Renewing certificates on OpenVPN

jorgeramos78 · 2018-05-22 19:51:29 UTC

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: openvpn.vohraphysicians.com

I ran this command:

sudo service openvpnas stop

sudo service nginx stop

sudo ln -s -f /etc/letsencrypt/live/openvpn.vohraphysicians.com/cert.pem /usr/local/openvpn_as/etc/web-ssl/server.crt

sudo ln -s -f /etc/letsencrypt/live/openvpn.vohraphysicians.com/privkey.pem /usr/local/openvpn_as/etc/web-ssl/server.key

sudo ln -s -f /etc/letsencrypt/live/openvpn.vohraphysicians.com/chain.pem /usr/local/openvpn_as/etc/web-ssl/chain.crt

sudo ln -s -f /etc/letsencrypt/live/openvpn.vohraphysicians.com/fullchain.pem /usr/local/openvpn_as/etc/web-ssl/fullchain.crt

sudo service nginx start

sudo service openvpnas start

It produced this output: None

My web server is (include version): Access Server 2.1.4b

The operating system my web server runs on is (include version): Ubuntu 16.04.1 LTS

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

jorgeramos78 · 2018-05-22 19:52:28 UTC

My problem is that I requested new certificates; but my web server is still using the old ones which are now expired.

schoen · 2018-05-22 19:53:49 UTC

Hi @jorgeramos78,

Could you take a look in the web server configuration? What files is it pointing at for the certificate and key according to that configuration?

jorgeramos78 · 2018-05-22 19:55:52 UTC

I wasn’t the one who configured this server, so I am not sure how to access the web server configuration

schoen · 2018-05-22 20:52:20 UTC

Maybe grep -r ssl_certificate /etc/nginx to find where it’s specified.

jorgeramos78 · 2018-05-22 20:59:26 UTC

Is this what you mean?

openvpnas@openvpnas2:~$ grep -r ssl_certificate /etc/nginx
/etc/nginx/snippets/snakeoil.conf:ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
/etc/nginx/snippets/snakeoil.conf:ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

jorgeramos78 · 2018-05-22 21:00:52 UTC

To be clear; I had been using Letsencrypt certificates without any issues before they expired a few days ago.

schoen · 2018-05-22 21:06:13 UTC

Yes, but it doesn’t seem to show the reference to your Let’s Encrypt certificates anywhere. Maybe you could also try something like

grep -r /etc/letsencrypt /etc/nginx

Do you know how your nginx server was configured to use your previous Let’s Encrypt certificate?

jorgeramos78 · 2018-05-23 13:33:17 UTC

I ran that grep command, but it didn’t return anything.

I first installed Certbot, per https://certbot.eff.org/lets-encrypt/ubuntuxenial-nginx

I think that the configuration file for my site is located at /etc/letsencrypt/renewal/openvpn.vohraphysicians.com.conf, the contents of that file are below:

renew_before_expiry = 30 days

version = 0.21.1
archive_dir = /etc/letsencrypt/archive/openvpn.vohraphysicians.com
cert = /etc/letsencrypt/live/openvpn.vohraphysicians.com/cert.pem
privkey = /etc/letsencrypt/live/openvpn.vohraphysicians.com/privkey.pem
chain = /etc/letsencrypt/live/openvpn.vohraphysicians.com/chain.pem
fullchain = /etc/letsencrypt/live/openvpn.vohraphysicians.com/fullchain.pem

Options used in the renewal process

[renewalparams]
account = 81b9cef32c2e17ff8290b642c28a3263
installer = None
authenticator = standalone

jorgeramos78 · 2018-05-23 13:37:16 UTC

I also found the /etc/letsencrypt/options-ssl-nginx.conf file, whose content is below:

ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;

ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:EC$

jorgeramos78 · 2018-05-23 13:53:40 UTC

I got it to work with the new certificates; although I am not entirely sure how. I ran the sudo certbot --nginx command and ended up restoring my server from a backup after the OpenVPN site failed to load.

I hope this goes a little more smoothly the next time I need to renew my certs.

Thanks for your help.

system · 2018-06-22 13:53:41 UTC

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.