Using Let's Encrypt / ACME with ocserv

Kevin Cernekee cernekee at
Mon Jan 25 12:04:44 PST 2016

On Mon, Jan 25, 2016 at 11:24 AM, Nikos Mavrogiannopoulos
<n.mavrogiannopoulos at> wrote:
>> The special SNI value and the special cert are dynamically generated
>> during the ACME exchange.  If you wanted to build support into
>> ocserv,
>> you could accept the Z value through dbus and autogenerate the cert +
>> SNI name.  Not sure how "invasive" all of this is, though.
> I would not like to introduce a dbus dependency just for that. occtl
> could be used to provide that input, but still the webroot that you
> mention below is far much simpler.

Err, right, for some reason I thought occtl was using dbus.  Oops.

>> One downside is that many ACME clients only support webroot.  So I
>> guess this would probably be implemented as a plugin for the
>> reference client.
> Well the webroot thing can be combined easily with ocserv as it only
> requires the HTTP port. Isn't running a temporary HTTP server in
> parallel with ocserv a simpler solution?

Yes, I'm using the standalone plugin to do that now.  Fortunately,
there is nothing else running on port 80 on this IP, so it's not a
major problem.

I really hope they reconsider their decision to drop TLS webroot
support - it's even in the spec.  If that happens I'll send my ocserv
ACME webroot patch.

More information about the openconnect-devel mailing list