Using Let's Encrypt / ACME with ocserv
Kevin Cernekee
cernekee at gmail.com
Sun Jan 24 13:17:23 PST 2016
I set this up earlier today and ran into two issues:
1) `occtl reload` doesn't reload certs/keys, since they live in the
perm_cfg. It would be nice if it did, just to avoid kicking off
connected clients during the cert refresh every ~60-90 days.
2) I added a new worker-http-handler to ocserv that would allow it to
answer ACME challenges using the widely-supported "webroot" method,
only to find that webroot is forbidden on TLS connections:
https://github.com/letsencrypt/letsencrypt/issues/2150
Ideally, a VPN gateway could implement ACME without having to open up
port 80. Has anyone found a way around this restriction?
More information about the openconnect-devel mailing list