From 32e19144eb063759794b9d0bc6f8d6acfe440de6 Mon Sep 17 00:00:00 2001
From: Jack Lovell
Date: Sun, 31 May 2026 15:49:39 +0100
Subject: [PATCH] ocserv: support custom server SSL certificate
Add UCI options for the path to the server's SSL certificate and private key. This enables the use of a certificate provided by an external certificate authority instead of the default self-signed certificate. The self-signed certificate is still produced if it doesn't already exist, and is used by default. So this change should be transparent to existing users.
Fixes #23099.
Signed-off-by: Jack Lovell
---
net/ocserv/Makefile | 2 +-
net/ocserv/README | 27 ++++++++++++++++++++++++++-
net/ocserv/files/ocserv.conf.template | 4 ++--
net/ocserv/files/ocserv.init | 8 ++++++--
4 files changed, 35 insertions(+), 6 deletions(-)
diff --git a/net/ocserv/Makefile b/net/ocserv/Makefile
index c0c001f9b28d78..89b60055697f6d 100644
--- a/net/ocserv/Makefile
+++ b/net/ocserv/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=ocserv
 PKG_VERSION:=1.3.0
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 PKG_BUILD_FLAGS:=no-mips16
 PKG_BUILD_DIR :=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
diff --git a/net/ocserv/README b/net/ocserv/README
index a883a07667755d..995c6eb9261f99 100644
--- a/net/ocserv/README
+++ b/net/ocserv/README
@@ -7,7 +7,10 @@ It is recommended to setup a dynamic DNS address with openwrt prior to starting the server. That is because during the first startup a certificate file which will contain the dynamic DNS name will be created. You can always regenerate the certificate by deleting
-/etc/ocserv/server-key.pem.
+/etc/ocserv/server-key.pem. Alternatively, an externally-supplied
+certificate may be provided (obtained for example from Let's Encrypt
+using the acme package); this too will require the server's DNS name
+to match that of the certicate.
 There are two approaches to setup the VPN. The proxy-arp approach (1) which provides clients with addresses of the LAN, and the "forwarding"
@@ -179,6 +182,28 @@ config rule Note, that the last two rules, enable connections to port 443 from the Internet. That is the port used by OpenConnect VPN.
+Using an externally-supplied server certificate
+===============================================
+
+By default, a self-signed SSL certificate is used to identify the server.
+A certificate obtained by an external Certificate Authority (such as
+Let's Encrypt) may be used instead.
+
+First, obtain the certificate and private key (for example using acme):
+it will be installed somewhere like `/etc/acme/`. The two
+relevant files are .key for the private key, and
+fullchain.cer for the certificate containing the full chain of trust.
+
+Then add the following configuration to the ocserv configuration file:
+
+```
+----/etc/config/ocserv-------------------------------------------
+config ocserv 'config'
+ option server_key
+ option server_cert
+```
+
+
 Starting the server
 ===================
diff --git a/net/ocserv/files/ocserv.conf.template b/net/ocserv/files/ocserv.conf.template
index 0d3cc69568fa46..82c6c748fbeb4f 100644
--- a/net/ocserv/files/ocserv.conf.template
+++ b/net/ocserv/files/ocserv.conf.template
@@ -99,8 +99,8 @@ try-mtu-discovery = false
 #
 # There may be multiple certificate and key pairs and each key
 # should correspond to the preceding certificate.
-server-cert = /etc/ocserv/server-cert.pem
-server-key = /etc/ocserv/server-key.pem
+server-cert = |SERVER_CERT|
+server-key = |SERVER_KEY|
 # Diffie-Hellman parameters. Only needed if you require support
 # for the DHE ciphersuites (by default this server supports ECDHE).
diff --git a/net/ocserv/files/ocserv.init b/net/ocserv/files/ocserv.init
index 63b0b4f179db94..a0218d766e9afb 100755
--- a/net/ocserv/files/ocserv.init
+++ b/net/ocserv/files/ocserv.init
@@ -23,6 +23,8 @@ setup_config() {
 config_get ping_leases $1 ping_leases "0"
 config_get split_dns $1 split_dns "0"
 config_get default_domain $1 default_domain ""
+ config_get server_cert $1 server_cert "/etc/ocserv/server-cert.pem"
+ config_get server_key $1 server_key "/etc/ocserv/server-key.pem"
 # Enable proxy arp, and make sure that ping leases is set to true in that case,
 # to prevent conflicts.
@@ -103,6 +105,8 @@ setup_config() {
 -e "s~|NETMASK|~$netmask~g" \
 -e "s~|IPV6ADDR|~$ip6addr~g" \
 -e "s~|ENABLE_IPV6|~$enable_ipv6~g" \
+ -e "s~|SERVER_CERT|~$server_cert~g" \
+ -e "s~|SERVER_KEY|~$server_key~g" \
 /etc/ocserv/ocserv.conf.template > /var/etc/ocserv.conf
 test -f /etc/ocserv/ocserv.conf.local && cat /etc/ocserv/ocserv.conf.local >> /var/etc/ocserv.conf
@@ -170,9 +174,9 @@ start_service() {
 --outfile /etc/ocserv/ca.pem >/dev/null 2>&1
 }
- #generate server certificate/key
+ #generate default server certificate/key
 [ ! -f /etc/ocserv/server-key.pem ] && [ -x /usr/bin/certtool ] && {
- logger -t ocserv "Generating server certificate..."
+ logger -t ocserv "Generating default server certificate..."
 mkdir -p /etc/ocserv/pki/
 certtool --bits 2048 --generate-privkey --outfile /etc/ocserv/server-key.pem >/dev/null 2>&1
 echo "cn=$hostname" >/etc/ocserv/pki/server.tmpl
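Review bot: The new `server_cert` and `server_key` values are written into the generated config without any check that the files exist or are readable, so a mistyped UCI path only shows up later as an ocserv start failure with no hint in the init script's own log. A guard right after the two `config_get` lines, e.g. `[ -r "$server_cert" ] && [ -r "$server_key" ] || logger -t ocserv "server_cert/server_key not readable: $server_cert $server_key"`, would make the misconfiguration visible at the point it is read. The two defaults also duplicate the `/etc/ocserv/server-key.pem` and `server-cert.pem` paths that the certtool block in start_service hard-codes, so a comment such as `# defaults must match the files generated in start_service` would help keep them from drifting apart. setup_config starts and ends outside this hunk.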
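Review bot: `$server_cert` and `$server_key` are interpolated into the sed `s~…~…~g` expressions unescaped, and unlike the netmask and address values already handled this way a filesystem path can legitimately contain `~` (the chosen delimiter), `&` or `\`, each of which changes the meaning of the command: `&` would insert the literal `|SERVER_CERT|` placeholder into the path, and `~` would most likely make sed reject the expression and leave /var/etc/ocserv.conf incomplete, so ocserv starts with a wrong or missing `server-cert`/`server-key` line. Escaping the two values before the sed call, e.g. `server_cert=$(printf '%s' "$server_cert" | sed 's/[~&\\]/\\&/g')` and the same for `server_key`, keeps any path intact. setup_config starts and ends outside this hunk.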