Using a wildcard cert from LE, this is generated on another host for several internal domains. While I can certainly do via GUI, I'd rather add this into the existing process like the rest of my internal hosts. I've searched for a bit, dug through the file system (after uploading manually), but to no avail. Any pointers to docu?
Thanks.
--DJ
To answer my own question...the active cert and the key are concatenated at /var/etc/cert.pem. Where the source for this file is stored after adding to the GUI, I do not know. Whether I can simply overwrite this file, I am unsure.
The certificates created or imported via the GUI are located in the configuration file /conf/config.xml under
<opnsense><ca><crt>
Thank you hbc! Exactly what I was looking for.
--DJ
To complete this for the archives:
Certs themselves are located in /conf/config.xml at <opnsense><ca><cert><refid/><desc/><crt/><prv/>...
Probably obvious, but the text that is inserted into the GUI is base64 encoded in the crt and prv fields (from CLI `cat file | openssl base64`), desc is the plain text description, and the refid value is PHP's uniqid (from CLI `php -r "echo uniqid();"`).
The refid field is earlier used in the Web GUI config at <opnsense><system><webgui><protocol>https</protocol><ssl-certref/>
Okay, so that's easy enough - and probably easier if I spoke PHP. :-)
Only really dumb question remains. :-) How to restart/reload webgui from CLI?
--DJ
So, just to bring a completed example, after copying MyCert.crt and MyCert.key via ssh to root's home directory, I cobbled together the following script:
#!/bin/sh
# Install /root/MyCert.crt + /root/MyCert.key as the active Web GUI certificate:
# add a <cert> entry to /conf/config.xml, point <ssl-certref> at it, replace
# /var/etc/cert.pem and restart the GUI. Backups are kept with a date suffix.
set -e
UNIQID=$(/usr/local/bin/php -r "echo uniqid();")
DATE=$(date +%Y%m%d)
CRT="/root/MyCert.crt"
PRV="/root/MyCert.key"
# Line number of the first <cert> element; the new entry is inserted after it.
FIRSTLN=$(grep -m1 -n "<cert>" /conf/config.xml | cut -d ":" -f 1)
DESCR="My Certificate $DATE"
if test -f "$CRT" && test -f "$PRV"; then
    if [ -z "$FIRSTLN" ]; then
        echo "No <cert> element found in /conf/config.xml. Exiting."
        exit 1
    fi
    mkdir -p /root/certtemp
    cd /root/certtemp
    # The GUI stores crt/prv as single-line base64 of the whole PEM file.
    CRTE=$(/usr/bin/openssl base64 -in "$CRT" | tr -d '\n')
    PRVE=$(/usr/bin/openssl base64 -in "$PRV" | tr -d '\n')
    DESC="<descr>$DESCR</descr>"
    CERT="<crt>$CRTE</crt>"
    PRIV="<prv>$PRVE</prv>"
    REFID="<refid>$UNIQID</refid>"
    # The fragment closes the new entry and re-opens <cert>, so the existing
    # entry that followed the matched line stays intact.
    printf ' %s\n' "$REFID" "$DESC" "$CERT" "$PRIV" "</cert>" "<cert>" > temp.txt
    cp /conf/config.xml config.xml
    sed "${FIRSTLN}r temp.txt" config.xml > config.xml.tmp
    sed "s@<ssl-certref>.*</ssl-certref>@<ssl-certref>${UNIQID}</ssl-certref>@" \
        config.xml.tmp > config.xml.new
    # /var/etc/cert.pem is the certificate followed by the key.
    cat "$CRT" "$PRV" > cert.pem
    cp /conf/config.xml "/conf/config.xml.$DATE"
    cp config.xml.new /conf/config.xml
    cp /var/etc/cert.pem "/var/etc/cert.pem.$DATE"
    cp cert.pem /var/etc/cert.pem
    /usr/local/etc/rc.restart_webgui
    # Cleanup
    cd /root
    rm -rf certtemp/
    rm "$CRT" "$PRV"
    echo "New certificate $DESCR installed."
else
    echo "Nothing to do. Exiting."
fi
This seems to work well enough. Bad me! I exceeded my weekly certs by not using the LE test environment. Obviously, this needs to be tested after my punishment (a week), but it worked locally. If anybody sees something bad, please speak up.
Thanks.
--DJ
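The config.xml layout described earlier in the thread (refid from PHP's uniqid, base64 crt/prv fields, and the <system><webgui><ssl-certref> pointer) can also be edited with an XML parser instead of line-number sed, which fails in surprising ways if the first "<cert>" match is not where the script expects. The following is an added example, not DJ's script and not OPNsense's own code; OPNsense ships a python3 interpreter, so it runs on the box. It works on a constructed config fragment embedded below (not a real config.xml), uses placeholder PEM text rather than real key material, and assumes only the element names the thread lists. The php_style_uniqid helper reproduces uniqid()'s format (8 hex digits of seconds plus 5 of microseconds), and list_certs is the check worth running afterwards: which entry the GUI actually points at, and whether each crt/prv field decodes to a PEM block at all.

```python
"""Add a Web GUI certificate to an OPNsense config.xml with an XML parser.

Added example for this thread, not the poster's script or OPNsense code.
Assumes the layout the thread describes: <opnsense><cert><refid/><descr/>
<crt/><prv/> and <opnsense><system><webgui><ssl-certref/>.
"""
import base64
import binascii
import time
import xml.etree.ElementTree as ET

# Constructed stand-ins for MyCert.crt / MyCert.key (not real key material).
NEW_CERT_PEM = b"-----BEGIN CERTIFICATE-----\nTUlJQ0NPTlNUUlVDVEVE\n-----END CERTIFICATE-----\n"
NEW_KEY_PEM = b"-----BEGIN PRIVATE KEY-----\nTUlJQ0NPTlNUUlVDVEVE\n-----END PRIVATE KEY-----\n"


def php_style_uniqid(now=None):
    """Reproduce PHP uniqid(): 8 hex digits of seconds + 5 hex digits of microseconds."""
    now = time.time() if now is None else now
    sec = int(now)
    usec = int((now - sec) * 1_000_000)
    return f"{sec:08x}{usec:05x}"


def pem_to_config_b64(pem):
    """Encode PEM text the way the GUI stores it: one-line base64 of the whole file
    (same bytes as `openssl base64 | tr -d '\\n'`)."""
    return base64.b64encode(pem).decode("ascii")


def build_sample_config():
    """Constructed config.xml fragment with one existing placeholder cert."""
    old_crt = pem_to_config_b64(b"-----BEGIN CERTIFICATE-----\nT0xE\n-----END CERTIFICATE-----\n")
    old_prv = pem_to_config_b64(b"-----BEGIN PRIVATE KEY-----\nT0xE\n-----END PRIVATE KEY-----\n")
    return f"""<?xml version="1.0"?>
<opnsense>
  <system>
    <webgui>
      <protocol>https</protocol>
      <ssl-certref>5ddf6e3a1b2c3</ssl-certref>
    </webgui>
  </system>
  <cert>
    <refid>5ddf6e3a1b2c3</refid>
    <descr>Web GUI default</descr>
    <crt>{old_crt}</crt>
    <prv>{old_prv}</prv>
  </cert>
</opnsense>
"""


def add_cert(root, descr, cert_pem, key_pem, refid=None, set_webgui=True):
    """Insert a <cert> entry and (optionally) point the Web GUI at it. Returns the refid."""
    refid = refid or php_style_uniqid()
    entry = ET.Element("cert")
    for tag, text in (("refid", refid), ("descr", descr),
                      ("crt", pem_to_config_b64(cert_pem)),
                      ("prv", pem_to_config_b64(key_pem))):
        ET.SubElement(entry, tag).text = text
    # Insert ahead of the first existing <cert>, mirroring the thread's script.
    children = list(root)
    existing = [i for i, c in enumerate(children) if c.tag == "cert"]
    root.insert(existing[0] if existing else len(children), entry)
    if set_webgui:
        ref = root.find("./system/webgui/ssl-certref")
        if ref is None:
            raise ValueError("config has no <system><webgui><ssl-certref>")
        ref.text = refid
    return refid


def _decodes_to_pem(b64_text, marker):
    """True if the field is valid base64 whose content starts with the PEM marker."""
    try:
        return base64.b64decode(b64_text or "", validate=True).startswith(marker)
    except binascii.Error:
        return False


def list_certs(root):
    """Summarise every <cert>: refid, description, whether the GUI uses it, and
    whether crt/prv decode to PEM blocks (catches a bad base64 paste)."""
    active = root.findtext("./system/webgui/ssl-certref")
    return [{
        "refid": c.findtext("refid"),
        "descr": c.findtext("descr"),
        "active": c.findtext("refid") == active,
        "crt_is_pem": _decodes_to_pem(c.findtext("crt"), b"-----BEGIN CERTIFICATE-----"),
        "prv_is_pem": _decodes_to_pem(c.findtext("prv"), b"-----BEGIN"),
    } for c in root.findall("cert")]


def demo():
    """Run the whole flow on the constructed config; returns (root, new refid)."""
    root = ET.fromstring(build_sample_config())
    refid = add_cert(root, "My Certificate 20191128", NEW_CERT_PEM, NEW_KEY_PEM)
    return root, refid


if __name__ == "__main__":
    root, refid = demo()
    for c in list_certs(root):
        print(c)
    # For a real box: back up /conf/config.xml first, then
    # ET.ElementTree(root).write(path, encoding="utf-8", xml_declaration=True)
    # and restart the GUI as the thread describes.
```

The flow is the same as the shell script (new entry first, ssl-certref updated, old entry untouched), but a parse error in config.xml raises before anything is written instead of producing a half-edited file, and list_certs gives a quick post-install check that the active refid really resolves to a certificate.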
Quote from: DJ_L on November 28, 2019, 08:55:18 AM
Only really dumb question remains. :-) How to restart/reload webgui from CLI?
--DJ
Try:
/usr/local/sbin/pluginctl webgui restart