Tutorial: How to Use ACME Client to Issue Web SSL Certificates for the Access Server UI
How to install a Let's Encrypt SSL certificate for OpenVPN's Access Server web services using a domain, IP address, cluster, or failover setup.
Overview
Access Server secures its web interfaces (Admin Web UI and Client Web UI) using an SSL/TLS certificate. After installation, Access Server generates a self-signed certificate allowing you to access the web services immediately. Because the certificate is self-signed, web browsers typically show warnings such as "Unable to verify authenticity." This is expected.
This tutorial explains how to request, install, and verify a signed Let's Encrypt SSL certificate for Access Server web services using:
A domain name (FQDN).
An IP address.
A cluster deployment.
A failover deployment.
After completing these steps, most browsers will automatically trust the web interface and display a secure connection indicator (for example, a green padlock icon). Certificates are also renewed automatically by the ACME client.
Important: Using a third-party certificate authority
If you plan to install web SSL certificates manually from a third-party certificate authority (for example, DigiCert, GoDaddy, or GlobalSign), do not use the ACME client described in this tutorial.
Instead, follow the separate guide:
Tutorial: How to Install a Valid Web SSL Certificate in Access Server
If you install a manual certificate while ACME is enabled, it will be automatically replaced at the next renewal.
To prevent this, disable the ACME client service:
sacli --key "acme.enable" --value "false" ConfigPut
sacli start
Important
For domain certificates (90-day duration), renewal occurs at 60 days.
For IP address certificates (160 hours / just over 6 days), renewal occurs at 3 days.
For more, refer to What is the lifetime for Let’s Encrypt certificates? For how long are they valid?
SSL certificates for web services aren't related to VPN certificates. Changing web SSL certificates does not affect VPN certificates.
Prerequisites
Access Server 3.1.0 or newer.
Console access and the ability to get root access.
Outbound traffic allowed to TCP 443 (the ACME client contacts the CA over HTTPS), and inbound TCP 443 reachable from the internet, because the default TLS-ALPN-01 challenge is validated by the CA connecting to your web services port.
A public IP address and, for the domain method, a DNS record that resolves to that IP.
Note
In our documentation, we use example IPv4 addresses and subnets reserved for documentation, such as 192.0.2.0/24, 198.51.100.0/24, and 203.0.113.0/24.
Ensure you replace them with valid IPv4 addresses and subnets for your network(s).
Decide which method applies to your deployment:
Domain (FQDN): Recommended for most deployments.
IP address: Useful if you don't have a domain name. Note: IP certs are short-lived.
Cluster: Use if Access Server is deployed in a cluster.
Failover: Use if Access Server is deployed using MASTER/BACKUP failover.
Continue to the step that matches your use case.
You can include multiple Subject Alternative Names (SANs) in the same Let's Encrypt certificate when they resolve to the same Access Server instance.
Multiple domains on the same IP
If your Access Server IP is associated with more than one domain name and you want the certificate to be valid for all of them, you can include multiple domains as SANs in a single Let's Encrypt certificate.
This is useful when the same Access Server instance is accessed using different DNS names, you're migrating between domains, or you want both domains trusted in the browser.
Example:
192.0.2.5 → brandon.example1.com
192.0.2.5 → brandon.example2.com
You can include both domains in a single certificate:
sacli --key "acme.domains.0" --value "brandon.example1.com" ConfigPut
sacli --key "acme.domains.1" --value "brandon.example2.com" ConfigPut
Then continue with:
Step 2: Issue and install a web SSL certificate using a domain (FQDN)
The resulting certificate will include both DNS names under SAN.
Domain and IP in the same certificate
If you want the certificate to be valid when accessing Access Server via both its domain name and its IP address, you can include both as SANs.
This is useful if administrators or users sometimes access the Admin or Client Web UIs via IP address rather than the domain name.
Example:
192.0.2.5→brandon.example1.com
You can include both the domain and the IP in the same certificate:
sacli --key "acme.domains.0" --value "brandon.example1.com" ConfigPut
sacli --key "acme.ip_addresses.0" --value "192.0.2.5" ConfigPut
Then continue with:
Step 4: Issue and install a web SSL certificate using an IP address
The resulting certificate will include both the DNS name and the IP address under SAN.
Note
The ACME client requests and installs Let’s Encrypt certificates by default.
This tutorial uses Let's Encrypt, but other Certificate Authorities (CA) that use the ACME standard are also supported, such as:
SSL.com
ZeroSSL
Google Trust Services
For more, refer to ACME CAs.
The ACME client uses the TLS-ALPN-01 challenge by default (validation over TLS on port 443). This is helpful when port 80 is unavailable. TLS-ALPN-01 can't validate wildcard domains. For more info, refer to Let's Encrypt Challenge Types.
Issue and install a web SSL certificate using a domain (FQDN)
Connect to the console and get root privileges.
Assign the domain that will receive the Let's Encrypt certificate:
sacli --key "acme.domains.0" --value "brandon.example.com" ConfigPut
Replace brandon.example.com with your Access Server domain.
Restart Access Server services:
sacli start
Register an account with the ACME CA:
sacli AcmeRegisterAccount
When prompted, type y or Y to accept the Terms of Service (ToS).
Example output:
> Accept terms of service (ToS) for the ACME service at: https://letsencrypt.org/documents/LE-SA-v1.6-August-18-2025.pdf?:y
Terms of service https://letsencrypt.org/documents/LE-SA-v1.6-August-18-2025.pdf accepted
{'account': 'https://acme-v02.api.letsencrypt.org/acme/acct/3034868756'}
Request the certificate:
sacli AcmeRequestCertificate
This requests and installs the Let's Encrypt web SSL certificate for Access Server.
Open the Admin Web UI and Client Web UI using the domain name.
Confirm your browser indicates the connection is trusted (for example, a secure padlock icon).
Verify in the Admin Web UI:
Click Certificate Management.
The Web Server Certificate tab is displayed.
Confirm the Let's Encrypt certificate is installed.
Optional: Click See full certificate details.
Verify from the CLI:
Connect to the console and get root privileges.
Run the following command to check the SSL certificate:
sacli ConfigQuery|grep cs.cert|cut -d '"' -f 4|sed 's/\\n/\n/g'|openssl x509 -text -noout|head -n 11
Example output:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            06:58:b2:75:8e:b3:c7:e7:9f:0d:88:6a:42:94:08:bc:a7:82
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C = US, O = Let's Encrypt, CN = E7
        Validity
            Not Before: Feb  5 20:44:23 2026 GMT
            Not After : May  6 20:44:23 2026 GMT
        Subject: CN = brandon.example.com
Issue and install a web SSL certificate using an IP address
Let's Encrypt supports IP address certificates. These certificates are valid for 160 hours (just over 6 days). This option is useful if you want a trusted web connection without using a domain name. For more, refer to IP Address Certificates with Let's Encrypt.
Connect to the console and get root privileges.
Assign the IP address that will receive the certificate:
sacli --key "acme.ip_addresses.0" --value "192.0.2.5" ConfigPut
Replace 192.0.2.5 with your Access Server's public IP address.
Configure the certificate profile for IP certificates:
sacli --key "acme.cert_profile" --value "shortlived" ConfigPut
Restart Access Server services:
sacli start
Register an account with the ACME CA:
sacli AcmeRegisterAccount
When prompted, type y or Y to accept the ToS.
Example output:
> Accept terms of service (ToS) for the ACME service at: https://letsencrypt.org/documents/LE-SA-v1.6-August-18-2025.pdf?:y
Terms of service https://letsencrypt.org/documents/LE-SA-v1.6-August-18-2025.pdf accepted
{'account': 'https://acme-v02.api.letsencrypt.org/acme/acct/3034868756'}
Request the certificates from the ACME CA (Let's Encrypt):
sacli AcmeRequestCertificate
This requests and installs the Let's Encrypt web SSL certificate for Access Server.
Open the Admin Web UI and Client Web UI.
Confirm your browser indicates the connection is trusted (for example, a secure padlock icon).
Verify in the Admin Web UI:
Click Certificate Management.
The Web Server Certificate tab is displayed.
Confirm the Let's Encrypt certificate is installed.
Optional: Click See full certificate details.
Verify from the CLI:
Connect to the console and get root privileges.
Run the following command to check the SSL certificate:
sacli ConfigQuery|grep cs.cert|cut -d '"' -f 4|sed 's/\\n/\n/g'|openssl x509 -text -noout|head
Example output:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            06:58:b2:75:8e:b3:c7:e7:9f:0d:88:6a:42:94:08:bc:a7:82
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C = US, O = Let's Encrypt, CN = YE1
        Validity
            Not Before: Feb  5 20:44:23 2026 GMT
            Not After : Feb 12 20:44:23 2026 GMT
Confirm the IP appears under SubjectAltName:
sacli ConfigQuery|grep cs.cert|cut -d '"' -f 4|sed 's/\\n/\n/g'|openssl x509 -noout -ext subjectAltName
Example output:
X509v3 Subject Alternative Name:
    IP Address:192.0.2.5
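The verification commands above only print the certificate; they leave it to the reader to confirm that the SAN list actually matches every name and address that will be typed into a browser (see "Multiple domains on the same IP" and "Domain and IP in the same certificate" earlier), and that the renewal schedule from the Important note is being kept. The following Python script is an added example, not part of this tutorial or of Access Server: it post-processes the text that `openssl x509 -text -noout` prints, extracts validity and SAN entries, classifies the certificate as the 90-day domain profile or the short-lived IP profile, and computes when the ACME client is expected to renew it. The sample certificate text and the sample `sacli ConfigQuery` line are constructed for the example (modelled on the tutorial's output), the PEM body in the sample is a placeholder, and the 7-day cutoff used to recognise the short-lived profile is an assumption of the example.

```python
"""Added check for an Access Server web certificate after AcmeRequestCertificate.

Input is the text that `openssl x509 -text -noout` prints in the CLI
verification steps. The script answers three questions the tutorial leaves to
the reader: does the SAN cover every name that will be typed into a browser,
which renewal schedule applies (90-day domain profile vs. short-lived IP
profile), and has the ACME client missed its renewal window.
"""
import re
from datetime import datetime, timedelta

# Renewal policy as stated in the tutorial: 90-day domain certificates renew at
# 60 days, 160-hour IP certificates renew at 3 days.
RENEW_AFTER = {"domain": timedelta(days=60), "shortlived": timedelta(days=3)}
# Assumption (not from the tutorial): a lifetime of a week or less means the
# certificate was issued with the short-lived profile.
SHORTLIVED_MAX = timedelta(days=7)

# Constructed sample, modelled on the tutorial's IP-plus-domain example output.
SAMPLE_SHORTLIVED = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C = US, O = Let's Encrypt, CN = YE1
        Validity
            Not Before: Feb  5 20:44:23 2026 GMT
            Not After : Feb 12 20:44:23 2026 GMT
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:brandon.example1.com, IP Address:192.0.2.5
"""

# Constructed sample of one `sacli ConfigQuery` line; the PEM body is a
# placeholder, not a real certificate.
SAMPLE_CONFIGQUERY_LINE = (
    '    "cs.cert": "-----BEGIN CERTIFICATE-----\\nMIIB...placeholder...\\n'
    '-----END CERTIFICATE-----\\n",'
)


def pem_from_configquery(line: str) -> str:
    """Same transform as the tutorial's cut/sed pipeline on the cs.cert line."""
    return line.split('"')[3].replace("\\n", "\n")


def _x509_time(value: str) -> datetime:
    # openssl pads single-digit days ("Feb  5"); collapse the whitespace first.
    return datetime.strptime(" ".join(value.split()), "%b %d %H:%M:%S %Y GMT")


def parse_x509_text(text: str) -> dict:
    """Pull issuer, validity window and SAN entries out of openssl's text dump."""
    issuer = re.search(r"Issuer:\s*(.+)", text).group(1).strip()
    not_before = _x509_time(re.search(r"Not Before\s*:\s*(.+)", text).group(1))
    not_after = _x509_time(re.search(r"Not After\s*:\s*(.+)", text).group(1))
    san = set()
    m = re.search(r"Subject Alternative Name:\s*\n\s*(.+)", text)
    if m:
        for entry in m.group(1).split(","):
            kind, _, value = entry.strip().partition(":")
            san.add(("ip" if kind == "IP Address" else "dns", value.strip()))
    return {"issuer": issuer, "not_before": not_before,
            "not_after": not_after, "san": san}


def profile(cert: dict) -> str:
    lifetime = cert["not_after"] - cert["not_before"]
    return "shortlived" if lifetime <= SHORTLIVED_MAX else "domain"


def renew_at(cert: dict) -> datetime:
    """When the ACME client is expected to renew, per the tutorial's schedule."""
    return cert["not_before"] + RENEW_AFTER[profile(cert)]


def check(text: str, expected_sans: set, now) -> dict:
    """expected_sans is a set of ("dns", name) / ("ip", address) tuples;
    now is a datetime or an ISO-8601 string."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    cert = parse_x509_text(text)
    due = renew_at(cert)
    return {
        "lets_encrypt": "O = Let's Encrypt" in cert["issuer"],
        "profile": profile(cert),
        "missing_sans": sorted(set(expected_sans) - cert["san"]),
        "renew_at": due,
        # A browser warning is coming if renewal is late but the cert is still
        # valid; once past not_after the warning is already there.
        "renewal_overdue": due < now < cert["not_after"],
        "expired": now >= cert["not_after"],
    }


if __name__ == "__main__":
    # Real use: sacli ConfigQuery | grep cs.cert | cut -d '"' -f 4 \
    #   | sed 's/\\n/\n/g' | openssl x509 -text -noout > cert.txt
    report = check(SAMPLE_SHORTLIVED,
                   {("dns", "brandon.example1.com"), ("ip", "192.0.2.5")},
                   "2026-02-06T12:00:00")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Feed it the output of the tutorial's pipeline (redirect `openssl x509 -text -noout` to a file and pass its contents to `check`) with the set of DNS names and IPs you actually configured under `acme.domains.N` and `acme.ip_addresses.N`; a non-empty `missing_sans` means a browser reaching the UI by that name will still warn, and `renewal_overdue` is the signal to look at the ACME client before the short-lived certificate expires.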
Issue and install a web SSL certificate in a cluster
Important
Cluster supports the TLS-ALPN-01 challenge only.
This section covers two cluster scenarios:
Scenario 1: Two nodes, each with its own domain (node1.example.com, node2.example.com).
Scenario 2: Two nodes using round-robin DNS (RR-DNS) (for example, rrdns-nodes.example.com).
Cluster scenario 1 — two nodes with separate domain names
Connect to Node1 and get root privileges.
Set the node responsible for ACME requests and renewals:
sacli --key "acme.node" --value "Node1" ConfigPut
(Optional) If you need the exact node name:
sacli ConfigQuery | grep "node.name"
Assign the domains for both nodes:
sacli --key "acme.domains.0" --value "node1.example.com" ConfigPut
sacli --key "acme.domains.1" --value "node2.example.com" ConfigPut
Restart services on Node1:
sacli start
Register the ACME account:
sacli AcmeRegisterAccount
When prompted, type y or Y to accept the ToS.
Example output:
> Accept terms of service (ToS) for the ACME service at: https://letsencrypt.org/documents/LE-SA-v1.6-August-18-2025.pdf?:y
Terms of service https://letsencrypt.org/documents/LE-SA-v1.6-August-18-2025.pdf accepted
{'account': 'https://acme-v02.api.letsencrypt.org/acme/acct/3034868756'}
Request the certificates from the ACME CA (Let's Encrypt):
sacli AcmeRequestCertificate
The web SSL certificates from Let's Encrypt are now requested and installed in your Access Server.
Cluster scenario 2 — RR-DNS domain for multiple nodes
Connect to Node1 and obtain root privileges.
Set Node1 as responsible for ACME requests and renewals:
sacli --key "acme.node" --value "Node1" ConfigPut
(Optional) Confirm node name:
sacli ConfigQuery | grep "node.name"
Assign the RR-DNS domain:
sacli --key "acme.domains.0" --value "rrdns-nodes.example.com" ConfigPut
Restart services on Node1:
sacli start
Register the ACME account:
sacli AcmeRegisterAccount
When prompted, type y or Y to accept the ToS.
Example output:
> Accept terms of service (ToS) for the ACME service at: https://letsencrypt.org/documents/LE-SA-v1.6-August-18-2025.pdf?:y
Terms of service https://letsencrypt.org/documents/LE-SA-v1.6-August-18-2025.pdf accepted
{'account': 'https://acme-v02.api.letsencrypt.org/acme/acct/3034868756'}
Request the certificates from the ACME CA (Let's Encrypt):
sacli AcmeRequestCertificate
The web SSL certificates from Let's Encrypt are now requested and installed in your Access Server.
On each node, verify in the Admin Web UI:
Click Certificate Management.
The Web Server Certificate tab is displayed.
Confirm the Let's Encrypt certificate is installed.
Optional: Click See full certificate details.
Verify from the CLI on each node:
sacli ConfigQuery|grep cs.cert|cut -d '"' -f 4|sed 's/\\n/\n/g'|openssl x509 -text -noout|head -n 11
Example output:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            06:58:b2:75:8e:b3:c7:e7:9f:0d:88:6a:42:94:08:bc:a7:82
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C = US, O = Let's Encrypt, CN = E7
        Validity
            Not Before: Feb  5 20:44:23 2026 GMT
            Not After : May  6 20:44:23 2026 GMT
        Subject: CN = rrdns-nodes.example.com
If using multiple domains, confirm SubjectAltName includes the expected domains:
sacli ConfigQuery|grep cs.cert|cut -d '"' -f 4|sed 's/\\n/\n/g'|openssl x509 -noout -ext subjectAltName
Example output:
X509v3 Subject Alternative Name:
    DNS:node1.example.com, DNS:node2.example.com
Important
When using ACME in a cluster, you must configure the node responsible for certificate requests and renewals (for example, Node1).
If you remove that node from the cluster, assign a new node using acme.node. Example:
On the new node (for example, Node2), set it as the ACME node:
sacli --key "acme.node" --value "Node2" ConfigPut
Restart services on all cluster nodes:
sacli start
Issue and install a web SSL certificate in a failover setup
Connect to the MASTER node console and get root privileges.
Assign the domain that will receive the certificate:
sacli --key "acme.domains.0" --value "brandon-failover.example.com" ConfigPut
Replace brandon-failover.example.com with your Access Server domain.
Restart services:
sacli start
Register the ACME account:
sacli AcmeRegisterAccount
When prompted, type y or Y to accept the ToS.
Example output:
> Accept terms of service (ToS) for the ACME service at: https://letsencrypt.org/documents/LE-SA-v1.6-August-18-2025.pdf?:y
Terms of service https://letsencrypt.org/documents/LE-SA-v1.6-August-18-2025.pdf accepted
{'account': 'https://acme-v02.api.letsencrypt.org/acme/acct/3034868756'}
Request the certificate:
sacli AcmeRequestCertificate
The web SSL certificates from Let's Encrypt are now requested and installed in your Access Server.
Verify in the Admin Web UI:
Click Certificate Management.
The Web Server Certificate tab is displayed.
Confirm the Let's Encrypt certificate is installed.
Optional: Click See full certificate details.
Verify from the CLI:
Connect to the console and get root privileges.
Run the following command to check the SSL certificate:
sacli ConfigQuery|grep cs.cert|cut -d '"' -f 4|sed 's/\\n/\n/g'|openssl x509 -text -noout|head -n 11
Example output:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            06:58:b2:75:8e:b3:c7:e7:9f:0d:88:6a:42:94:08:bc:a7:82
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C = US, O = Let's Encrypt, CN = E8
        Validity
            Not Before: Feb  5 20:44:23 2026 GMT
            Not After : May  6 20:44:23 2026 GMT
        Subject: CN = brandon-failover.example.com
If failover is triggered, repeat the same verification on the new MASTER node.