I set this up earlier today and ran into two issues:

1) `occtl reload` doesn't reload certs/keys, since they live in the perm_cfg. It would be nice if it did, just to avoid kicking off connected clients during the cert refresh every ~60-90 days.

2) I added a new worker-http-handler to ocserv that would allow it to answer ACME challenges using the widely-supported "webroot" method, only to find that webroot is forbidden on TLS connections: https://github.com/letsencrypt/letsencrypt/issues/2150

Ideally, a VPN gateway could implement ACME without having to open up port 80. Has anyone found a way around this restriction?