Letsencrypt openvpnas expired certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My certificates are been generated just fine. However the service (openvpnas) is not running with the renewed certificates. It still uses an expired certificate.
My domain is:
posrip.com

I ran this command:
certbot certificates
It produced this output:
Certificate Name: posrip.com-0001
Domains: posrip.com
Expiry Date: 2020-05-25 17:17:20+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/posrip.com-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/posrip.com-0001/privkey.pem
Certificate Name: posrip.com
Domains: posrip.com
Expiry Date: 2020-05-25 17:17:20+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/posrip.com-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/posrip.com-0001/privkey.pem

My web server is (include version):
2.7.5
The operating system my web server runs on is (include version):
ubuntu 16.04
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

1 Like

Have you reloaded OpenVPNAS? Do you use the files in /etc/letsencrypt/ directly from the OpenVPNAS configuration? Or did you copy the cert/privkey to another location and use it from there?

2 Likes

@Osiris I use the files directly from /etc/letsencrypt. And yes, I have reloaded the service multiple times to no avail

1 Like

Which files (folders) specifically do you use?
I ask only because I see a -0001 in the path of the currently active cert:

1 Like

This seems BROKEN.
Both certs are pointing to the exact same path/files:

1 Like

That is probably because I had regenerated the certs while the previous ones stayed in place and i assume certbot just appended the numbers to differentiate them. They are two different certs issued by certbot in my desperation to get it working but both are still valid certs, so why is openvpnas not picking either up. Still seems to be serving from some unknown location the previously expired certs

I disagree.
They have two different cert names (true):

But they point to the exact same files:

1 Like

Agreed, but why is none of them been served by openvpnas is my problem.

Perhaps we can look at the OpenVPNAS configuration concerning the certificate?

That sounds good. How can I do that?

I can only presume that openvpnas was configured to use:
Certificate Path: /etc/letsencrypt/live/posrip.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/posrip.com/privkey.pem
[without the -0001, and that cert still exists and is NOT being renewed]

root@openvpnas2:/home/openvpnas# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: posrip.com
Domains: posrip.com
Expiry Date: 2020-05-26 13:57:34+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/posrip.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/posrip.com/privkey.pem

Have now deleted the previous certs and created new ones, restarted the openvpnas service to no avail

Got in touch with openvpn and they advised using the guide linked below. Following the steps in the first part of the guide fixed my problem. NB ‘–value_file’ points to local files.

1 Like

But that guide uses a completely different ACME client? It doesn’t use certbot…

True and according to the support tech, openvpn does not support certbot. I have deployed certbot via chef previously, so I know that it is indeed possible but I was stumped here and this fixed the issue for me. I have since created a cron for certbot to renew the certs on schedule

Well, I’m not entirely sure if that’s correct. According to the how-to, it just uses another client to get certificates. Also, it seems to be using the utility sacli to import the certificate files into the OpenVPNAS configuration!. So I think OpenVPNAS doesn’t actually use files on the disk directly. In any case, it won’t use the files in the Let’s Encrypt directory like you previously claimed in post #3. It will only use the files in /usr/local/openvpn_as/etc/web-ssl/ as a fallback.

As people here probably aren’t precisely familiar with less-known services as OpenVPNAS, I would recommend for you in the future when you run into problems, either be 100 % familiair with the software you’re using or say you don’t know how OpenVPNAS is configured, as now you’ve given us information which steered me in the wrong way of thinking.

1 Like

Thank you for your time

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.