OpenVPN SSL - Using Let’s Encrypt and Certbot to automate the creation of certificates for OpenVPN

Installing Certbot
Installing Certbot on an Ubuntu (Xenial) machine is as easy as:

This code uses the PPA to install the executable.

A little tip (in case you don't know it yet):   allows the install to be non-interactive and to proceed without the need to confirm every operation from the keyboard.

From this moment on you can use the certbot executable.

If you want to have an idea of its capabilities you can simply run:

Generating a certificate with Certbot
Certbot uses Let's Encrypt to generate a certificate. Let's Encrypt issues a certificate for your domain only if it is able to verify that you really own that domain and that it is associated with the public IP of the machine from which you are running certbot.

So, in order to pass the verification process, you need to have a web server running on your machine and accessible from the outside world. While Certbot supports the main web servers such as Nginx and Apache, it also features a standalone server that you can use exclusively for the verification process. This web server will run on the standard web ports (80 and 443), so if you have other services using these ports you need to stop them first.

In the case of OpenVPN you can stop its web server with:

Then you can run the certbot command line with the following options:

Let's see briefly what every option is doing:
 * : runs the standalone web server for the verification process.
 * : runs in totally automated mode, never asks for input.
 * : needed to make the above work; with this parameter you are confirming you agree to the terms of service.
 * : the certificate email.
 * : the certificate domain.
 * : this is needed for the auto-renewal of the certificate and describes the command to run before the renewal process can be executed. We are using it to stop the OpenVPN web interface.
 * : similar to the previous one, allows us to specify a command to be executed after a certificate is renewed; we use it to restart the OpenVPN web interface.

This command generates numerous files including   and , the two files we need to use in OpenVPN. So let's link them into the proper OpenVPN folder:

We link them because they will be changed in the future by the renewal process, so we are sure that OpenVPN will always be using the most up-to-date certificate files.

And, finally, we can restart OpenVPN:

After a few seconds your OpenVPN website should be up and running, with a shiny green icon indicating that the website is properly encrypted through a signed certificate. Woohoo, well done!
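The procedure above collected into one script, with a check that the linked files follow a renewal. This is an added example, not the article's original commands: the domain, e-mail address, service commands, destination directory and the server.crt / server.key file names are assumptions to replace with your own values.

```shell
#!/bin/sh
# Added example, not the article's original commands.
# Every value below is an assumption or placeholder: replace before use.
DOMAIN="${DOMAIN:-vpn.example.com}"
EMAIL="${EMAIL:-admin@example.com}"
STOP_CMD="${STOP_CMD:-service openvpnas stop}"      # assumed service name
START_CMD="${START_CMD:-service openvpnas start}"   # assumed service name
WEB_SSL_DIR="${WEB_SSL_DIR:-/path/to/openvpn/web-ssl}"  # placeholder path
CERTBOT="${CERTBOT:-certbot}"   # set CERTBOT=echo to print the arguments only

# Request the certificate with certbot's standalone verifier. As the article
# explains, the two hooks let the automatic renewal stop the OpenVPN web
# interface beforehand and start it again afterwards.
issue_cert() {
  $CERTBOT certonly --standalone --non-interactive --agree-tos \
    --email "$EMAIL" --domains "$DOMAIN" \
    --pre-hook "$STOP_CMD" --post-hook "$START_CMD"
}

# Link (do not copy) certificate and key, so that files replaced by a renewal
# are what OpenVPN reads on its next start. Refuses to link if either file
# is missing or empty, leaving any existing links untouched.
link_certs() {
  live="$1"; dest="$2"
  for f in fullchain.pem privkey.pem; do
    [ -s "$live/$f" ] || { echo "missing or empty: $live/$f" >&2; return 1; }
  done
  ln -sf "$live/fullchain.pem" "$dest/server.crt"   # assumed target name
  ln -sf "$live/privkey.pem" "$dest/server.key"     # assumed target name
}

main() {
  $STOP_CMD                                   # free the web ports
  issue_cert
  link_certs "/etc/letsencrypt/live/$DOMAIN" "$WEB_SSL_DIR"
  $START_CMD                                  # bring the web interface back
}

# Nothing is changed unless the script is called with --apply.
if [ "${1:-}" = "--apply" ]; then set -e; main; fi
```

Run it with CERTBOT=echo first to inspect the certbot arguments without contacting Let's Encrypt.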

Source: https://loige.co/using-lets-encrypt-and-certbot-to-automate-the-creation-of-certificates-for-openvpn/