OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: peterdeg on December 25, 2022, 05:02:52 am

Title: ACME sftp automation
Post by: peterdeg on December 25, 2022, 05:02:52 am

Does anyone have simple, step-by-step instructions on getting the sftp automation to work? It's doing my head in.  :-\
I just want to upload the new certs to a folder on an Ubuntu box.

Going in circles as to what to put in the 'Host Key' field and what I need to do on the Ubuntu box itself.

User to be used on Ubuntu has been created and I can successfully log in as it via command-line ssh and sftp.

TIA

Title: Re: ACME sftp automation
Post by: peterdeg on December 28, 2022, 02:40:54 am

Ok, think I've got it working (well, I got the green "Connection and upload test successful" message)
I didn't take full notes as I've been trying all sorts of things over the last week, but I think this is how I did it  ::)
(Intermediate steps may be missing)

• On the ubuntu box, create a user id (non admin), for opnsense to log into using sftp
• ssh into the firewall and get the contents of /var/etc/acme-client/sftp-config/id.ecdsa.pub
• ssh into the ubuntu box as the id that will be used by opnsense acme for the sftp.
• Add the contents of the id.ecdsa.pub file to the .ssh/authorized_keys file.
• ssh into the firewall as admin account.
• sudo su - to get the opnsense menu
• Option 8 to get the shell
• sftp to the ubuntu box as the id that will be used by opnsense acme for the sftp.
• Enter 'yes' to accept the fingerprint
• On the acme automations gui, create the new automation and select the 'upload certificate via SFTP' Run Command.
  
  • SFTP Host - the host name of the ubuntu box
  • Host Key - leave blank
  • Username - the id that will be used by opnsense acme for the sftp
  • Identity Type - leave as ECDSA
  • Remote Path - leave blank.
  • Hit 'Save' (possibly overkill)
  • Re-edit the automation and hit the 'Test Connection' button

Title: Re: ACME sftp automation
Post by: GregTheHun on May 12, 2023, 10:03:13 pm

If there are any errors, do you know where you can find the logs for the automations?

Title: Re: ACME sftp automation
Post by: stefan21 on December 29, 2023, 07:07:57 pm

Well, I know old topic, old thread.

Anyway, after searching and googling for days I have to push this up hoping someone jumps on.

Here is what works:

From the cli of the opnsense:

#:/local/opnsense/scripts/OPNsense/AcmeClient # ./upload_sftp.php --log --host=192.168.xx.15 --user=xx test-connection
INFO: Logging to stdout enabled
INFO: No host key specified, using existing known_hosts entry for '192.168.xx.15'
INFO: SFTP: Connected to 192.168.xx.15.
INFO: SFTP: sftp> pwd
INFO: SFTP: sftp> ls -la
INFO: SFTP: sftp> put '/tmp/sftp-upload-khpkxO' 'sftp-upload-khpkxO'
INFO: SFTP: Uploading /tmp/sftp-upload-khpkxO to /home/xx/sftp-upload-khpkxO
INFO: SFTP: sftp> rm '/home/xx/sftp-upload-khpkxO'
INFO: SFTP: Removing /home/xx/sftp-upload-khpkxO
INFO: SFTP: sftp> exit
{
    "actions": [
        "connecting",
        "connected",
        "upload-testing",
        "upload-tested"
    ],
    "success": true,
    "remote": {
        "host": "192.168.xx.15",
        "port": 22,
        "user": "xx",
        "path": "/home/xx"
    }
}

and:

#:/usr/local/opnsense/scripts/OPNsense/AcmeClient # ./upload_sftp.php --log --certificates=mail.xx.de --host=192.168.xx.15 --user=xx
INFO: Logging to stdout enabled
INFO: No host key specified, using existing known_hosts entry for '192.168.xx.15'
INFO: SFTP: Connected to 192.168.xx.15.
INFO: SFTP: sftp> pwd
INFO: SFTP: sftp> cd '/home/xx/mail.xx.de'
INFO: SFTP: stat remote: No such file or directory
INFO: Creating remote directory: /home/xx/mail.xx.de
INFO: SFTP: sftp> pwd
INFO: SFTP: sftp> mkdir '/home/xx/mail.xx.de'
INFO: SFTP: sftp> cd '/home/xx/mail.xx.de'
INFO: SFTP: sftp> pwd
INFO: SFTP: sftp> ls -la
INFO: SFTP: sftp> put '/tmp/sftp-upload-f1fIwZ' 'ca.pem'
INFO: SFTP: Uploading /tmp/sftp-upload-f1fIwZ to /home/xx/mail.xx.de/ca.pem
INFO: SFTP: sftp> put '/tmp/sftp-upload-6ytT6R' 'cert.pem'
INFO: SFTP: Uploading /tmp/sftp-upload-6ytT6R to /home/xx/mail.xx.de/cert.pem
INFO: SFTP: sftp> put '/tmp/sftp-upload-PZO74I' 'fullchain.pem'
INFO: SFTP: Uploading /tmp/sftp-upload-PZO74I to /home/xx/mail.xx.de/fullchain.pem
INFO: SFTP: sftp> put '/tmp/sftp-upload-SgMDcZ' 'key.pem'
INFO: SFTP: Uploading /tmp/sftp-upload-SgMDcZ to /home/xx/mail.xx.de/key.pem
INFO: SFTP: sftp> exit

Further:

On the target server:

ls -la mail.xx.de/
insgesamt 28
drwxr-xr-x 2 xx xx 4096 29. Dez 19:01 .
drwx------ 7 xx xx 4096 29. Dez 19:01 ..
-rw------- 1 xx xx 3750 29. Dez 19:01 ca.pem
-rw------- 1 xx xx 1537 29. Dez 19:01 cert.pem
-rw------- 1 xx xx 5287 29. Dez 19:01 fullchain.pem
-rw------- 1 xx xx  288 29. Dez 19:01 key.pem

All there - the let's encrypt cert was copied.

Question: why on heavens earth does this not work using the gui acme automation? What's wrong here?

I'm stuck. Any help is greatly appreciated. 

Title: Re: ACME sftp automation
Post by: stefan21 on December 30, 2023, 11:34:19 pm

Duhhh, stupid me!

I copied a certificate and forgot to change the automation.

Sorry for the whistle, all working as expected.