AWS OpenVPN: SSL and hostname configuration

AWS OpenVPN: SSL and hostname configuration


2 min read

If you have OpenVPN AS running in Production, For now – need to configure SSL to avoid alerts in clients browsers.


Let’s Encrypt

Install Let’s Encrypt client:

git clone /opt/letsencrypt

Open port 80 in your AWS Security Group – it’s safe as OpenVPN AS listen on the 443 for clients and 943 for the admin page access.

Obtain a new certificate:

/opt/letsencrypt/letsencrypt-auto certonly -d


You can change certificates using Admin UI in the Web Server Configuration, or using CLI.

On the first run OpenVPN AS generates self-signed certificates stored in the /usr/local/openvpn_as/etc/web-ssl/ directory:

ls -l /usr/local/openvpn_as/etc/web-ssl/

They are kind of failover-certificates in case if others will be broken.

To configure SSL we need to have three files, in case of using Let’s Encrypt we will use next files to create them:

  • *.crt – it’s our fullchain.pem file

  • *.keyprivkey.pem file

  • *.bundle – will be created from fullchain.pem and privkey.pem

Install private key to OpenVPN server:

/usr/local/openvpn_as/scripts/sacli --key "cs.priv_key" --value_file "privkey.pem" ConfigPut

Install its public cert:

/usr/local/openvpn_as/scripts/sacli --key "cs.cert" --value_file "fullchain.pem" ConfigPut

“Generate” bundle – just by using cat for the fullchain.pem and privkey.pem:

cd /etc/letsencrypt/live/
cat fullchain.pem privkey.pem > bundle.pem

Add it to the OpenVPN AS:

/usr/local/openvpn_as/scripts/sacli --key "cs.ca_bundle" --value_file "bundle.pem" ConfigPut

Restart service:

/usr/local/openvpn_as/scripts/sacli start

Check UI now:

OpenVPN AS hostname

And the last step here will be to configure server’s hostname if this wasn’t made during initial setup.

Go to the Admin UI => Network Settings:


Lets Encrypt certificates expire every 3 months. To save us from having to renew & reinstall them manual we can create a simple bash script and schedule it using cron which is a time-based job scheduler

1. Copy the code below using a text editor of your choice into /usr/local/sbin/

certbot renew — standalone
sleep 1m
cat /etc/letsencrypt/live/ /etc/letsencrypt/live/ > /etc/letsencrypt/live/
/usr/local/openvpn_as/scripts/sacli --key "cs.priv_key" --value_file "/etc/letsencrypt/live/" ConfigPut
/usr/local/openvpn_as/scripts/sacli --key "cs.cert" --value_file "/etc/letsencrypt/live/" ConfigPut
/usr/local/openvpn_as/scripts/sacli --key "cs.ca_bundle" --value_file "/etc/letsencrypt/live/" ConfigPut
/usr/local/openvpn_as/scripts/sacli start

2. Make the script Executable:

sudo chown +x /usr/local/sbin/

3. Enter Cron editor as root:

sudo crontab -e
#Add the following line
0 0 1 */2 * /usr/local/sbin/

This will schedule the script to run 'At 00:00 on day-of-month 1 in every 2nd month.

Did you find this article valuable?

Support Rahul wath by becoming a sponsor. Any amount is appreciated!