VyOS 1.4 - openconnect and Let's encrypt certificate

I am trying to set up openconnect VPN with a Let's Encrypt certificate.
I have created the certificate with the hostname FQDN as subject name.
I have two problems (related).
The first is that I really don’t understand the new way of pointing out certificates with:
set vpn openconnect ssl ca-certificate
set vpn openconnect ssl certificate
What should pki-ca-name be for the Let’s encrypt R3 certificate? (It contains a singlequote that is not accepted).

Where do the certificates need to be placed for the config to find them?

If I try to “guess”/“test” the names (I just tried R3 for pki-ca-name and my FQDN for pki-cert-name) and do commit I get the error message: “PKI not configured”.

Is there someone who has this working with the new way of pointing out certificates? Pointing at files was a bit clearer to me.

I figured it out myself. Posting my solution here in case someone has the same problem.

Get the R3 certificate inserted in the config

TEMP=`tail -n +2 /etc/ssl/certs/GTS_Root_R3.pem | head -n -1 | tr -d '\n'`
set pki ca R3 certificate $TEMP

Get my Letsencrypt certs into the config

TEMP=`sudo tail -n +2 /etc/letsencrypt/live/replace.this.with.your.name/cert.pem | head -n -1 | tr -d '\n'`
set pki certificate openconnect certificate $TEMP
TEMP=`sudo tail -n +2 /etc/letsencrypt/live/replace.this.with.your.name/privkey.pem | head -n -1 | tr -d '\n'`
set pki certificate openconnect private key $TEMP

I have also written a script to update my configuration that is intended to be run from crontab after renewing the certificate from let’s encrypt.

#!/bin/vbash
# Reload the renewed Let's Encrypt certificate and key into the VyOS PKI config.
# Meant to be run from crontab after the certificate has been renewed.
source /opt/vyatta/etc/functions/script-template
configure
# Remove the old certificate/key pair before loading the new one
delete pki certificate openconnect
# Strip the PEM header/footer lines and newlines: "set pki" wants the bare base64 on one line
TEMP=`sudo tail -n +2 /etc/letsencrypt/live/replace.this.with.your.name/cert.pem | head -n -1 | tr -d '\n'`
set pki certificate openconnect certificate $TEMP
TEMP=`sudo tail -n +2 /etc/letsencrypt/live/replace.this.with.your.name/privkey.pem | head -n -1 | tr -d '\n'`
set pki certificate openconnect private key $TEMP
commit
save
exit

In my openconnect setup I point to the certs with:

set vpn openconnect ssl ca-certificate 'R3'
set vpn openconnect ssl certificate 'openconnect'


In my case, the file /etc/letsencrypt/live/replace.this.with.your.name/privkey.key has its header as -----BEGIN EC PRIVATE KEY-----, but VyOS only supports -----BEGIN PRIVATE KEY-----, so, if you’re like me, you have to convert it first.

Here is my script for future reference.

#!/bin/vbash

source /opt/vyatta/etc/functions/script-template
configure
# Remove the old certificate/key pair before loading the new one
delete pki certificate openconnect
# Re-encode the certificate as PEM, then strip the header/footer lines and newlines
TEMP=`sudo openssl x509 -in /etc/letsencrypt/live/replace.this.with.your.name/cert.crt -outform PEM | tail -n +2 | head -n -1 | tr -d '\n'`
set pki certificate openconnect certificate $TEMP
# Convert the SEC1 "EC PRIVATE KEY" into unencrypted PKCS#8 ("PRIVATE KEY"), the only form VyOS accepts
TEMP=`sudo openssl pkcs8 -topk8 -in /etc/letsencrypt/live/replace.this.with.your.name/privkey.key -outform PEM -nocrypt | tail -n +2 | head -n -1 | tr -d '\n'`
set pki certificate openconnect private key $TEMP
commit
save
exit

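The two posts above both boil down to the same steps: strip the PEM armour to a single base64 line and make sure the key is in the PKCS#8 form VyOS accepts. The following is an added helper (not from the thread and not VyOS's own tooling) that does that and refuses to emit "set pki" lines for an EC/RSA-header key instead of silently producing a config that commit rejects; the PKI name "openconnect", the sample file names and the fake PEM contents are assumptions.

```shell
#!/bin/sh
# Added example: build "set pki certificate ..." lines from a cert/key pair.
# Uses sed instead of tail/head so stray blank lines around the block do not
# end up in the base64, and checks the key header before emitting anything.

# pem_body [FILE]: print the base64 between the BEGIN/END lines as one line.
pem_body() {
    sed -n '/^-----BEGIN /,/^-----END /{ /^-----/d; p; }' "$@" | tr -d '\n\r'
}

# key_needs_pkcs8 FILE: succeed when the key is SEC1/PKCS#1 ("EC"/"RSA PRIVATE KEY"),
# the form VyOS rejects. Such a key must first go through
# "openssl pkcs8 -topk8 -nocrypt" to get a "-----BEGIN PRIVATE KEY-----" header.
key_needs_pkcs8() {
    grep -Eq '^-----BEGIN (EC|RSA) PRIVATE KEY-----' "$1"
}

# vyos_pki_set NAME CERTFILE KEYFILE: print the two set commands, or fail (status 1)
# without printing anything if the key still has to be converted.
vyos_pki_set() {
    name=$1; cert=$2; key=$3
    if key_needs_pkcs8 "$key"; then
        echo "$key: convert with 'openssl pkcs8 -topk8 -nocrypt' first" >&2
        return 1
    fi
    printf 'set pki certificate %s certificate %s\n' "$name" "$(pem_body "$cert")"
    printf 'set pki certificate %s private key %s\n' "$name" "$(pem_body "$key")"
}

# Constructed sample inputs (not real certificates or keys) for a stand-alone run.
WORK=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBfakeCert' 'Body==' '-----END CERTIFICATE-----' '' > "$WORK/cert.pem"
printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' 'MHcCAQEEfake' '-----END EC PRIVATE KEY-----' > "$WORK/ec.key"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIGHAgEAfake' '-----END PRIVATE KEY-----' > "$WORK/pkcs8.key"

vyos_pki_set openconnect "$WORK/cert.pem" "$WORK/ec.key" || echo "EC key refused, convert it first"
vyos_pki_set openconnect "$WORK/cert.pem" "$WORK/pkcs8.key"
```

Pipe the printed lines into a vbash session (after `configure`) or paste them into the renewal script in place of the TEMP lines.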

Now there is native support for letsencrypt certs for openconnect:

https://docs.vyos.io/en/latest/configuration/pki/index.html#acme