OPNsense Forum

English Forums => General Discussion => Topic started by: toms on March 19, 2018, 11:59:21 am

Title: Certificate management (CLI/API)
Post by: toms on March 19, 2018, 11:59:21 am
Hi all,

We're in the process of altering our internal certificate renewal but I'm trying to grasp the best way of doing this (programmatically). Looking through plugins/acme-client (which we also use) I've found the (plugin's) certhelper.php that wraps around (core's) system_certmanager.php.

As that is still php and not API exposed, what would be the best way to upload new certificates? (programmatically - which might be a shell script on the firewall if curl isn't feasible)
Before asking, we'd like to do central management of the certificates instead of manually on multiple OPNsense physical appliances and a couple of virtual instances. So running acme-client on each and every box (and this is beyond only OPNsense as it includes some other services like webservers and SSL offloaders) is not an option.

Would (in some form) calling the acme-client's certhelper.php be an idea, should we (partially) change that functionality to provide our own API (which I'm happy to re-share for obvious OS reasons) - or is there something already out there that would do this? (Again, using acme-client is not acceptable as we also still have other CAs involved - we are really looking into renewing certificates programmatically).

Kind regards,

Tom
Title: Re: Certificate management (CLI/API)
Post by: fabian on March 19, 2018, 06:14:31 pm
Legacy pages are hard to use with other clients than the Web interface.

As a workaround you can write something like this:
https://github.com/fabianfrz/scripts/blob/master/OPNsense/backup_over_http.rb

Please note that the CSRF token is hard to handle in a shell script.
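The workflow fabian describes, as an added example in Python (it is not his script, nor OPNsense project code): keep one cookie-carrying session, read the CSRF token out of the page's hidden inputs right before each POST, and submit it back together with the form fields. The hidden-field name, the form fields and the sample page are placeholders/constructed; take the real names from the page source of your own firewall.

```python
# Added example (not fabian's script, not OPNsense code): CSRF-aware client for
# the legacy pages, stdlib only. Field names are placeholders; see page source.
import http.cookiejar
import urllib.parse
import urllib.request
from html.parser import HTMLParser

CSRF_FIELD = "PLACEHOLDER_csrf_field_name"  # assumption: read it from the form
# Constructed sample of the hidden inputs a legacy form page carries.
SAMPLE_PAGE = ('<form><input type="hidden" name="PLACEHOLDER_csrf_field_name" '
               'value="abc123"><input type="hidden" name="id" value="7"></form>')

class _HiddenInputs(HTMLParser):
    """Collect every <input type="hidden" name=... value=...> on a page."""
    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value", "")

def csrf_token(html, field=CSRF_FIELD):
    """Return the token embedded in a legacy page; fail loudly if absent."""
    parser = _HiddenInputs()
    parser.feed(html)
    if field not in parser.fields:
        raise ValueError("no hidden field %r in page" % field)
    return parser.fields[field]

def form_body(fields, token, field=CSRF_FIELD):
    """URL-encode the real form fields plus the token the page handed out."""
    return urllib.parse.urlencode({**fields, field: token})

class LegacySession:
    """Cookie-keeping session: a token is only valid with its login cookie."""
    def __init__(self, base_url):
        self.base = base_url.rstrip("/")
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))

    def get(self, path):
        return self.opener.open(self.base + path).read().decode()

    def post_form(self, path, fields):
        # GET the form first: its token belongs to this session's cookie.
        token = csrf_token(self.get(path))
        data = form_body(fields, token).encode()
        return self.opener.open(self.base + path, data=data).read().decode()
```

urllib verifies TLS by default; point it at the CA that issued the firewall's web certificate rather than turning verification off.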
Title: Re: Certificate management (CLI/API)
Post by: toms on March 20, 2018, 11:14:46 pm
Hi fabian,

Seems to work to upload certificates (using your example although using python) - but this won't work for switching the certificates as system_advanced_admin.php is too heavily dependent on executed javascript to change the form to the correct values :( CSRF was only a small walk in the park, but the actual changing of the certificate won't work unfortunately.

I can scrape enough to change to the correct certificate but this isn't a viable solution in any form of way - mostly due to the form's defaults (without javascript) being too empty. Maybe I should look closer into https://github.com/opnsense/plugins/blob/master/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php and figure out how to re-use the code from line 987 (Update certificate object) to select the uploaded cert & following restart actions.

If someone has some pointers I'd be very happy to dig further into this, otherwise we'll just schedule some human-minion-working-hours ever so often, but I'd really like to avoid that :)

Kind regards,

Tom
Title: Re: Certificate management (CLI/API)
Post by: franco on March 21, 2018, 12:25:09 am
There is a trust API conversion PR here: https://github.com/opnsense/core/pull/2053

The problem for the team is that it is largely untested and asking for integration work / review which is hard to pull off with our limited resources.

Cheers,
Franco
Title: Re: Certificate management (CLI/API)
Post by: nununo on April 24, 2022, 06:41:15 pm
Hello,

Any news on this topic? The mentioned PR got closed.
I'd like to be able to have an Ansible playbook use the OPNsense API to fetch existing certificates.

Thanks.