The operating system my web server runs on is (include version): Ubuntu 20.04 LTS
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.40.0 using http-01 on port 80 only, as 443 is taken by Softether. I ran the dry-run test and all is OK.
Hi, I have followed an online guide to install nginx and also certbot to use with my Softether VPN. I managed to make everything work (I think), as I could browse to the HTTPS and it shows I'm using a LetsEncrypt certificate, and I could also log in with SSTP.
The ‘issue’ now is I'm not sure if Softether and also its OpenVPN are using LetsEncrypt for login/authentication. I used its command ServerCertSet to point the cert to the server, but when I open the ovpn file, it doesn’t look like it is using them, as it only has CA, but there's no client certificate or private key.
How could I confirm this, and make them use LetsEncrypt, as that will be more secure than using self-signed?
expires in 89 days vpn885951179.softether.net - 1 entry
Your configuration is a little bit buggy:
Chain - too much certificates, don't send root certificates
2 CN=DST Root CA X3, O=Digital Signature Trust Co.
3 CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
The root certificate shouldn't be sent; maybe that software needs that.
Client certificates are completely different, you can't use Letsencrypt certificates as client certificates. The private key is required in your nginx configuration, no other place. So it's good that you don't see the private key there.
You don't need an exception in your browser. And if you do see one, you should check that instead of typing your password.
I've written this same claim here on the forum but other people have corrected me: technically, you can use Let's Encrypt certificates as client certificates (they're approved for that key usage), but there are almost no plausible applications where that would be relevant or useful, since Let's Encrypt certificates only authenticate servers and it's normally quite unlikely that you would want your server to use a publicly-trusted certificate to authenticate itself as a client to someone else's server.
If you are the VPN operator/administrator, you're supposed to create credentials yourself for the VPN users, which is a separate process from getting a certificate for HTTPS for your server. It should be covered by a different guide (that is specific to your VPN software).
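One way to check which certificate the listener on port 443 presents, and whether a root is being sent in the chain as the report quoted above says, is to capture the "Certificate chain" section printed by `openssl s_client -connect HOST:443 -servername HOST </dev/null` and review its subject/issuer pairs. The script below is an added example, not code from any poster in this thread; the hostname `vpn.example.test` and the sample output are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of the "Certificate chain" section printed by
# `openssl s_client -connect HOST:443 -servername HOST </dev/null`.
# The hostname is a placeholder; the CA names are the ones quoted in the thread.
SAMPLE = """\
Certificate chain
 0 s:CN = vpn.example.test
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
 2 s:O = Digital Signature Trust Co., CN = DST Root CA X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
"""

SUBJECT = re.compile(r"^\s*(\d+)\s+s:(.*)$")   # " 0 s:<subject DN>"
ISSUER = re.compile(r"^\s+i:(.*)$")            # "   i:<issuer DN>"

def parse_chain(text):
    """Return [(depth, subject, issuer), ...] in the order the server sent them."""
    chain, pending = [], None
    for line in text.splitlines():
        m = SUBJECT.match(line)
        if m:
            pending = (int(m.group(1)), m.group(2).strip())
            continue
        m = ISSUER.match(line)
        if m and pending:
            chain.append((pending[0], pending[1], m.group(1).strip()))
            pending = None
    return chain

def review_chain(chain):
    """Flag a self-signed leaf and any root certificate sent in the chain."""
    findings = []
    for depth, subject, issuer in chain:
        if subject != issuer:
            continue  # issued by another certificate, nothing to flag
        if depth == 0:
            findings.append("leaf is self-signed: " + subject)
        else:
            findings.append("root sent at depth %d: %s" % (depth, subject))
    return findings

if __name__ == "__main__":
    chain = parse_chain(SAMPLE)
    print("leaf issuer:", chain[0][2])
    for finding in review_chain(chain):
        print(finding)
```

The issuer of entry 0 shows whether the server certificate came from Let's Encrypt or is self-signed; this only covers the certificate the server presents, not the credentials VPN users log in with.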