openwrt / packages

Community maintained packages for OpenWrt. Documentation for submitting pull requests is in CONTRIBUTING.md
GNU General Public License v2.0

ocserv: UCI option to use alternative SSL certificate instead of self-signed one #23099

Open jacklovell opened 6 months ago

jacklovell commented 6 months ago

Maintainer: @nmav (find it by checking history of the package Makefile)
Environment: mips_24kc, BT Home Hub 5 (lantiq/xrx200), OpenWrt 23.05.2 r23630-842932a63d

Description:

It is useful to be able to use a Let's Encrypt SSL certificate for ocserv. Currently the package generates a self-signed certificate and private key on first run, which then needs to be imported into all clients, which can be inconvenient/cumbersome. The acme package can automatically manage Let's Encrypt certificates, which get placed in /etc/ssl/acme: it would be nice to have a UCI option to tell ocserv to use one of these certificates instead of its self-signed one.

Currently there are a few ways of accomplishing this which require modifications outside of UCI and all of which seem like they violate at least 1 best-practice guideline for configuring OpenWRT:

  1. Delete the generated server-key.pem and server-cert.pem files and replace with symlinks to the certificates desired.
  2. Run acme.sh outside of the OpenWRT acme package (i.e. not using /etc/init.d/acme) and manually configure it to place the certificate at /etc/ocserv/server-cert.pem, so that acme updates the certificate from then on.
  3. Modify /etc/ocserv/ocserv.conf.template to update the path: this means ignoring the warning at the start of that file to put customisations in /etc/ocserv/ocserv.conf.local instead.

Would it be possible to add a UCI configuration option for the user to specify the path to the desired certificate and private key? This could then also be set in LUCI which would be more user-friendly than the alternatives described above.

nmav commented 6 months ago

Integrating with letsencrypt would be great. Would you like to submit a patch?

brada4 commented 6 months ago

You can change -f ...pem to -e ...pem in the init script and replace the cert location with a symlink to the acme products.
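Added example, not code from the ocserv package, the acme package, or anyone in this thread: a POSIX sh function showing how the init script could consume the UCI option proposed in the issue description (hypothetical option names `certificate` and `key` in /etc/config/ocserv), fall back to the package's self-signed server-cert.pem / server-key.pem when they are unset, and test the paths with `-e` rather than `-f` as suggested in the comment above so that symlinks into /etc/ssl/acme are accepted. It also refuses a private key that other users on the router can read. The acme file names (vpn.example.org.fullchain.crt / .key) and the scratch layout are constructed for the demo; `server-cert` and `server-key` are ocserv's own ocserv.conf directives.

```sh
#!/bin/sh
# Added example, not the OpenWrt ocserv package's init script.
# Hypothetical UCI options this would read (names are an assumption):
#   option certificate '/etc/ssl/acme/vpn.example.org.fullchain.crt'
#   option key         '/etc/ssl/acme/vpn.example.org.key'

# resolve_tls_pair [cert_path] [key_path]
# Prints the two ocserv.conf directives for the pair to use, or prints a
# diagnostic on stderr and returns 1. In a real init script the arguments
# would come from `config_get cert "$cfg" certificate` and
# `config_get key "$cfg" key`. The defaults are overridable through
# OCSERV_DEFAULT_CERT / OCSERV_DEFAULT_KEY so the function can be tried
# against a scratch directory instead of the live router paths.
resolve_tls_pair() {
    cert="${1:-${OCSERV_DEFAULT_CERT:-/etc/ocserv/server-cert.pem}}"
    key="${2:-${OCSERV_DEFAULT_KEY:-/etc/ocserv/server-key.pem}}"

    # Override both or neither: a Let's Encrypt certificate paired with the
    # generated self-signed key (or vice versa) can never match.
    if { [ -n "$1" ] && [ -z "$2" ]; } || { [ -z "$1" ] && [ -n "$2" ]; }; then
        echo "ocserv: set certificate and key together or not at all" >&2
        return 1
    fi

    # -e rather than -f: the configured path may be a symlink into
    # /etc/ssl/acme. -r catches a dangling link or an unreadable target
    # before ocserv fails to start with a less helpful message.
    for f in "$cert" "$key"; do
        if [ ! -e "$f" ] || [ ! -r "$f" ]; then
            echo "ocserv: $f is missing or unreadable" >&2
            return 1
        fi
    done

    # Refuse a private key readable by other users. `ls -L` reports the
    # symlink target's mode; columns 8-10 of the listing are the "other" bits.
    other=$(ls -lL "$key" | cut -c8-10)
    if [ "$other" != "---" ]; then
        echo "ocserv: $key is readable by other users (other bits: $other)" >&2
        return 1
    fi

    printf 'server-cert = %s\nserver-key = %s\n' "$cert" "$key"
}

# Constructed scratch layout for trying the function offline: a fake
# /etc/ssl/acme with a placeholder cert and a 0600 key, plus symlinks standing
# in for the package's /etc/ocserv/server-*.pem (the symlink workaround from
# the issue description). The PEM bodies are not real certificates.
make_scratch_layout() {
    dir=$1
    mkdir -p "$dir/ssl/acme" "$dir/ocserv"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder' \
        '-----END CERTIFICATE-----' >"$dir/ssl/acme/vpn.example.org.fullchain.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'placeholder' \
        '-----END PRIVATE KEY-----' >"$dir/ssl/acme/vpn.example.org.key"
    chmod 600 "$dir/ssl/acme/vpn.example.org.key"
    ln -s "$dir/ssl/acme/vpn.example.org.fullchain.crt" "$dir/ocserv/server-cert.pem"
    ln -s "$dir/ssl/acme/vpn.example.org.key" "$dir/ocserv/server-key.pem"
}

# Demo: resolve the defaults (symlinks) against a scratch layout.
scratch=$(mktemp -d)
make_scratch_layout "$scratch"
OCSERV_DEFAULT_CERT="$scratch/ocserv/server-cert.pem"
OCSERV_DEFAULT_KEY="$scratch/ocserv/server-key.pem"
resolve_tls_pair "" ""
rm -rf "$scratch"
```

In the real init script the printed directives would go into the generated ocserv.conf in place of the template's server-cert / server-key lines. What this does not do is prove that the certificate and key actually belong together; that needs a tool such as openssl or certtool to compare the public keys, and is worth adding before the service is started so a half-updated pair fails at config time rather than at the first client connect.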

jacklovell commented 6 months ago

I'm happy to give this a go, but I can't dedicate any time to it for a few weeks yet.