ocserv: support custom server SSL certificate

Add UCI options for the path to the server's SSL certificate and
private key. This enables the use of a certificate provided by an
external certificate authority instead of the default self-signed
certificate.

The self-signed certificate is still produced if it doesn't already
exist, and is used by default. So this change should be transparent to
existing users.

Fixes #23099.

Signed-off-by: Jack Lovell <jacklovell1990@gmail.com>
Jack Lovell
2026-05-31 15:49:39 +01:00
committed by Nikos Mavrogiannopoulos
parent ad7bc019e2
commit ca54c9b937
4 changed files with 35 additions and 6 deletions
+1 -1
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=ocserv
PKG_VERSION:=1.4.1
PKG_RELEASE:=1
PKG_RELEASE:=2
PKG_BUILD_FLAGS:=no-mips16
PKG_BUILD_DIR :=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
+26 -1
@@ -7,7 +7,10 @@ It is recommended to setup a dynamic DNS address with openwrt prior
to starting the server. That is because during the first startup
a certificate file which will contain the dynamic DNS name will be
created. You can always regenerate the certificate by deleting
/etc/ocserv/server-key.pem.
/etc/ocserv/server-key.pem. Alternatively, an externally-supplied
certificate may be provided (obtained for example from Let's Encrypt
using the acme package); this too will require the server's DNS name
to match that of the certicate.
There are two approaches to setup the VPN. The proxy-arp approach (1)
which provides clients with addresses of the LAN, and the "forwarding"
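Review bot: typo in the added README sentence: "certicate" should be "certificate". The sentence would also read more cleanly as "this too requires the server's DNS name to match the one in the certificate", since the requirement is a property of any certificate, not just the externally supplied one.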
@@ -179,6 +182,28 @@ config rule
Note, that the last two rules, enable connections to port 443 from the
Internet. That is the port used by OpenConnect VPN.
Using an externally-supplied server certificate
===============================================
By default, a self-signed SSL certificate is used to identify the server.
A certificate obtained by an external Certificate Authority (such as
Let's Encrypt) may be used instead.
First, obtain the certificate and private key (for example using acme):
it will be installed somewhere like `/etc/acme/<your-dns-name>`. The two
relevant files are <your-dns-name>.key for the private key, and
fullchain.cer for the certificate containing the full chain of trust.
Then add the following configuration to the ocserv configuration file:
```
----/etc/config/ocserv-------------------------------------------
config ocserv 'config'
option server_key <path-to-server-key.key>
option server_cert <path-to-fullchain-cert.cer>
```
Starting the server
===================
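Review bot: the new README section does not say how a renewed certificate reaches ocserv. Nothing in this change wires acme renewals to the service, and the init script renders the paths into /var/etc/ocserv.conf at start, so the text should tell the user to restart (or reload) ocserv after acme rotates fullchain.cer, for instance from an acme post-hook. Two smaller points: the example values should be quoted the way UCI option values conventionally are, e.g. option server_key '/etc/acme/<your-dns-name>/<your-dns-name>.key', and "obtained by an external Certificate Authority" should be "obtained from". A sentence that the key file must be readable by the user ocserv starts as would save the most common support question.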
+2 -2
@@ -99,8 +99,8 @@ try-mtu-discovery = false
#
# There may be multiple certificate and key pairs and each key
# should correspond to the preceding certificate.
server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem
server-cert = |SERVER_CERT|
server-key = |SERVER_KEY|
# Diffie-Hellman parameters. Only needed if you require support
# for the DHE ciphersuites (by default this server supports ECDHE).
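Review bot: the comment retained above these lines still says "There may be multiple certificate and key pairs and each key should correspond to the preceding certificate", but the |SERVER_CERT| / |SERVER_KEY| placeholders substitute exactly one path each. Either trim the comment in the template, or state in the README that UCI configures a single pair and that additional server-cert/server-key lines can go in /etc/ocserv/ocserv.conf.local, which the init script appends to the rendered config.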
+6 -2
@@ -23,6 +23,8 @@ setup_config() {
config_get ping_leases $1 ping_leases "0"
config_get split_dns $1 split_dns "0"
config_get default_domain $1 default_domain ""
config_get server_cert $1 server_cert "/etc/ocserv/server-cert.pem"
config_get server_key $1 server_key "/etc/ocserv/server-key.pem"
# Enable proxy arp, and make sure that ping leases is set to true in that case,
# to prevent conflicts.
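Review bot: the two new config_get calls take the paths at face value with no existence or readability check, so a typo, or pointing at an acme directory before the first issuance, only surfaces later as ocserv failing to start. Suggest validating right after these lines, e.g. [ -r "$server_cert" ] && [ -r "$server_key" ] || { logger -t ocserv "server_cert/server_key not readable, using default certificate"; server_cert=/etc/ocserv/server-cert.pem; server_key=/etc/ocserv/server-key.pem; }, or aborting with an explicit log line if silent fallback is not wanted.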
@@ -103,6 +105,8 @@ setup_config() {
-e "s~|NETMASK|~$netmask~g" \
-e "s~|IPV6ADDR|~$ip6addr~g" \
-e "s~|ENABLE_IPV6|~$enable_ipv6~g" \
-e "s~|SERVER_CERT|~$server_cert~g" \
-e "s~|SERVER_KEY|~$server_key~g" \
/etc/ocserv/ocserv.conf.template > /var/etc/ocserv.conf
test -f /etc/ocserv/ocserv.conf.local && cat /etc/ocserv/ocserv.conf.local >> /var/etc/ocserv.conf
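Review bot: the substituted values are not escaped for sed. A path containing ~ (the delimiter used here) terminates the expression, and & in the replacement expands to the matched placeholder, so the rendered /var/etc/ocserv.conf ends up wrong. The existing substitutions carry addresses and flags, but these two are the first free-form filesystem paths. Escape before the sed call, e.g. server_cert=$(printf '%s' "$server_cert" | sed 's/[~&\\]/\\&/g'), or reject such characters in setup_config.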
@@ -170,9 +174,9 @@ start_service() {
--outfile /etc/ocserv/ca.pem >/dev/null 2>&1
}
#generate server certificate/key
#generate default server certificate/key
[ ! -f /etc/ocserv/server-key.pem ] && [ -x /usr/bin/certtool ] && {
logger -t ocserv "Generating server certificate..."
logger -t ocserv "Generating default server certificate..."
mkdir -p /etc/ocserv/pki/
certtool --bits 2048 --generate-privkey --outfile /etc/ocserv/server-key.pem >/dev/null 2>&1
echo "cn=$hostname" >/etc/ocserv/pki/server.tmpl
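Review bot: the generation condition keys only on /etc/ocserv/server-key.pem, and certtool's output is discarded with >/dev/null 2>&1, so a user who sets server_key to the default path but server_cert to an external file gets a mismatched pair with no log line pointing at the cause. Keeping the default generation unconditional is consistent with the commit message, but consider logging certtool's exit status, and warning when exactly one of server_cert/server_key is left at its default.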