OPNsense Forum

English Forums => 25.7, 25.10 Series => Topic started by: Mr.Goodcat on October 22, 2025, 01:20:12 PM

Title: Updated acme.sh for additional features
Post by: Mr.Goodcat on October 22, 2025, 01:20:12 PM
Hi,

the release cadence of acme.sh can be slow with gaps of up to a year. If I understand the readme correctly, one should use the latest code instead of waiting for new tags anyway:
Quote: "acme.sh is in constant development, so it's strongly recommended to use the latest code."

Since the last release from April, useful new features such as the DNS API of Hurricane Electric have been added. Would it be possible to update OPNsense with the latest code from GitHub? Thanks!
Title: Re: Updated acme.sh for additional features
Post by: Monviech (Cedrik) on October 22, 2025, 01:58:45 PM
Acme.sh repository tags a release
FreeBSD ports picks it up and bumps packet version
OPNsense ports synchronize that
New package gets built and released

It's that flow of events that must usually happen.
Title: Re: Updated acme.sh for additional features
Post by: franco on October 22, 2025, 02:21:56 PM
Using latest for new things is useful, using it for existing things is risky.

Getting fixes into FreeBSD ports is also not really an option as FreeBSD doesn't really consider downstream an important factor.

Case in point https://github.com/opnsense/ports/commit/95f5a824aa


Cheers,
Franco
Title: Re: Updated acme.sh for additional features
Post by: Mr.Goodcat on October 22, 2025, 03:12:35 PM
Thank you both for the insights! So it's either back to waiting for a new release tag or building from git myself.
Title: Re: Updated acme.sh for additional features
Post by: franco on October 22, 2025, 03:22:04 PM
As shown we can do small backports into our ports tree if they serve a purpose. Pulling in everything is not a good idea.


Cheers,
Franco

PS: Long time no see, hope you are doing good :)
Title: Re: Updated acme.sh for additional features
Post by: Mr.Goodcat on October 22, 2025, 06:13:43 PM
You're absolutely correct, pulling in everything is probably just asking for trouble. Yet, doing individual pulls for non-critical issues creates too much work for projects as big as OPNsense.

I felt somewhat naked without having 2FA activated on my Hurricane Electric account. However, as HE apparently doesn't support global access tokens, that requires ACME.sh to support record-specific API keys - which is safer anyways: https://github.com/acmesh-official/acme.sh/pull/5237

Cheers,
Fabian

PS: Thank you, I'm doing great and hope you are as well! :-)
Title: Re: Updated acme.sh for additional features
Post by: franco on October 22, 2025, 08:03:42 PM
You're looking for https://github.com/acmesh-official/acme.sh/commit/0ae80272f specifically?

It probably also needs an addition to os-acme-client plugin?

Yes, doing great all things considered.  :)


Cheers,
Franco
Title: Re: Updated acme.sh for additional features
Post by: Mr.Goodcat on October 22, 2025, 08:58:18 PM
Glad to hear it! :-)

Yes, that's the commit.
I assumed it to be integrated in a way that simply takes the user/password input in ACME's challenge types. But that was overly optimistic to naive. Guess I should finally RTFM the plugin documentation^^