Using Let's Encrypt / ACME with ocserv

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Mon Jan 25 01:46:40 PST 2016


On Sun, Jan 24, 2016 at 10:17 PM, Kevin Cernekee <cernekee at gmail.com> wrote:
> I set this up earlier today and ran into two issues:
>
> 1) `occtl reload` doesn't reload certs/keys, since they live in the
> perm_cfg.  It would be nice if it did, just to avoid kicking off
> connected clients during the cert refresh every ~60-90 days.

The difficult part when doing that is to have some workers spawned
before reload with the old certificate in memory and accessing the
security module after reload with the new key. If the certificate
update process kept the old key, that would work, but not if a new key
was issued. We could of course make these fail with a temporary http
error.

> 2) I added a new worker-http-handler to ocserv that would allow it to
> answer ACME challenges using the widely-supported "webroot" method,
> only to find that webroot is forbidden on TLS connections:
> https://github.com/letsencrypt/letsencrypt/issues/2150
> Ideally, a VPN gateway could implement ACME without having to open up
> port 80.  Has anyone found a way around this restriction?

No idea. But if there is something that ocserv could do to automate
this certificate issuing let me know. I think that could be an
interesting thing to add.

regards,
Nikos
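Since `occtl reload` leaves the certificate and key untouched, a renewal only takes effect after a restart, and a restart drops every connected client. The following script is an added example (not ocserv or certbot code) that compares the SHA-256 fingerprint of the leaf certificate on disk with the certificate the listening gateway actually presents, so an operator or renewal hook restarts ocserv only when the two differ. The certificate path and `host[:port]` are assumed command-line arguments; the embedded PEM is a constructed sample used only to exercise the parsing path offline.

```python
"""Decide whether ocserv must be restarted after an ACME renewal.

Added example, not ocserv or certbot code. `occtl reload` does not
reload the certificate and key, so a renewed certificate is only served
after a restart. This script reports whether a restart is actually
needed by comparing the SHA-256 fingerprint of the certificate file on
disk with the one the running gateway presents over TLS.
"""
import hashlib
import socket
import ssl
import sys


def fingerprint_der(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def fingerprint_pem(pem: str) -> str:
    """Fingerprint of the first certificate in a PEM string.

    In a fullchain file the first block is the leaf, which is the one
    the server presents as its own certificate.
    """
    marker = "-----END CERTIFICATE-----"
    end = pem.index(marker) + len(marker)
    first = pem[:end].lstrip()
    return fingerprint_der(ssl.PEM_cert_to_DER_cert(first))


def fingerprint_served(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Fetch the leaf certificate the gateway presents and fingerprint it.

    Verification is disabled on purpose: the goal is to observe what is
    served right now, even if that certificate is expired or not trusted.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return fingerprint_der(der)


def needs_restart(disk_fp: str, served_fp: str) -> bool:
    """True when the certificate on disk is not the one being served."""
    return disk_fp.lower() != served_fp.lower()


# Constructed sample: a well-formed PEM wrapper around arbitrary bytes
# (00..07 and 08..0b), used only to exercise fingerprint_pem offline.
# It is not a real certificate.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
AAECAwQFBgc=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CAkKCw==
-----END CERTIFICATE-----
"""


def main(argv):
    # Assumed CLI shape: <script> fullchain.pem host[:port]
    if len(argv) != 3:
        print(f"usage: {argv[0]} fullchain.pem host[:port]", file=sys.stderr)
        return 2
    with open(argv[1]) as f:
        disk_fp = fingerprint_pem(f.read())
    host, _, port = argv[2].partition(":")
    served_fp = fingerprint_served(host, int(port or 443))
    if needs_restart(disk_fp, served_fp):
        print("served certificate differs from disk: restart ocserv")
        return 1
    print("served certificate matches disk: no restart needed")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from a renewal hook or a cron job; exit status 1 means the gateway is still serving the old certificate and a restart is due, exit status 0 means nothing needs to be done, so clients are only disconnected when the renewal actually produced a new certificate.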
