Using Let's Encrypt / ACME with ocserv

Kevin Cernekee cernekee at
Sun Jan 24 13:17:23 PST 2016

I set this up earlier today and ran into two issues:

1) `occtl reload` doesn't reload certs/keys, since they live in the
perm_cfg.  It would be nice if it did, just to avoid kicking off
connected clients during the cert refresh every ~60-90 days.

2) I added a new worker-http-handler to ocserv that would allow it to
answer ACME challenges using the widely-supported "webroot" method,
only to find that webroot is forbidden on TLS connections:

Ideally, a VPN gateway could implement ACME without having to open up
port 80.  Has anyone found a way around this restriction?

More information about the openconnect-devel mailing list