_file "/etc/letsencrypt/live/<YOUR DOMAIN NAME>/chain.pem" ConfigPut     # issuing CA chain
$SACLI start
@MoeJoe87

MoeJoe87 commented Jul 2, 2019

How did that work for you? You are using fullchain and the chain but no cert.pem? How should that work?

If I use your 3 lines I get:

"errors": {
"iptables_web": [
[
"error",
"service failed to start due to unresolved dependencies: set(['web'])"
]
],
"web": [
[
"error",
"process started and then immediately exited: 2019-07-02T13:56:23+0100 [stderr#error] OpenSSL.SSL.Error: [('x509 certificate routines', 'X509_check_private_key', 'key values mismatch')]"
],
[
"error",
"service failed to start or returned error status"

@sabbour
Author

sabbour commented Jul 2, 2019

I don't remember the context of this

@MoeJoe87

MoeJoe87 commented Jul 2, 2019

Alright, np. My fault was that I was following your commands for about 2 hours until I figured out that the fullchain is not needed, but instead the cert.pem. So the right commands would be:

./sacli --key "cs.priv_key" --value_file "/etc/letsencrypt/live//privkey.pem" ConfigPut
./sacli --key "cs.cert" --value_file "/etc/letsencrypt/live//cert.pem" ConfigPut
./sacli --key "cs.ca_bundle" --value_file "/etc/letsencrypt/live//chain.pem" ConfigPut
./sacli start

But the easier way is to delete the certificates from the DB with the following commands:
./confdba -mk cs.ca_bundle
./confdba -mk cs.priv_key
./confdba -mk cs.cert

And then just link the certs to the /config/etc/web-ssl folder (directly from the letsencrypt folder, because when the renewal happens the links are still the same and everything still works without touching or making any pre- and post-hooks).

sudo ln -s -f /etc/letsencrypt/live/YOUR_DOMAIN/cert.pem /usr/local/openvpn_as/etc/web-ssl/server.crt
sudo ln -s -f /etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem /usr/local/openvpn_as/etc/web-ssl/server.key
sudo ln -s -f /etc/letsencrypt/live/YOUR_DOMAIN/chain.pem /usr/local/openvpn_as/etc/web-ssl/ca.crt

I'm using openvpn-as in docker, so the only thing I have to take care of now is to create the symlinks every time after I recreate the docker container. The rest is already automated by certbot and I don't need pre or post hooks.

Cheers,
Moli
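The two approaches in this thread both hand OpenVPN Access Server a key/cert pair without checking that the pair actually matches, which is exactly what the "X509_check_private_key: key values mismatch" error above is complaining about. The script below is an added example (not the gist's code, not the commenter's, and not from OpenVPN) of a certbot deploy hook that validates the lineage first and then pushes it with the same sacli keys the gist uses. It assumes sacli is at the default /usr/local/openvpn_as/scripts/sacli (override with the SACLI environment variable), uses openssl to compare public keys, and takes the lineage directory from RENEWED_LINEAGE, which certbot exports to deploy hooks, or from its first argument. It installs cert.pem rather than fullchain.pem, following the commenter's report above.

```shell
#!/bin/sh
# deploy-openvpn-as-cert.sh: certbot deploy hook for OpenVPN Access Server.
# Added example, not code from the gist or from OpenVPN. Assumptions: sacli is
# at the default path below (override with $SACLI); the lineage directory comes
# from RENEWED_LINEAGE (exported by certbot to deploy hooks) or from argv[1].
set -eu

SACLI="${SACLI:-/usr/local/openvpn_as/scripts/sacli}"

# Count CERTIFICATE blocks in a PEM file. cert.pem should hold exactly one;
# fullchain.pem holds the leaf plus intermediates, chain.pem only the intermediates.
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Succeed only if the certificate's public key equals the private key's public
# key. This is the check behind the "X509_check_private_key: key values
# mismatch" error quoted in the thread; run it before restarting the web service.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Validate a certbot lineage directory, then load it via sacli and restart.
install_lineage() {
    lineage="$1"
    key="$lineage/privkey.pem"; cert="$lineage/cert.pem"; chain="$lineage/chain.pem"
    for f in "$key" "$cert" "$chain"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    [ "$(pem_cert_count "$cert")" = 1 ] || {
        echo "$cert should contain exactly one certificate" >&2; return 1; }
    cert_matches_key "$cert" "$key" || {
        echo "$cert does not match $key; refusing to install" >&2; return 1; }
    "$SACLI" --key "cs.priv_key"  --value_file "$key"   ConfigPut
    "$SACLI" --key "cs.cert"      --value_file "$cert"  ConfigPut
    "$SACLI" --key "cs.ca_bundle" --value_file "$chain" ConfigPut
    "$SACLI" start
}

# certbot sets RENEWED_LINEAGE when it runs the hook; allow a manual path too.
LINEAGE="${RENEWED_LINEAGE:-${1:-}}"
if [ -n "$LINEAGE" ]; then
    install_lineage "$LINEAGE"
fi
```

Drop the script, made executable, into /etc/letsencrypt/renewal-hooks/deploy/ (certbot runs everything there after a successful renewal) or pass it with `certbot renew --deploy-hook`. Unlike the symlink approach, nothing has to be redone when a container is recreated, and a mismatched or chain-only file is rejected before Access Server's web service is restarted into a failing state.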

@ryanbeaton

Thanks for that, you just helped me out :)
