Bug #8281

closed

letsencrypt cert ca isn't recognised by openvpn client

Added by dhia eddine over 6 years ago. Updated over 6 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: ACME
Target version: -
Start date: 01/15/2018
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version: 2.4.2_1
Affected Plus Version:
Affected Architecture:

Description

Using an LE-generated cert for the OpenVPN config, the OpenVPN client can't connect, stopping at:

 VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3

Seems to be due to the CA certificate obtained by the ACME client being the cross-signed one (lets-encrypt-x3-cross-signed) without being bundled with the root cert.

Got it to work by changing the LE CA cert (in the cert manager) to letsencryptauthorityx3 bundled with isrgrootx1.

Using the OpenVPN CLI and network-manager on Ubuntu 16.04.3.

Actions #1

Updated by Jim Pingle over 6 years ago

  • Status changed from New to Rejected

Never use a public/globally trusted cert with your VPN. You will allow anyone anywhere with a cert from the same CA access to your VPN, reducing your overall security even with additional layers like TLS keys.

Use a self-signed CA/Cert structure. There is zero benefit to using an ACME or other trusted cert and massive disadvantages by doing so.

We will not fix an issue that would degrade security in this way.
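The two points in this thread, the chain walk that stops at depth 1 when the bundle holds only a cross-signed intermediate (the description) and the fact that any certificate from the same public CA chains just as well (comment #1), can both be reproduced with a small chain checker. The following is an added example, not pfSense, ACME-package or OpenVPN code; it assumes the Python `cryptography` package is installed, and every certificate, name and key in it is constructed test data standing in for the real Let's Encrypt hierarchy (an "old root" cross-signing the intermediate, a "new root" signing it directly). Error strings are modelled on OpenSSL's verify output so the first case matches the report.

```python
"""Chain-completeness check for a CA bundle (added example, not project code).

Models the failure in bug #8281: the client is handed an intermediate that is
cross-signed by a root it does not have, so the walk from the server cert
stops at depth 1.  Assumes the `cryptography` package is available.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(cn, org="Constructed CA (not Let's Encrypt)"):
    return x509.Name([
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, org),
        x509.NameAttribute(NameOID.COMMON_NAME, cn),
    ])


def _issue(subject, subject_key, issuer, issuer_key, is_ca):
    """Build and sign one certificate; everything here is constructed test data."""
    start = datetime.datetime(2018, 1, 15, tzinfo=datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(start + datetime.timedelta(days=90))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(issuer_key, hashes.SHA256())
    )


def _signed_by(cert, issuer):
    """True if the key in `issuer` verifies the signature on `cert` (EC keys throughout)."""
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def build_chain(leaf, bundle):
    """Walk issuer -> subject from `leaf` through `bundle` until a self-signed root.

    Returns (chain, error).  `error` is None on success, otherwise a string in the
    style of OpenSSL's verify output, giving the depth at which the walk stopped.
    """
    chain = [leaf]
    while len(chain) <= 10:  # guard against cross-signing loops
        current = chain[-1]
        depth = len(chain) - 1
        if current.subject == current.issuer and _signed_by(current, current):
            # Self-signed: it is a trust anchor only if the bundle actually holds it.
            if any(c == current for c in bundle):
                return chain, None
            return chain, f"depth={depth}, error=self signed certificate in certificate chain"
        issuers = [c for c in bundle if c.subject == current.issuer and _signed_by(current, c)]
        if not issuers:
            return chain, f"depth={depth}, error=unable to get issuer certificate"
        chain.append(issuers[0])
    return chain, f"depth={len(chain) - 1}, error=certificate chain too long"


def verify_error(leaf, bundle):
    """The error a client holding `bundle` as its CA would report for `leaf`, or None."""
    return build_chain(leaf, bundle)[1]


def make_scenario():
    """Constructed stand-in for the hierarchy in the report: one intermediate key in
    two certificates (cross-signed by an older root, and signed by a newer self-signed
    root) plus two server certificates issued by that intermediate."""
    keys = {k: ec.generate_private_key(ec.SECP256R1())
            for k in ("old", "new", "inter", "vpn", "other")}
    old_name, new_name, inter = (_name("Old Root (constructed)"),
                                 _name("New Root (constructed)"),
                                 _name("Intermediate X (constructed)"))
    old_root = _issue(old_name, keys["old"], old_name, keys["old"], True)
    new_root = _issue(new_name, keys["new"], new_name, keys["new"], True)
    return {
        "old_root": old_root,
        "new_root": new_root,
        "inter_cross": _issue(inter, keys["inter"], old_name, keys["old"], True),
        "inter_plain": _issue(inter, keys["inter"], new_name, keys["new"], True),
        "vpn": _issue(_name("vpn.example.test"), keys["vpn"], inter, keys["inter"], False),
        "other": _issue(_name("someone-else.example.test"), keys["other"], inter, keys["inter"], False),
    }


if __name__ == "__main__":
    s = make_scenario()
    # What the report saw: only the cross-signed intermediate, no root in the bundle.
    print(verify_error(s["vpn"], [s["inter_cross"]]))
    # What fixed it: the directly signed intermediate bundled with its self-signed root.
    print(verify_error(s["vpn"], [s["inter_plain"], s["new_root"]]))
    # Comment #1's point: a different subject from the same CA chains just as well.
    print(verify_error(s["other"], [s["inter_plain"], s["new_root"]]))
```

The first call reproduces the `depth=1, error=unable to get issuer certificate` line from the report, the second returns no error once the root is in the bundle, and the third shows why a chain check against a public CA does not by itself identify a VPN peer: the second server certificate from the same intermediate passes identically.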

Actions #2

Updated by dhia eddine over 6 years ago

You're right, it's better to use your own CA for a private VPN.

But the issue is about the ACME client putting the bundled LE CA cert in the cert manager and then delivering the whole bundle to connected clients, so that more clients will be able to validate certs issued by LE.
Aside from OpenVPN, can this benefit other services? HAProxy?

Actions #3

Updated by Jim Pingle over 6 years ago

No. It already works fine with all other services that we're aware of, including HAProxy.
