Forked from TheAshwanik/Open VPN with LetsEncrypt certificate
Created
December 2, 2021 23:10
Open VPN with LetsEncrypt certificate
#FilePath: /lib/systemd/system/certbot.service
# Oneshot unit that performs one certbot renewal pass.  It is started by
# certbot.timer (same unit name), so it carries no [Install] section of its own.
# NOTE(review): /lib/systemd/system is the package-owned location; a certbot
# package upgrade may overwrite this edited copy.  A drop-in under
# /etc/systemd/system/certbot.service.d/ would survive upgrades - confirm
# against how this host is provisioned.

[Unit]
Description=Certbot
Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html
Documentation=https://letsencrypt.readthedocs.io/en/latest/

[Service]
# Run to completion and exit; nothing long-lived is supervised.
Type=oneshot
# Private /tmp so certbot's temporary files are not visible to other services.
PrivateTmp=true
# -q keeps a no-op renewal pass silent; failures still show up via the unit's
# exit status in the journal.  The deploy hook is only invoked for lineages
# that were actually renewed.
# NOTE(review): the hook lives in /etc/letsencrypt/renewal-hooks/deploy/,
# a directory certbot appears to scan on its own, so naming it here again
# looks redundant; confirm against the installed certbot version.
ExecStart=/usr/bin/certbot -q renew --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/deploy_hook.sh
#FilePath:/lib/systemd/system/certbot.timer
# Schedules certbot.service (matched by name, so no Unit= is needed).

[Unit]
Description=Run certbot twice daily

[Timer]
# Nominal run points: 00:00 and 12:00 every day ...
OnCalendar=*-*-* 00,12:00:00
# ... each delayed by a random 0-43200 s (up to 12 h), so renewals from many
# hosts do not all hit the ACME server at the same minute.
RandomizedDelaySec=43200
# A run missed while the machine was down is made up after the next boot.
Persistent=true

[Install]
WantedBy=timers.target
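#!/bin/sh
#FilePath: /etc/letsencrypt/renewal-hooks/deploy/deploy_hook.sh
#
# Certbot deploy hook: load the renewed Let's Encrypt certificate, private
# key and chain for $DOMAIN into the OpenVPN Access Server config DB.
#
# Runs as root: certbot.service starts certbot as root and certbot executes
# deploy hooks in that same context, so no sudo prefix is needed.  Certbot
# runs deploy hooks after the pre_hook and before the post_hook of the
# renewal conf, i.e. while the Access Server is stopped; the post_hook
# starts it again, which is presumably when the new cert takes effect.
# NOTE(review): certbot also exports RENEWED_LINEAGE (the live/ directory of
# the lineage just renewed) to deploy hooks; on a host with more than one
# certificate the script could use it to skip unrelated renewals - confirm
# before relying on it.
#
# -e: stop at the first failing step so a cert is never installed without
#     its matching key; -u: an unset variable is a bug, not an empty path.
set -eu

export DOMAIN=myvpn.domain.com
LIVE_DIR="/etc/letsencrypt/live/$DOMAIN"
CONFDBA=/usr/local/openvpn_as/scripts/confdba

# NOTE(review): confdba -v receives the PEM body - private key included - as a
# command-line argument, which any local user can read from /proc/<pid>/cmdline
# while confdba runs.  OpenVPN AS documents
#   sacli --key cs.priv_key --value_file <file> ConfigPut
# which reads the value from a file instead; consider switching to that form.
"$CONFDBA" -mk cs.cert -v "$(cat "$LIVE_DIR/cert.pem")"
# stdout is dropped for the key only - presumably so the key text is not
# echoed into the journal; kept as in the original.
"$CONFDBA" -mk cs.priv_key -v "$(cat "$LIVE_DIR/privkey.pem")" > /dev/null
"$CONFDBA" -mk cs.ca_bundle -v "$(cat "$LIVE_DIR/fullchain.pem")"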
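#FilePath:myvpn.domain.com.conf
# Certbot renewal configuration for the OpenVPN AS web certificate.
# The top-level keys and the account value are generated by certbot; only
# the hook lines under [renewalparams] are hand-edited.
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/myvpn.domain.com
cert = /etc/letsencrypt/live/myvpn.domain.com/cert.pem
privkey = /etc/letsencrypt/live/myvpn.domain.com/privkey.pem
chain = /etc/letsencrypt/live/myvpn.domain.com/chain.pem
fullchain = /etc/letsencrypt/live/myvpn.domain.com/fullchain.pem

# Options used in the renewal process
# You will need to configure aws-cli in order to open and close port 80 on the fly. This is needed for acme challenge to succeed on port 80.
# The standalone authenticator needs port 80 free (so nginx and the Access
# Server are stopped for the duration of the renewal - the VPN is down while
# it runs) and reachable from the internet.  Let's Encrypt validates from
# several vantage points with no published source ranges, so the temporary
# rule cannot be narrower than 0.0.0.0/0; what matters is that it is removed
# again afterwards.
[renewalparams]
account = xxxxxxxxxxxxxxxxxxxxxxxxxxx
pre_hook = sudo service openvpnas stop && sudo service nginx stop && export AWS_DEFAULT_REGION=eu-west-1 && aws ec2 authorize-security-group-ingress --group-name "OpenVPN SG - C5" --protocol tcp --port 80 --cidr 0.0.0.0/0
# post_hook: the revoke is the security-critical step (it closes port 80 to
# the world again), so it runs first and the steps are separated by ';'
# rather than '&&' - a service that fails to start must not leave the
# world-open rule in place, and one service failing to start must not stop
# the other from being started.
post_hook = export AWS_DEFAULT_REGION=eu-west-1; aws ec2 revoke-security-group-ingress --group-name "OpenVPN SG - C5" --protocol tcp --port 80 --cidr 0.0.0.0/0; sudo service openvpnas start; sudo service nginx start
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory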
https://openvpn.net/vpn-server-resources/managing-settings-for-the-web-services-from-the-command-line/#Installing_a_signed_SSL_certificate
https://certbot.eff.org/docs/using.html
https://serverfault.com/questions/215606/how-do-i-view-the-details-of-a-digital-certificate-cer-file
https://sideras.net/2016/02/24/lets-encrypt-https-certificates-for-openvpn-as-access-server/
https://docs.aws.amazon.com/cli/latest/reference/ec2/authorize-security-group-ingress.html
sudo certbot renew --dry-run ( add --verbose if you want more output )
sudo service openvpnas start ( or sudo ./sacli start )
sudo service openvpnas stop ( or sudo ./sacli stop )
sudo ./sacli --key "cs.priv_key" ConfigQuery
sudo /usr/local/openvpn_as/scripts/sqlite3 /usr/local/openvpn_as/etc/db/config.db
tail -f /var/log/openvpnas.log
sudo systemctl list-timers
vi /lib/systemd/system/certbot.service
vi /lib/systemd/system/certbot.timer
Some random commands
====================
sudo netstat -plantu | grep .*LISTEN
cd /usr/local/openvpn_as/etc/web-ssl/
ls -l
ls -l old
sudo ls -l /etc/letsencrypt/live/myvpn.domain.com/
sudo service openvpnas stop
cd ../../scripts/
sudo /usr/local/openvpn_as/scripts/confdba -mk cs.ca_bundle -v "`sudo cat /etc/letsencrypt/live/myvpn.domain.com/fullchain.pem`"
sudo /usr/local/openvpn_as/scripts/confdba -mk cs.priv_key -v "`sudo cat /etc/letsencrypt/live/myvpn.domain.com/privkey.pem`" > /dev/null
sudo /usr/local/openvpn_as/scripts/confdba -mk cs.cert -v "`sudo cat /etc/letsencrypt/live/myvpn.domain.com/cert.pem`"
sudo service openvpnas restart
sudo netstat -plantu | grep .*LISTEN
cd /usr/local/openvpn_as/etc/web-ssl/
rm server.crt server.key
sudo rm server.crt server.key
sudo service openvpnas restart