TLS Certificate#
By default, using the recommended deploy instructions, a self-signed certificate is installed for the web server. Browsers and VPN clients will not trust it, so replace it with a CA-issued certificate before taking the server into production. This document shows you how.
It is highly recommended to use the Automatic approach documented below, which obtains the certificate using the ACME scripts. Instructions for Manual configuration of the certificate and key are provided as well.
Automatic#
We have a script that makes it easy to automatically obtain a certificate using the ACME protocol from Let’s Encrypt, Buypass or ZeroSSL. It also renews the certificate automatically before it expires.
It will ask you which CA you would like to use. The default is Let’s Encrypt.
You will also need to provide an email address and accept the CA’s terms before the certificate is obtained. After that everything SHOULD happen automatically, including setting up the automatic certificate renewal. For ZeroSSL you will also need External Account Binding (EAB) credentials: create an account there and obtain “EAB Credentials for ACME Clients”.
If your domain publishes CAA records, the CA will only issue when one of them authorizes it. Add a CAA issue record for the CA you chose, using the domain from this table (ZeroSSL certificates are issued by Sectigo, hence sectigo.com):
| CA | CAA Domain |
|---|---|
| Let’s Encrypt | letsencrypt.org |
| Buypass | buypass.no |
| ZeroSSL | sectigo.com |
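To confirm your zone actually permits the CA you picked before running the ACME script, the following POSIX shell function reproduces the CAA decision a CA makes (RFC 8659). It is an added example, not part of the deploy scripts: the dig invocation in the usage comment is the real tool, the function name caa_allows is ours, and the records in the usage lines are constructed samples.

```sh
#!/bin/sh
# Added example, not part of the deploy scripts: reproduce the CAA check a CA
# performs (RFC 8659) so you can confirm your zone permits the CA you picked.
# Input on stdin: the CAA RRset in `dig +short CAA <name>` form, one record per
# line: FLAGS TAG "VALUE". Feed it the RRset of the closest name (self or an
# ancestor) that actually has CAA records; an empty RRset means any CA may issue.
#
# Usage: dig +short CAA vpn.example | caa_allows letsencrypt.org
#        dig +short CAA example.org | caa_allows sectigo.com wild   # for *.example.org
caa_allows() {
    ca=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    kind="${2:-host}"                 # "wild" to evaluate a wildcard name
    issue_seen=0; issue_ok=0; wild_seen=0; wild_ok=0
    while read -r flags tag value; do
        [ -n "$tag" ] || continue
        tag=$(printf '%s' "$tag" | tr 'A-Z' 'a-z')
        value=${value#\"}; value=${value%\"}                  # strip the quotes
        # Keep the issuer domain only: drop ";param=..." and whitespace,
        # lower-case it, and remove a trailing dot.
        domain=$(printf '%s' "${value%%;*}" | tr -d ' \t' | tr 'A-Z' 'a-z')
        domain=${domain%.}
        case "$tag" in
            issue)
                issue_seen=1
                if [ "$domain" = "$ca" ]; then issue_ok=1; fi ;;
            issuewild)
                wild_seen=1
                if [ "$domain" = "$ca" ]; then wild_ok=1; fi ;;
            iodef) ;;        # reporting address only, no effect on issuance
            *)
                # An unknown property with the critical flag (128) set forbids issuance.
                if [ "${flags:-0}" -ge 128 ]; then return 1; fi ;;
        esac
    done
    # issuewild, when present, overrides issue for wildcard names only.
    if [ "$kind" = wild ] && [ "$wild_seen" -eq 1 ]; then
        if [ "$wild_ok" -eq 1 ]; then return 0; else return 1; fi
    fi
    if [ "$issue_seen" -eq 1 ]; then
        if [ "$issue_ok" -eq 1 ]; then return 0; else return 1; fi
    fi
    return 0    # no issue/issuewild property at all: any CA may issue
}
```

Note the two ways a zone can block issuance that are easy to miss: a record such as `0 issue ";"` (an empty issuer domain) forbids every CA, and any issue record for a different CA forbids yours even if no record mentions it. The function also honours the critical flag, which CAs must respect for properties they do not understand.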
Debian / Ubuntu#
$ sudo ./acme_debian.sh
Fedora / EL#
$ sudo ./acme_fedora.sh
Manual#
You can configure your own TLS certificate, for example one you obtained through a CA, in your web server configuration file. Replace vpn.example in the examples below with your own server’s hostname.
| OS | Location | Reload Configuration |
|---|---|---|
| Debian / Ubuntu | /etc/apache2/sites-available/vpn.example.conf | sudo systemctl reload apache2 |
| Fedora / EL | /etc/httpd/conf.d/vpn.example.conf | sudo systemctl reload httpd |
NOTE: if you make any changes to your web server configuration you MUST reload the web server configuration using the command listed under “Reload Configuration”; until you do, the running server keeps serving the old certificate.
The following configuration options in the configuration file are relevant. You can either modify them or, better, replace the files they point to with your own certificate and key, so the configuration itself stays unchanged.
The file pointed to by SSLCertificateFile can contain just the “leaf” certificate, or the leaf followed by the intermediate chain (leaf first, then the intermediates in order). If the chain is included, the SSLCertificateChainFile option is NOT required; it has been deprecated since Apache 2.4.8 for exactly this reason. The SSLCertificateKeyFile file contains the private key; keep it readable by root only.
After modifying the configuration, and/or replacing the certificate/key, do NOT forget to reload the web server configuration.
Debian / Ubuntu#
SSLCertificateFile /etc/ssl/certs/vpn.example.crt
SSLCertificateKeyFile /etc/ssl/private/vpn.example.key
#SSLCertificateChainFile /etc/ssl/certs/vpn.example-chain.crt
Fedora / EL#
SSLCertificateFile /etc/pki/tls/certs/vpn.example.crt
SSLCertificateKeyFile /etc/pki/tls/private/vpn.example.key
#SSLCertificateChainFile /etc/pki/tls/certs/vpn.example-chain.crt
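A certificate that does not match its key, or that does not cover the hostname, makes the reload fail or leaves clients with a broken site, so it pays to check the pair before touching the running server. The script below is an added example, not part of the deploy scripts: it takes the certificate path, key path and hostname as arguments, checks the pair with openssl, runs the Apache configuration test, and then reloads the unit that matches the OS layout in the table above. It assumes openssl, apachectl (present on both Debian and Fedora) and systemctl are available; the function names and the check_cert.sh file name are ours.

```sh
#!/bin/sh
# Added example, not part of the deploy scripts: check a replacement certificate
# and key before pointing Apache at them, then test the configuration and reload.
# Paths and the hostname are passed in; the unit name (apache2 vs httpd) follows
# the OS layout in the table above. Assumes openssl, apachectl and systemctl.
#
# Usage: sudo sh check_cert.sh /etc/ssl/certs/vpn.example.crt \
#                              /etc/ssl/private/vpn.example.key vpn.example

# The certificate's public key must equal the private key's public half; a
# mismatch makes Apache fail to (re)start, so catch it before the reload.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# The certificate must cover the server's hostname (SAN dNSName; openssl falls
# back to the CN only when the certificate has no dNSName entry at all).
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# The certificate must remain valid for at least $2 seconds (default 30 days).
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null 2>&1
}

# The private key must not be group/world-readable (GNU stat, as on Debian/Fedora).
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    case "$mode" in 400|600|640) return 0 ;; *) return 1 ;; esac
}

check_and_reload() {
    cert="$1"; key="$2"; host="$3"
    cert_matches_key "$cert" "$key"  || { echo "ERROR: $cert does not match $key" >&2; return 1; }
    cert_covers_host "$cert" "$host" || { echo "ERROR: $cert does not cover $host" >&2; return 1; }
    cert_not_expiring "$cert"        || { echo "ERROR: $cert expires within 30 days" >&2; return 1; }
    key_perms_ok "$key"              || echo "WARNING: $key should be mode 0600 (or 0640)" >&2
    # Verify the leaf against the system trust store; intermediates bundled after
    # the leaf in the same file (the "full chain" layout) act as untrusted certs.
    # If the intermediates live in SSLCertificateChainFile instead, pass that
    # file to -untrusted.
    openssl verify -untrusted "$cert" "$cert" >/dev/null || { echo "ERROR: chain does not verify" >&2; return 1; }
    apachectl -t || return 1          # syntax check before touching the running server
    if [ -d /etc/apache2 ]; then unit=apache2; else unit=httpd; fi
    systemctl reload "$unit"
}

# Run the procedure only when called with the three arguments, so the functions
# can also be sourced and used on their own.
if [ "$#" -eq 3 ]; then check_and_reload "$@"; fi
```

The order matters: the key/certificate comparison and the hostname check are pure file operations and cost nothing, the chain verification tells you whether you forgot the intermediates, and apachectl -t catches typos in the configuration file, so by the time systemctl reload runs there is nothing left that can take the site down.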