Let's Encrypt with acme

Can acme be used with LetsEncrypt on Greenbone systems?
For the DNS challenge, the certificate would have to be generated directly on the appliance. However, according to the FAQ, only importing the certificate seems possible.

Sure, I think this is possible. What FAQ are you referring to? As long as the certificates end up in the right place for gvm to find them, they should be picked up by the web server. I believe these are the default locations:

  • /var/lib/gvm/private/CA/serverkey.pem
  • /var/lib/gvm/CA/servercert.pem
  • /var/lib/gvm/CA/cacert.pem

Maybe you can use the certbot --deploy-hook to automatically place them there with the appropriate names. Something like this should work:

certbot certonly --webroot -w /path/to/your/webroot -d yourdomain.com \
  --deploy-hook "cp /etc/letsencrypt/live/yourdomain.com/fullchain.pem /var/lib/gvm/CA/servercert.pem && \
                 cp /etc/letsencrypt/live/yourdomain.com/privkey.pem /var/lib/gvm/private/CA/serverkey.pem && \
                 cp /etc/letsencrypt/live/yourdomain.com/chain.pem /var/lib/gvm/CA/cacert.pem"

You could also use an ospd-openvas.conf file to specify alternative locations for gvm to look for the cert files, specify alternative locations via the ospd command line or start gvmd with the locations specified:

gvmd --create-scanner="OSP Scanner" --scanner-host=127.0.0.1 --scanner-port=1234 \
     --scanner-type="OSP" --scanner-ca-pub=/usr/var/lib/gvm/CA/cacert.pem \
     --scanner-key-pub=/usr/var/lib/gvm/CA/clientcert.pem \
     --scanner-key-priv=/usr/var/lib/gvm/private/CA/clientkey.pem

I guess that modifying the gvmd systemd service file is the most convenient place to specify this.

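The deploy hook from the answer above, written out as a stand-alone script (an added example, not code from the original post or from Greenbone). It assumes the default GVM paths listed above, that certbot passes the renewed lineage directory in RENEWED_LINEAGE (it does for deploy hooks), and that the web server runs as a systemd unit named gsad; it refuses to install a certificate whose public key does not match the private key, so a bad copy cannot leave the web server unable to start.

```shell
#!/bin/sh
# Added example (not from the original post): certbot --deploy-hook script that
# installs a renewed Let's Encrypt lineage into the default GVM locations.
# Assumptions: default GVM paths, RENEWED_LINEAGE set by certbot, gsad unit name.
set -eu

GVM_CERT_DIR="${GVM_CERT_DIR:-/var/lib/gvm/CA}"
GVM_KEY_DIR="${GVM_KEY_DIR:-/var/lib/gvm/private/CA}"

# Compare the public key inside the certificate with the one derived from the
# private key; works for RSA and ECDSA keys alike.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# install_gvm_certs LINEAGE_DIR CERT_DIR KEY_DIR
# Copies fullchain.pem -> servercert.pem, privkey.pem -> serverkey.pem and
# chain.pem -> cacert.pem, keeping the private key readable only by its owner.
install_gvm_certs() {
    lineage="$1"; cert_dir="$2"; key_dir="$3"
    for f in fullchain.pem privkey.pem chain.pem; do
        [ -r "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; return 1; }
    done
    cert_matches_key "$lineage/fullchain.pem" "$lineage/privkey.pem" \
        || { echo "fullchain.pem does not match privkey.pem" >&2; return 1; }
    mkdir -p "$cert_dir" "$key_dir"
    # Write to temp files and rename, so a reader never sees a half-written file.
    cp "$lineage/fullchain.pem" "$cert_dir/servercert.pem.tmp"
    cp "$lineage/chain.pem"     "$cert_dir/cacert.pem.tmp"
    cp "$lineage/privkey.pem"   "$key_dir/serverkey.pem.tmp"
    chmod 0644 "$cert_dir/servercert.pem.tmp" "$cert_dir/cacert.pem.tmp"
    chmod 0600 "$key_dir/serverkey.pem.tmp"
    mv "$cert_dir/servercert.pem.tmp" "$cert_dir/servercert.pem"
    mv "$cert_dir/cacert.pem.tmp"     "$cert_dir/cacert.pem"
    mv "$key_dir/serverkey.pem.tmp"   "$key_dir/serverkey.pem"
}

# When invoked by certbot, install the renewed lineage and restart the web server.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_gvm_certs "$RENEWED_LINEAGE" "$GVM_CERT_DIR" "$GVM_KEY_DIR"
    command -v systemctl >/dev/null && systemctl restart gsad
fi
```

Point certbot at it with `--deploy-hook /path/to/this-script.sh`; certbot runs it only after a successful issuance or renewal.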
Note that the description by @rippledj is valid only for the Greenbone Community Edition.

For the Greenbone Enterprise Appliances, the configuration options are limited to those described in 7 Managing the Greenbone Operating System — Greenbone Enterprise Appliance 22.04.18 documentation.
