OPNsense Forum

Archive => 22.1 Legacy Series => Topic started by: surly on March 09, 2022, 11:40:25 AM

Title: DNSAPI for my provider is part of ACME but not offered in OPNsense config
Post by: surly on March 09, 2022, 11:40:25 AM
I'm seeking to reestablish wildcard certs through Let's Encrypt using the ACME client. My DNS provider (and registrar) is EasyDNS. On pfSense, EasyDNS was listed in the DNS challenge section as a provider and it just worked. I think I had my wildcard cert established in under a minute of my first attempt.

OPNsense does not list EasyDNS as a DNS provider in the challenge set up.  When I migrated (21.1) I let it go to figure out later.  Later is now.

I'm no developer, but I've been a CLI guy for over 30 years, and from what I can see EasyDNS is included in the ACME client package OPN is using, and is present in both the examples and the running folders:

root@OPN:/usr/local/share/examples/acme.sh/dnsapi # ls -l dns_easydns.sh
-r-xr-xr-x  1 root  wheel  4426 Feb  4 00:53 dns_easydns.sh


root@OPN:/var/db/acme/.acme.sh/dnsapi # ls -l dns_easydns.sh
-r-xr-xr-x  1 root  wheel  4426 Feb  4 00:53 dns_easydns.sh


Searching has not led me to specific answers about easydns, nor have I had the right search terms to find information about how particular API clients might be enabled or disabled in OPN. I have found others posting where the OPN GUI offers APIs which are not supported by the installed ACME (https://forum.opnsense.org/index.php?topic=18476.0) but that's the opposite of my issue (and I've seen comments not to do what the OP did in that thread).

Do I have any options here to get this DNS API working in a "clean" way, supported in config backups and across updates/upgrades? (like it did, and still appears to, in pfSense).

If not "clean", I'm open to recommendations on the "least unclean" ways to do this automatically.

Title: Re: DNSAPI for my provider is part of ACME but not offered in OPNsense config
Post by: surly on March 09, 2022, 02:46:07 PM
A little more digging...

It looks like config.xml records a pointer to the chosen DNSAPI (based on whatever is available in the GUI) plus configuration values for every one of the available options (whether they are used or not).  My guess is that if easydns was permitted in the GUI, then easydns entries would also need to become part of the config.xml (regardless of whether selected for use).

So - not sure if it's just a case of only certain DNSAPIs having been selected by OPN developers for inclusion based on anticipated demand(?), and there's not a whole lot to be done other than to request that additional DNSAPIs get GUI and config support? (or do it manually, or do it outside of OPNsense using cron and my own scripts, which will likely get nuked on upgrade)

          <dns_service>dns_nsupdate</dns_service>
          <dns_sleep>120</dns_sleep>


          <dns_autodns_user/>
          <dns_autodns_password/>
          <dns_autodns_context/>
          <dns_aws_id/>
          <dns_aws_secret/>
          <dns_azuredns_subscriptionid/>
          <dns_azuredns_tenantid/>
          <dns_azuredns_appid/>
          <dns_azuredns_clientsecret/>
          <dns_cf_email/>
          <dns_cf_key/>
          <dns_cf_token/>
          <dns_cf_account_id/>
          <dns_cloudns_auth_id/>
          <dns_cloudns_sub_auth_id/>
          <dns_cloudns_auth_password/>
          <dns_cx_key/>
          <dns_cx_secret/>
          <dns_cyon_user/>
          <dns_cyon_password/>
          <dns_da_key/>
          <dns_da_insecure>1</dns_da_insecure>
          <dns_ddnss_token/>
          <dns_dgon_key/>
          <dns_dnsimple_token/>
          <dns_doapi_token/>
          <dns_do_pid/>
          <dns_do_password/>
          <dns_domeneshop_token/>
          <dns_domeneshop_secret/>


Title: Re: DNSAPI for my provider is part of ACME but not offered in OPNsense config
Post by: aida on March 28, 2023, 08:04:11 AM
Quote from: surly on March 09, 2022, 11:40:25 AM
Do I have any options here to get this DNS API working in a "clean" way, supported in config backups and across updates/upgrades? (like it did, and still appears to, in pfSense).   

If not "clean", I'm open to recommendations on the "least unclean" ways to do this automatically.

This is something I'm wondering about too, did you get any closer to figuring it out?

In my case I set up a local CA with step-ca (https://smallstep.com/blog/build-a-tiny-ca-with-raspberry-pi-yubikey/) and I'm trying to figure out how to get it working with OPNsense.

I created a thread here https://forum.opnsense.org/index.php?topic=33256.