Assigning a valid SSL cert to HTTPS secure a VPN host

By Marshall Whittaker
Posted Jul 12 4 min read
ssl certificate vpn lan host subdomain opnvpn openssl https letsencrypt acme


The Problem

So you want to assign a valid SSL certificate to a host on a VPN, on which you have a subdomain under a domain that you have zonefile access to, where the subdomain points to your host’s VPN IP, and the host requires a working HTTPS server. The issue comes into play when you try to use certbot/letsencrypt/[insert ACME client here] to generate the fullchain and private key, because on challenge response, we’re obviously unable to reach our host from the internet to validate the ACME transaction, on account of the host being on a private subnet (a class A/B/C network, hosted by the VPN). This gives you a chicken-and-egg style scenario, where you’re unable to generate the required fullchain/privkey pair needed to activate SSL/TLS on your HTTPS server because it cannot be remotely accessed.

Note: This is more of a conceptual walkthrough on the ideas necessary to get this working. Some technical knowledge of your specific setup (such as details of your own networks, and the skill required to edit your server’s config files for both the webserver hosting the challenge response, as well as the server’s config where you will be plugging in the generated fullchain/privkey pair, and basic operating system use) is going to be necessary and will be specifically omitted in this write-up!

Requirements

  • Publicly accessible (internet facing) server that is pointed to by your DNS provider via an A record.
  • An HTTP server on the VPN that you would like to be able to access securely via HTTPS (or other service you would like to serve only to VPN clients, with valid SSL).
  • Certbot or other ACME client and account.
  • Working VPN where clients can access each other, as well as the internet (This can be OpenVPN, WireGuard, whatever).
  • The privileges necessary to edit your domain’s zonefile, so that you can add/modify an A record in your DNS provider’s config.
  • High enough privileges on both servers to be able to alter webserver config files, and run certbot. This normally requires root.
  • Some basic technical knowledge of webservers, Linux (copying files/editing configs/restarting services, etc), DNS protocol, ACME clients, and VPNs.

Modifying Your Zonefile

Note: I will hereafter refer to the public facing primary domain’s server as ServerA, and the server behind the VPN that you want to add HTTPS to as ServerB.

First you will need to locate ServerB. You probably already have it configured with an IP from some internal block in one of the aforementioned A/B/C ranges. You should write this IP down, because you will need it later! Once located, you can copy the internet facing IP of ServerA into the A record for ServerB (this is temporary). Save your changes in your provider’s DNS panel, wait a couple minutes then ping both subdomain and toplevel domain and make sure they both are resolving to the internet facing IP now.

Use ACME Protocol

You should first set up a virtual HTTP host in your chosen webserver, so that when the ACME protocol connects to it, it sees that there is a webserver online and can connect to it and is able to pull data from the specific subdomain that you’re wanting to set up HTTPS on. You can go ahead and run certbot, or whatever other ACME client you’re using.

It should look something like: sudo certbot certonly --standalone -d box.oxasploits.com.

It will add our necessary .pem files to /etc/letsencrypt/live/box.oxasploits.com/.

Installing Keys

You will probably need to copy the files to your home dir somewhere you can find them, then change the permissions before you can easily download them, then put them on ServerB.

So do: sudo cp /etc/letsencrypt/live/box.oxasploits.com/*.pem ~/ && sudo chown you:you ~/*.pem.

Now you can move to ServerB and perform: scp "yoursite.com:*.pem" ~/.

Then: sudo cp ~/fullchain.pem ~/privkey.pem /etc/ssl/.

Finally make sure the permissions are correct on the files: sudo chown root:root /etc/ssl/*.pem && sudo chmod u=rw,g=r,o-rwx /etc/ssl/*.pem.

Now you should be set with new working fullchain and private key, and are ready to install them in ServerB’s webserver config.

You should now swap back in the original IP from the VPN’s subnet to ServerB on your zonefile (in your Domain Name provider’s config panel most likely).

This should give you a working configuration where your VPN’s server is now serving data with a valid certificate and you can connect to it securely! I hope you enjoyed my write-up, if you have any issues or comments, please feel free to email me!
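The whole ServerA/ServerB flow above, with the checks a practitioner would want at each step, as an added example that is not part of the original post: it waits until the subdomain actually resolves to ServerA before running certbot, refuses to install a fullchain.pem that does not belong to the privkey.pem next to it, verifies the final file mode, and reminds you to put the VPN IP back in the zonefile. The hostname box.example.com, the addresses 203.0.113.10 and 10.8.0.5, and the CERT_FLOW_STEP / RESOLVER / DNS_POLL_SECONDS variables are assumptions for this script, not values from the post; the certbot, scp, chown and chmod commands are the ones the write-up uses.

```shell
#!/bin/sh
# Added example (not the post's own script). Placeholders: replace the
# hostname and IPs with your own. Run with CERT_FLOW_STEP=issue on ServerA
# and CERT_FLOW_STEP=install on ServerB; without it only the functions load.

SUBDOMAIN="${SUBDOMAIN:-box.example.com}"       # ServerB's name (assumed)
SERVER_A_IP="${SERVER_A_IP:-203.0.113.10}"       # ServerA's public IP (assumed)
SERVER_B_VPN_IP="${SERVER_B_VPN_IP:-10.8.0.5}"   # ServerB's VPN address (assumed)
LIVE_DIR="/etc/letsencrypt/live/$SUBDOMAIN"      # certbot's default output dir
INSTALL_DIR="${INSTALL_DIR:-/etc/ssl}"
DNS_POLL_SECONDS="${DNS_POLL_SECONDS:-30}"

# default_resolver NAME -> first IPv4 address NAME resolves to (via getent).
default_resolver() {
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

# resolve_a NAME -> resolves through $RESOLVER (overridable with a stub
# function, which is how the offline test exercises the DNS logic).
resolve_a() {
    "${RESOLVER:-default_resolver}" "$1"
}

# dns_points_to NAME IP -> success only if NAME currently resolves to IP.
dns_points_to() {
    [ "$(resolve_a "$1")" = "$2" ]
}

# wait_for_dns NAME IP TRIES -> poll until the changed A record has propagated.
wait_for_dns() {
    i=0
    while [ "$i" -lt "$3" ]; do
        dns_points_to "$1" "$2" && return 0
        i=$((i + 1))
        sleep "$DNS_POLL_SECONDS"
    done
    return 1
}

# cert_matches_key CERT KEY -> success if CERT's public key is the public
# half of KEY (catches copying the wrong privkey.pem to ServerB).
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_valid_for CERT DAYS -> success if CERT will not expire within DAYS.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# mode_ok FILE -> success if FILE is mode 640, i.e. u=rw,g=r,o-rwx (GNU stat).
mode_ok() {
    [ "$(stat -c %a "$1")" = "640" ]
}

# ServerA: run once the zonefile temporarily points SUBDOMAIN at ServerA.
issue_on_server_a() {
    wait_for_dns "$SUBDOMAIN" "$SERVER_A_IP" 10 || {
        echo "$SUBDOMAIN does not resolve to $SERVER_A_IP yet; fix the A record first" >&2
        return 1
    }
    # Standalone mode binds port 80 itself, so nothing else may listen there.
    sudo certbot certonly --standalone -d "$SUBDOMAIN"
    sudo cp "$LIVE_DIR/fullchain.pem" "$LIVE_DIR/privkey.pem" ~/
    sudo chown "$(id -un):$(id -gn)" ~/fullchain.pem ~/privkey.pem
    echo "now run on ServerB: scp \"$(hostname -f):*.pem\" ~/"
}

# ServerB: run after the two .pem files have been scp'd into ~.
install_on_server_b() {
    cert_matches_key ~/fullchain.pem ~/privkey.pem || {
        echo "fullchain.pem and privkey.pem do not belong together" >&2
        return 1
    }
    cert_valid_for ~/fullchain.pem 1 || { echo "certificate already expired" >&2; return 1; }
    sudo cp ~/fullchain.pem ~/privkey.pem "$INSTALL_DIR/"
    sudo chown root:root "$INSTALL_DIR/fullchain.pem" "$INSTALL_DIR/privkey.pem"
    sudo chmod u=rw,g=r,o-rwx "$INSTALL_DIR/fullchain.pem" "$INSTALL_DIR/privkey.pem"
    mode_ok "$INSTALL_DIR/privkey.pem" || { echo "unexpected mode on privkey.pem" >&2; return 1; }
    rm -f ~/privkey.pem    # do not leave a spare copy of the private key around
    echo "installed; now point $SUBDOMAIN back at $SERVER_B_VPN_IP in the zonefile"
}

case "${CERT_FLOW_STEP:-}" in
    issue)   issue_on_server_a ;;
    install) install_on_server_b ;;
esac
```

The resolver is injectable so the DNS gate can be tested without touching real DNS; on a live box the default path uses getent, which reads the same resolver your webserver will. The key/cert match check is the one step the post's copy commands cannot guarantee by themselves, since scp happily copies a stale privkey.pem from an earlier run.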

blueteam
This post is licensed under CC BY 4.0 by the author.
© 2025 Marshall Whittaker. Some rights reserved.