OPNsense Forum
English Forums => Tutorials and FAQs => Topic started by: peterdeg on December 25, 2022, 05:02:52 am
-
Does anyone have simple, step-by-step instructions on getting the sftp automation to work? It's doing my head in. :-\
I just want to upload the new certs to a folder on an Ubuntu box.
Going in circles as to what to put in the 'Host Key' field and what I need to do on the Ubuntu box itself.
User to be used on Ubuntu has been created and I can successfully log in as it via command-line ssh and sftp.
TIA
-
Ok, think I've got it working (well, I got the green "Connection and upload test successful" message)
I didn't take full notes as I've been trying all sorts of things over the last week, but I think this is how I did it ::)
(Intermediate steps may be missing)
- On the Ubuntu box, create a user id (non-admin) for opnsense to log into using sftp
- ssh into the firewall and get the contents of /var/etc/acme-client/sftp-config/id.ecdsa.pub
- ssh into the Ubuntu box as the id that will be used by opnsense acme for the sftp.
- Add the contents of the id.ecdsa.pub file to the .ssh/authorized_keys file.
- ssh into the firewall as admin account.
- sudo su - to get the opnsense menu
- Option 8 to get the shell
- sftp to the Ubuntu box as the id that will be used by opnsense acme for the sftp.
- Enter 'yes' to accept the fingerprint
- On the acme automations gui, create the new automation and select the 'upload certificate via SFTP' Run Command.
- SFTP Host - the host name of the Ubuntu box
- Host Key - leave blank
- Username - the id that will be used by opnsense acme for the sftp
- Identity Type - leave as ECDSA
- Remote Path - leave blank.
- Hit 'Save' (possibly overkill)
- Re-edit the automation and hit the 'Test Connection' button
-
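Two of the steps in the post above come down to trusting key material: answering 'yes' to the server fingerprint, and pasting id.ecdsa.pub into authorized_keys. The following is an added Python example, not part of the original thread and not one of OPNsense's own scripts. It computes the SHA256 fingerprint the way OpenSSH displays it so the value offered to the firewall can be compared with what the Ubuntu admin sees from `ssh-keygen -lf` on the server's host key, and it builds a locked-down authorized_keys line using the standard OpenSSH `restrict` and `from=` options (a suggestion added here; the original poster used a plain key line). The key blobs and the 192.0.2.x addresses are constructed test data, not real keys or hosts.

```python
import base64
import hashlib

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def _ssh_string(data):
    """Length-prefixed string, the building block of the OpenSSH key wire format."""
    return len(data).to_bytes(4, "big") + data


def parse_openssh_pubkey(line):
    """Split 'type base64 [comment]' (or a known_hosts 'host type base64 [comment]' line)
    into (key_type, blob, comment). Raises ValueError if the blob does not encode the
    stated type, which catches a truncated or mangled paste before it reaches authorized_keys."""
    fields = line.strip().split()
    if len(fields) >= 3 and fields[1].startswith(KEY_TYPE_PREFIXES):
        fields = fields[1:]  # known_hosts line: drop the leading host field
    if len(fields) < 2 or not fields[0].startswith(KEY_TYPE_PREFIXES):
        raise ValueError("not an OpenSSH public key line")
    key_type, b64 = fields[0], fields[1]
    comment = " ".join(fields[2:])
    blob = base64.b64decode(b64, validate=True)
    # The wire format opens with the key type as a length-prefixed string; it must agree
    # with the text field.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type field does not match the encoded blob")
    return key_type, blob, comment


def sha256_fingerprint(blob):
    """OpenSSH-style fingerprint: 'SHA256:' plus unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_matches(known_hosts_line, expected):
    """True when the key the server offers (the line sftp/ssh shows or stores in known_hosts)
    has the fingerprint the server admin reports out of band; this is the check to make
    before typing 'yes'."""
    _, blob, _ = parse_openssh_pubkey(known_hosts_line)
    return sha256_fingerprint(blob) == expected


def restricted_authorized_key(pubkey_line, from_addr):
    """Prefix the client's public key with authorized_keys options so it is only accepted
    from the firewall's address and gets no shell pty, forwarding or rc files (sftp still works)."""
    key_type, blob, comment = parse_openssh_pubkey(pubkey_line)
    b64 = base64.b64encode(blob).decode()
    return f'restrict,from="{from_addr}" {key_type} {b64} {comment}'.rstrip()


# Constructed test data: wire-format blobs filled with dummy bytes, not real keys.
SERVER_HOST_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SERVER_KNOWN_HOSTS_LINE = "192.0.2.10 ssh-ed25519 " + base64.b64encode(SERVER_HOST_BLOB).decode()
CLIENT_PUBKEY_LINE = ("ecdsa-sha2-nistp256 " + base64.b64encode(
    _ssh_string(b"ecdsa-sha2-nistp256") + _ssh_string(b"nistp256") + _ssh_string(b"\x04" + bytes(64))
).decode() + " acme-client@opnsense")

if __name__ == "__main__":
    # Stand-in for what the server admin reads from `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub`.
    reported = sha256_fingerprint(SERVER_HOST_BLOB)
    print("host fingerprint:", reported)
    print("matches offered key:", fingerprint_matches(SERVER_KNOWN_HOSTS_LINE, reported))
    print("authorized_keys line:", restricted_authorized_key(CLIENT_PUBKEY_LINE, "192.0.2.1"))
```

In practice the known_hosts line comes from the firewall's own ~/.ssh/known_hosts (or `ssh-keyscan` of the Ubuntu box), and the fingerprint to compare against is read on the server itself, not over the same connection being verified.
-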
If there are any errors, do you know where you can find the logs for the automations?
-
Well, I know, old topic, old thread.
Anyway, after searching and googling for days I have to push this up hoping someone jumps on.
Here is what works:
From the cli of the opnsense:
#:/local/opnsense/scripts/OPNsense/AcmeClient # ./upload_sftp.php --log --host=192.168.xx.15 --user=xx test-connection
INFO: Logging to stdout enabled
INFO: No host key specified, using existing known_hosts entry for '192.168.xx.15'
INFO: SFTP: Connected to 192.168.xx.15.
INFO: SFTP: sftp> pwd
INFO: SFTP: sftp> ls -la
INFO: SFTP: sftp> put '/tmp/sftp-upload-khpkxO' 'sftp-upload-khpkxO'
INFO: SFTP: Uploading /tmp/sftp-upload-khpkxO to /home/xx/sftp-upload-khpkxO
INFO: SFTP: sftp> rm '/home/xx/sftp-upload-khpkxO'
INFO: SFTP: Removing /home/xx/sftp-upload-khpkxO
INFO: SFTP: sftp> exit
{
"actions": [
"connecting",
"connected",
"upload-testing",
"upload-tested"
],
"success": true,
"remote": {
"host": "192.168.xx.15",
"port": 22,
"user": "xx",
"path": "/home/xx"
}
}
and:
#:/usr/local/opnsense/scripts/OPNsense/AcmeClient # ./upload_sftp.php --log --certificates=mail.xx.de --host=192.168.xx.15 --user=xx
INFO: Logging to stdout enabled
INFO: No host key specified, using existing known_hosts entry for '192.168.xx.15'
INFO: SFTP: Connected to 192.168.xx.15.
INFO: SFTP: sftp> pwd
INFO: SFTP: sftp> cd '/home/xx/mail.xx.de'
INFO: SFTP: stat remote: No such file or directory
INFO: Creating remote directory: /home/xx/mail.xx.de
INFO: SFTP: sftp> pwd
INFO: SFTP: sftp> mkdir '/home/xx/mail.xx.de'
INFO: SFTP: sftp> cd '/home/xx/mail.xx.de'
INFO: SFTP: sftp> pwd
INFO: SFTP: sftp> ls -la
INFO: SFTP: sftp> put '/tmp/sftp-upload-f1fIwZ' 'ca.pem'
INFO: SFTP: Uploading /tmp/sftp-upload-f1fIwZ to /home/xx/mail.xx.de/ca.pem
INFO: SFTP: sftp> put '/tmp/sftp-upload-6ytT6R' 'cert.pem'
INFO: SFTP: Uploading /tmp/sftp-upload-6ytT6R to /home/xx/mail.xx.de/cert.pem
INFO: SFTP: sftp> put '/tmp/sftp-upload-PZO74I' 'fullchain.pem'
INFO: SFTP: Uploading /tmp/sftp-upload-PZO74I to /home/xx/mail.xx.de/fullchain.pem
INFO: SFTP: sftp> put '/tmp/sftp-upload-SgMDcZ' 'key.pem'
INFO: SFTP: Uploading /tmp/sftp-upload-SgMDcZ to /home/xx/mail.xx.de/key.pem
INFO: SFTP: sftp> exit
Further:
On the target server:
ls -la mail.xx.de/
insgesamt 28
drwxr-xr-x 2 xx xx 4096 29. Dez 19:01 .
drwx------ 7 xx xx 4096 29. Dez 19:01 ..
-rw------- 1 xx xx 3750 29. Dez 19:01 ca.pem
-rw------- 1 xx xx 1537 29. Dez 19:01 cert.pem
-rw------- 1 xx xx 5287 29. Dez 19:01 fullchain.pem
-rw------- 1 xx xx 288 29. Dez 19:01 key.pem
All there - the Let's Encrypt cert was copied.
Question: why on earth does this not work using the GUI acme automation? What's wrong here?
I'm stuck. Any help is greatly appreciated.
-
Duhhh, stupid me!
I copied a certificate and forgot to change the automation.
Sorry for the whistle, all working as expected.