SSTP VPN with Let’s Encrypt certificates

- Diesen Artikel auf Deutsch lesen. -

SSTP requires an SSL certificate accepted by the client. If you have an internal certificate authority, you can use this. The only thing that must be ensured is that the client can also reach the blacklist on the Internet. Many fail with this requirement. So why not use another certificate, for example a free one from Let’s encrypt.

02a4563c0fb44852a2fefce4e3a9b74b SSTP VPN with Let's Encrypt certificates 1

This article requires a Microsoft Windows Routing and RAS Server with configured SSTP VPN. If you don’t have it installed yet, I recommend you have a look at the article: VPN Server with Windows Server 2022.

Installing Let’s Encrypt certificates

To control Let’s Encrypt I use the appropriate PowerShell module Posh-ACME. The easiest way to install it is via the PowerShell Gallery. To do this, execute the following commands in a PowerShell session with administrative privileges:

Install-PackageProvider -Name NuGet -Force
Install-Module -Name Posh-ACME -Scope AllUsers
20211111 RAS2022 RRAS LetsEncrypt 01 SSTP VPN with Let's Encrypt certificates 3

Now the certificate is requested. During this process, a corresponding check entry must be entered in the DNS. The required entry is displayed by the PowerShell script. So make sure you have access to the configuration of the DNS zone you want to use. And watch out for typos. Also remember that changes in the DNS sometimes take a little longer, so better have a coffee after the change. The commands are:

Set-PAServer LE_Prod
New-PACertificate -Domain "vpnhost.domain.tld" -Contact "[email protected]" -CertKeyLength ec-256 -AcceptTOS -Install
20211111 RAS2022 RRAS LetsEncrypt 02 SSTP VPN with Let's Encrypt certificates 5

Now you can also see the corresponding certificate in the certificate management for computers. As usual with Let’s Encrypt, the duration is only 3 months.

20211111 RAS2022 RRAS LetsEncrypt 03 SSTP VPN with Let's Encrypt certificates 7

To make sure that the VPN server uses the right certificate, we need some PowerShell again:

$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -match "vpnhost.domain.tld"}
Import-Module RemoteAccess
Stop-Service RemoteAccess
Set-RemoteAccess -SslCertificate $cert
Start-Service RemoteAccess
20211111 RAS2022 RRAS LetsEncrypt 04 SSTP VPN with Let's Encrypt certificates 9

Renewing Certificates

The renewal can be done easily with the command “Submit-Renewal”, but only 5 weeks before expiration. But also here the configuration for the certificate assignment has to be done again. The background is that Let Encrypt issues new certificates instead of renewing the existing ones

The script to be created must be executed as a scheduled task in the same user context (including administrative rights!) as the request. Otherwise, the ACME profile with the required information is missing. A sample script could look like this:

Import-Module RemoteAccess
Stop-Service RemoteAccess
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -match "vpnhost.domain.tld" -and $_.NotBefore -lt $(Get-Date) -and $_.NotAfter -gt $(Get-Date) }
Set-RemoteAccess -SslCertificate $cert
Start-Service RemoteAccess

Leave a comment