The operating system my web server runs on is (include version): Ubuntu 20.04 LTS
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.40.0 using http-01 on port 80 only, as 443 is taken by SoftEther. I ran the dry-run test and all is OK.
Hi, I have followed an online guide to install nginx and also certbot to use with my SoftEther VPN. I managed to make everything work (I think), as I could browse to the HTTPS site and it shows I'm using a Let's Encrypt certificate, and I could also log in with SSTP.
The ‘issue’ now is I'm not sure if SoftEther and also its OpenVPN are using Let's Encrypt for login/authentication. I used its ServerCertSet command to point the cert to the server, but when I open the .ovpn file it doesn't look like it is using them, as it only has a CA but no client certificate or private key.
How could I confirm this, and make them use Let's Encrypt, as that will be more secure than using self-signed?
CN=vpn885951179.softether.net
22.06.2020
20.09.2020
expires in 89 days vpn885951179.softether.net - 1 entry
Your configuration is a little bit buggy:
Chain - too much certificates, don't send root certificates
1 CN=vpn885951179.softether.net
2 CN=DST Root CA X3, O=Digital Signature Trust Co.
3 CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
The root certificate shouldn't be sent; maybe that software needs that.
Client certificates are completely different; you can't use Let's Encrypt certificates as client certificates. The private key is required in your nginx configuration and in no other place. So it's good that you don't see the private key there.
You don't need an exception in your browser. And if you would see one, you should check that instead of typing your password.
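An added example, not code from the thread or from SoftEther/Certbot: it audits a served certificate chain for the two problems the checker reported above (wrong order and a root certificate sent) and computes what should be served instead. Certificates are modelled as (subject, issuer) pairs constructed from the checker output quoted in this thread; in practice you get those strings by running `openssl s_client -connect HOST:443 -servername HOST -showcerts` and then `openssl x509 -noout -subject -issuer` on each PEM block. `TRUSTED_ROOTS` is a stand-in for the client's trust store and is an assumption of this example.

```python
"""Audit the order and contents of a served TLS certificate chain.

Added example, not from the thread. Certificates are modelled as
(subject, issuer) distinguished-name pairs.
"""
from typing import Dict, FrozenSet, List, Tuple

Cert = Tuple[str, str]  # (subject DN, issuer DN)

# Constructed sample data, taken from the checker output quoted in the thread.
LEAF: Cert = ("CN=vpn885951179.softether.net",
              "CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US")
INTERMEDIATE: Cert = ("CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US",
                      "CN=DST Root CA X3, O=Digital Signature Trust Co.")
ROOT: Cert = ("CN=DST Root CA X3, O=Digital Signature Trust Co.",
              "CN=DST Root CA X3, O=Digital Signature Trust Co.")

# The chain in the order the checker listed it: leaf, root, intermediate.
SENT_CHAIN: List[Cert] = [LEAF, ROOT, INTERMEDIATE]

# Stand-in for the client's trust store (an assumption of this example).
TRUSTED_ROOTS: FrozenSet[str] = frozenset({ROOT[0]})


def is_self_signed(cert: Cert) -> bool:
    """A root is self-signed: subject and issuer are the same name."""
    return cert[0] == cert[1]


def order_chain(certs: List[Cert]) -> List[Cert]:
    """Return the certs reordered leaf-first, each one issued by the next.

    Certificates that do not link into the leaf's path are dropped.
    """
    if not certs:
        raise ValueError("empty chain")
    by_subject: Dict[str, Cert] = {c[0]: c for c in certs}
    issuers = {c[1] for c in certs if not is_self_signed(c)}
    # The leaf is the one certificate that issued nothing else in the bundle.
    leaves = [c for c in certs if c[0] not in issuers]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf, found {len(leaves)}")
    chain = [leaves[0]]
    while not is_self_signed(chain[-1]):
        nxt = by_subject.get(chain[-1][1])
        if nxt is None or nxt in chain:
            break  # issuer not in the bundle (normal for the root) or a loop
        chain.append(nxt)
    return chain


def audit_chain(certs: List[Cert], trusted_roots: FrozenSet[str]) -> List[str]:
    """Return human-readable findings; an empty list means the chain is fine."""
    findings: List[str] = []
    ordered = order_chain(certs)
    linked = [c for c in certs if c in ordered]  # sent order, strays removed
    if linked != ordered:
        findings.append("out of order: the chain must be sent leaf first, "
                        "each certificate followed by its issuer")
    for c in certs:
        if c not in ordered:
            findings.append(f"unrelated certificate sent: {c[0]}")
    top = ordered[-1]
    if is_self_signed(top):
        findings.append(f"root certificate sent ({top[0]}): clients already "
                        "hold it, so it only adds bytes to every handshake")
    elif top[1] not in trusted_roots:
        findings.append(f"missing intermediate: {top[0]} is issued by "
                        f"{top[1]}, which is neither sent nor a trusted root")
    return findings


def fix_chain(certs: List[Cert]) -> List[Cert]:
    """What the server should send: ordered, without the self-signed root."""
    return [c for c in order_chain(certs) if not is_self_signed(c)]


if __name__ == "__main__":
    for finding in audit_chain(SENT_CHAIN, TRUSTED_ROOTS):
        print("finding:", finding)
    print("serve:", [c[0] for c in fix_chain(SENT_CHAIN)])
```

Neither finding is a security flaw: a client that validates correctly still builds the path, and sending the root only costs roughly a kilobyte per handshake. The corrected list (leaf followed by intermediate, no root) is exactly what Certbot writes to fullchain.pem, so for nginx pointing ssl_certificate at /etc/letsencrypt/live/vpn885951179.softether.net/fullchain.pem serves the right chain; whether SoftEther's ServerCertSet needs the root in its input is a question for its own documentation, as the answer above notes.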
Hi, I'm new to all this and followed a guide on DigitalOcean to generate the cert: sudo certbot --nginx -d vpn885951179.softether.net
Could you please suggest how to fix the buggy configuration? And when you mention buggy, does it mean it's a security flaw, or that it might break and stop working? How serious is it?
P.S. Yes, I have confirmed (at least for OpenVPN) that it is using Let's Encrypt after checking the logs. I will find the SoftEther log and do the same.
I've written this same claim here on the forum but other people have corrected me: technically, you can use Let's Encrypt certificates as client certificates (they're approved for that key usage), but there are almost no plausible applications where that would be relevant or useful, since Let's Encrypt certificates only authenticate servers and it's normally quite unlikely that you would want your server to use a publicly-trusted certificate to authenticate itself as a client to someone else's server.
If you are the VPN operator/administrator, you're supposed to create credentials yourself for the VPN users, which is a separate process from getting a certificate for HTTPS for your server. It should be covered by a different guide (that is specific to your VPN software).
@schoen thanks for the input. I have confirmed both of them are using Let's Encrypt; the only thing left now is how to solve this ‘Chain - too much certificates, don’t send root certificates’.