Am i using LetsEncrypt already?

My domain is: vpn885951179.softether.net

My web server is (include version): nginx 1.17.10

The operating system my web server runs on is (include version): Ubuntu 20.04 LTS

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.40.0 using http-01 on port 80 only as 443 is taken by Softether. i run the dry-run test and all is ok

hi, i hv follow an online guide to install nginx and also certbot to use with my Softether vpn. i manage to make everything works(i think), as i could browse to the HTTPS and it show im using LetsEncrypt certificate and i could also login with SSTP.

the ‘issue’ now is im not sure if Softether and also its OpenVPN are using LetsEncrypt for login/authentication. I use its command ServerCertSet to point the cert to the server. but when i open the ovpn file, it doesn’t looks like it is using them. as it only has CA, but theres no Client certificate or Private key.

how could i confirm this? and make them use LetsEncrypt as that will be more secure than using self-signed?

Thank you,

1 Like

Hi @aboka

yes, you use already a Letsencrypt certificate. See https://check-your-website.server-daten.de/?q=vpn885951179.softether.net

CN=vpn885951179.softether.net
	22.06.2020
	20.09.2020
expires in 89 days	vpn885951179.softether.net - 1 entry

Your configuration is a little bit buggy:

Chain - too much certificates, don't send root certificates	
	1	CN=vpn885951179.softether.net
	2	CN=DST Root CA X3, O=Digital Signature Trust Co.
	3	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US

The root certificate shouldn’t be sent, may be that software needs that.

Client certificates are completely different, you can’t use Letsencrypt certificates as client certificates. The private key is required in your nginx configuration, no other place. So it’s good that you don’t see the private key there.

You don’t need an exception in your browser. And if you would see one, you should check that instead of typing your password.

2 Likes

hi, im new to all this and follow guide on digitalocean to generate the cert - sudo certbot --nginx -d vpn885951179.softether.net

could you pls suggest how to fix the buggy configuration? and when you mention buggy, does it mean its a security flaw or, it might break and stop working? how serious it is.

p/s - yes, hv confirm(at least OpenVPN) is using LetsEncrypt after checking the logs. will find out SE log and do the same

thank you,

1 Like

I’ve written this same claim here on the forum but other people have corrected me: technically, you can use Let’s Encrypt certificates as client certificates (they’re approved for that key usage), but there are almost no plausible applications where that would be relevant or useful, since Let’s Encrypt certificates only authenticate servers and it’s normally quite unlikely that you would want your server to use a publicly-trusted certificate to authenticate itself as a client to someone else’s server.

3 Likes

If you are the VPN operator/administrator, you’re supposed to create credentials yourself for the VPN users, which is a separate process from getting a certificate for HTTPS for your server. It should be covered by a different guide (that is specific to your VPN software).

1 Like

@schoen thanks for the input. hv confirm both of them are using LetsEncrypt :slight_smile: only thing left now is how to solve this ‘Chain - too much certificates, don’t send root certificates’

cheers,

1 Like

Ah, thanks, good to know.

So it’s possible, but @aboka doesn’t want that.

2 Likes

@JuergenAuer im ok with that, if thats how it suppose to be. i just thought it should hv them when im using LetsEnccrypt :slight_smile:

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.