OPNsense Forum

Archive => 21.7 Legacy Series => Topic started by: Tattoofreak on January 27, 2022, 03:53:52 PM

Title: Import certificates by command line?
Post by: Tattoofreak on January 27, 2022, 03:53:52 PM
As I have an external certificate server I would like to avoid using the ACME plugin. To automate the import of renewed certificates, I have found this topic:
https://forum.opnsense.org/index.php?topic=15139.0
Seems like it could be a hassle (if not now, maybe in the future) using that provided script.
There must be a way to import a renewed certificate via command line, right? If it's possible via GUI it's possible via command line too. My question is: How? Any OPNsense expert knows how to do this?

Thank you!
Title: Re: Import certificates by command line?
Post by: bartjsmit on January 27, 2022, 07:08:43 PM
I've crafted a script for cert distribution which covers OPNsense: https://github.com/bartsmit/distcerts

Bart...
Title: Re: Import certificates by command line?
Post by: Tattoofreak on January 28, 2022, 10:31:56 AM
That's great, thanks!
Unfortunately it does not work yet.
The php script prints the following message:

The certificate subject does not match the hostname <opnsense.mydomain.com>
CN=mydomain.com

My certificate is indeed a wildcard certificate so this should work, shouldn't it?
Title: Re: Import certificates by command line?
Post by: bartjsmit on January 28, 2022, 10:56:58 AM
Quote from: Tattoofreak on January 28, 2022, 10:31:56 AM
That's great, thanks!
Unfortunately it does not work yet.
The php script prints the following message:

The certificate subject does not match the hostname <opnsense.mydomain.com>
CN=mydomain.com

My certificate is indeed a wildcard certificate so this should work, shouldn't it?
Yes, absolutely.

Is the opnsense-import-certificate.php in the same directory on the firewall where you are running the script from?
Are you root on the firewall?
Did you chmod 755 both scripts?
Title: Re: Import certificates by command line?
Post by: Tattoofreak on January 28, 2022, 11:19:30 AM
Yes, everything is within the /root directory in opnsense (I have also tried to run the PHP script directly on the opnsense command line with root user, btw.)

As I have already set up an acme.sh script on my own certificate server I am only using the script from here:
https://github.com/pluspol-interactive/opnsense-import-certificate

Just for clarity: My script to get the certificate looks like this:
#!/bin/sh
/root/.acme.sh/acme.sh --accountemail "foo@bar.com" --issue --dns dns_gandi_livedns -d '*.myDomain.com' -d myDomain.com


The certificate works great with all my public webservices.

Do you see any issues the way I am doing it?
Title: Re: Import certificates by command line?
Post by: Tattoofreak on January 28, 2022, 12:21:13 PM
Maybe the problem is that I have two domains within a single certificate? Could this confuse the php script?

e.g.

*.myDomain.com
myDomain.com
Title: Re: Import certificates by command line?
Post by: bartjsmit on January 28, 2022, 01:58:28 PM
Quote from: Tattoofreak on January 28, 2022, 12:21:13 PM
Maybe the problem is that I have two domains within a single certificate? Could this confuse the php script?

e.g.

*.myDomain.com
myDomain.com


No, definitely not - all Letsencrypt wildcards have both.

Do you have the fullchain.pem and privkey.pem files in the directory as well?
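The error quoted earlier in the thread compares the firewall hostname against the subject CN (CN=mydomain.com), while a Let's Encrypt wildcard carries both *.myDomain.com and myDomain.com as Subject Alternative Names. The following is an added example, not code from OPNsense, acme.sh or the opnsense-import-certificate.php script (the thread does not say what that script compares internally). It implements the hostname matching rules from RFC 6125 section 6.4.3 and shows, on names constructed to mirror the thread, that opnsense.mydomain.com is covered only through the *.mydomain.com SAN entry, so a check that looks at the CN alone reports exactly the mismatch seen above. The certificate names are constructed inline; nothing is read from a real PEM file.

```python
"""Check whether an X.509 certificate's names cover a hostname.

Added example for this thread; NOT code from OPNsense, acme.sh or the
opnsense-import-certificate.php script. Matching rules follow RFC 6125
section 6.4.3 and current browser practice:
  * if the certificate has dNSName SAN entries, only those are consulted;
    the subject CN is a fallback for certificates with no SAN at all;
  * a wildcard is honoured only as the entire left-most label and matches
    exactly one label (so *.mydomain.com covers opnsense.mydomain.com but
    not a.b.mydomain.com, nor the bare mydomain.com);
  * comparison is case-insensitive and ignores a trailing dot.
"""

from typing import Dict, Iterable, Optional, Tuple


def _normalize(name: str) -> str:
    return name.strip().rstrip(".").lower()


def name_matches(pattern: str, hostname: str) -> bool:
    """True if one certificate name (a CN or a dNSName SAN) covers hostname."""
    pattern = _normalize(pattern)
    hostname = _normalize(hostname)
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Conservative wildcard policy: "*" must be the whole left-most label,
    # it must be the only wildcard, and at least two fixed labels must
    # follow it so that a pattern like "*.com" can never match anything.
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels):
        return False  # the wildcard stands in for exactly one label
    return p_labels[1:] == h_labels[1:]


def cert_covers_hostname(
    subject_cn: Optional[str], san_dns_names: Iterable[str], hostname: str
) -> Tuple[bool, Optional[str]]:
    """Return (covered, matching_name). SAN entries take precedence over CN."""
    candidates = [n for n in san_dns_names if n]
    if not candidates and subject_cn:
        candidates = [subject_cn]  # CN is only consulted when no SAN exists
    for name in candidates:
        if name_matches(name, hostname):
            return True, name
    return False, None


# Constructed to mirror the thread: a wildcard issued for '*.myDomain.com'
# and 'myDomain.com', whose subject CN is the bare domain (assumed values).
THREAD_CN = "mydomain.com"
THREAD_SANS = ["*.mydomain.com", "mydomain.com"]
FIREWALL_HOST = "opnsense.mydomain.com"


def explain(hostname: str = FIREWALL_HOST) -> Dict[str, object]:
    """Contrast a CN-only check with a SAN-aware check for the same cert."""
    cn_only, _ = cert_covers_hostname(THREAD_CN, [], hostname)
    covered, via = cert_covers_hostname(THREAD_CN, THREAD_SANS, hostname)
    return {
        "hostname": hostname,
        "cn_only_match": cn_only,
        "san_match": covered,
        "matched_name": via,
    }


if __name__ == "__main__":
    for host in (FIREWALL_HOST, "mydomain.com", "a.b.mydomain.com", "evil.com"):
        r = explain(host)
        print(f"{host:24s} CN-only: {r['cn_only_match']!s:5s} "
              f"SAN-aware: {r['san_match']!s:5s} via {r['matched_name']}")
```

To feed it real values from the files in /root, print the subject and SAN list with `openssl x509 -in fullchain.pem -noout -subject` and `openssl x509 -in fullchain.pem -noout -text | grep -A1 'Subject Alternative Name'`, then pass those names to `cert_covers_hostname` together with the hostname that OPNsense reports.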
Title: Re: Import certificates by command line?
Post by: Tattoofreak on January 28, 2022, 03:12:36 PM
I have the cert.pem and the privkey.pem inside the /root directory.
I have also tried to use the fullchain.pem instead of cert.pem but that also has the same result.

Edit: I don't have to import the certificate manually first via the GUI once, do I? Because currently there's only the default self-signed certificate installed. I guess the script is not only to update but also to import certificates from scratch, right?

Edit 2: Just FYI, my config in
System --> Settings --> General
is the following:

Hostname: opnsense
Domain: <mydomain.com>


Should be correct?
Title: Re: Import certificates by command line?
Post by: bartjsmit on January 28, 2022, 04:19:21 PM
The script should import the cert regardless of any being manually set up. I see them in my trust section with a description like "Certificate added to opnsense through opnsense-import-certificate.php on <date>"

The Authorities section only has my OpenVPN CA cert in it.

My system, settings, general shows the same pattern; single word hostname and the domain from my LE wildcard.
Title: Re: Import certificates by command line?
Post by: Tattoofreak on January 28, 2022, 06:39:10 PM
That's very odd. I really cannot imagine what the problem is. I can only guess that maybe the "-" symbol in my domain name (my-domain.com) could be an issue.
Are you on the latest opnsense release 22.1 too?
Title: Re: Import certificates by command line?
Post by: bartjsmit on January 28, 2022, 08:15:18 PM
No, I always wait a few days - upgrade scheduled for the weekend
Title: Re: Import certificates by command line?
Post by: Tattoofreak on January 28, 2022, 08:38:54 PM
Well, maybe you are willing to test and report back after you have upgraded, that would be helpful.
Thank you so far for your help, very appreciated mate!
Title: Re: Import certificates by command line?
Post by: bartjsmit on January 29, 2022, 09:46:48 AM
Upgrade was flawless with the LE cert coming across without issues.

You could import your cert manually for now and revisit once I've been through a refresh cycle.
Title: Re: Import certificates by command line?
Post by: Tattoofreak on January 29, 2022, 03:57:51 PM
Alright. I have imported the wildcard certificate manually via the GUI, which worked flawlessly. The wildcard certificate also takes effect without any hiccup when connecting to opnsense via its hostname opnsense.mydomain.com.
It's just the PHP script not working somehow. Even now after importing the certificate manually the PHP script does still give me the same issue.