Messages - skywalker007

#1
General Discussion / Re: ddclient and deSEC
February 15, 2026, 06:38:41 PM
Opened a bug ticket for this as I think if this is implemented via separate services in the native backend, then not using the preserve parameter actually is a bug.
https://github.com/opnsense/core/issues/9793
#2
General Discussion / Re: DynDNS client for deSEC.io
February 15, 2026, 06:14:21 PM
Quote from: JamesFrisch on February 13, 2026, 09:06:36 PM
Shameless plug for a little script I wrote.

I first wanted to edit ddclient to make it more suitable for working with deSEC and OPNsense, but soon came to the conclusion that ddclient is too big and bloated.

So I wrote a little script:
https://github.com/jameskimmel/deSEC_DynDNS

Hope you guys like it, give it a try.

I looked at your script quickly and my observation is that it is completely decoupled from OPNsense logic to update the IPs when the WAN connection gets established. Why would I schedule a script with cron?
Using the custom parameter of the native backend is in my opinion the better integration into OPNsense logic as it only gets called when the IP actually changes. It also allows you to use the preserve parameters to avoid overwriting A or AAAA records if the other one is updated.
The only challenge with the custom approach is that it doesn't do error handling in case the update fails for some reason. But as a workaround, this is acceptable. I'll open a FR to get the native integration fixed.
#3
General Discussion / Re: ddclient and deSEC
February 14, 2026, 01:59:41 PM
Quote: These workarounds are exactly what I mean and what my script handles better.

Uh - I missed your post. I'll have a look at your script. Thanks!
#4
General Discussion / Re: ddclient and deSEC
February 14, 2026, 11:15:56 AM
I have just implemented it using the custom method which works well.
Documented here:
https://forum.opnsense.org/index.php?topic=50907.0
#5
Problem
When using OPNsense DynDNS with deSEC, updating IPv4 (A) and IPv6 (AAAA) separately can overwrite the other record.
This is confirmed behavior and documented in the deSEC API. The fix is to use the preserve parameter and the custom updater.

IPv4 DynDNS Configuration (A Record)

Create a DynDNS entry:

Service: custom
Protocol: Custom GET
Server:
https://update.dedyn.io/?hostname=<FQDN>&myip=__MYIP__&myipv6=preserve
Username: <FQDN>
Password: <DESEC_TOKEN>
Hostname(s): <FQDN>
Check IP Method: Interface IPv4
Interface: WAN

Important Notes

__MYIP__ must be included in the URL.
OPNsense only inserts the detected IP if the placeholder exists.
myipv6=preserve ensures the AAAA record is not deleted during IPv4 updates.

IPv6 should be configured as a separate DynDNS entry using:
https://update6.dedyn.io/?hostname=<FQDN>&myipv6=__MYIP__&myipv4=preserve
Check IP Method: Interface IPv6
Interface: <one of your internal v6 assigned interfaces>
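An added example, not part of the original post or of OPNsense: a small Python check for the two custom-GET server URLs described above, flagging the mistakes that lead to the other record being overwritten. The function name, the sample hostname and the https check are assumptions of this example.

```python
from urllib.parse import urlsplit, parse_qs

PLACEHOLDER = "__MYIP__"  # OPNsense substitutes the detected address here
# Parameter that must be "preserve" so the other record type is left alone,
# taken from the two URLs in the post.
OTHER_FAMILY = {"ipv4": "myipv6", "ipv6": "myipv4"}


def lint_template(url, family):
    """Return a list of problems found in a custom-GET server URL.

    family is "ipv4" for the A-record entry, "ipv6" for the AAAA entry.
    """
    problems = []
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)

    # Assumption of this example: the token is sent with every request,
    # so a plain-http URL would expose it.
    if parts.scheme != "https":
        problems.append("URL is not https")

    if not params.get("hostname", [""])[0]:
        problems.append("hostname parameter missing")

    # Without the placeholder OPNsense has nothing to substitute.
    carriers = [k for k, v in params.items() if PLACEHOLDER in v]
    if len(carriers) != 1:
        problems.append(
            f"expected exactly one {PLACEHOLDER} parameter, found {len(carriers)}"
        )

    other = OTHER_FAMILY[family]
    if params.get(other) != ["preserve"]:
        problems.append(f"{other}=preserve missing, other record may be overwritten")

    return problems


# Constructed sample hostname, not from the post.
HOST = "host.example.dedyn.io"
GOOD_V4 = f"https://update.dedyn.io/?hostname={HOST}&myip=__MYIP__&myipv6=preserve"
GOOD_V6 = f"https://update6.dedyn.io/?hostname={HOST}&myipv6=__MYIP__&myipv4=preserve"

if __name__ == "__main__":
    for fam, url in (("ipv4", GOOD_V4), ("ipv6", GOOD_V6)):
        print(fam, lint_template(url, fam) or "ok")
```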
#6
General Discussion / Re: ddclient and deSEC
February 13, 2026, 05:18:32 PM
The easiest fix would be to add "preserve" to both options, so you can individually update A and AAAA without deleting the other one.
I use the native backend, not sure if ddclient has different
#7
General Discussion / Re: ddclient and deSEC
February 13, 2026, 05:12:16 PM
Hello,
I just came across exactly the same issue.
Is this something being worked on? Did you open a FR ticket for it?
The only workaround I see right now is to create separate hosts for v4 and v6 in deSEC.
I would really love to have an option to update both A and AAAA record in one go.
Did someone try to implement this as custom?

thanks, Till
#8
It works on my system after upgrade.
#9
that works. Thanks for the hint.
#10
Can I run my own automation script in the acme plugin? It seems to only have a list of commands to choose from.
thanks! Till
#11
I actually got this working by using trust/cert/get
#12
Thank you Cedrik, this was a good hint.
It actually pointed me towards the generate_file action that can (according to the browser session dump) generate crt, prv and pkcs12 files.
However there are two things to notice:
- The documentation says it requires POST while the browser session uses GET
- Neither does work with cURL. CSRF issue? I only get {"status":"failed"} as a response.
Has anyone ever tried this outside of an authenticated browser session?

Thanks for your help and kind regards, Till
#13
Hi,
according to the docs:
https://docs.opnsense.org/development/api/core/trust.html
There is a raw_dump function. I assume it can be used to export a full certificate incl private key?
When I try to use it, it returns 404.
Does it exist?
I have a dedicated "api" user with the privileges: "System: Certificate Manager"
I have successfully tested it and parsed out the UUID by using:
CERT_UUID=$(curl -s -u "$API_KEY:$API_SECRET" "$HOST/api/trust/cert/search" | jq -r '.rows[] | select(.commonname == "<my common name>") | .uuid')
Now when I run:
curl -v -u "$API_KEY:$API_SECRET" "$HOST/api/trust/cert/raw_dump?uuid=$CERT_UUID"
it returns 404.
Any hint?
I am running on 25.1.10.

thank you!
#14
I had a couple of situations recently where my firewall got very unresponsive on some services incl the Web UI. Logging into the Web UI then takes up to a minute.
The only thing that helped getting back to normal was a reboot then. How can I diagnose what's going on?
Some logs on the CLI which I could monitor when it happens?
The system is an Atom CPU C3558 @ 2.20GHz (4 cores, 4 threads) with 64Gb RAM and ZFS mirrored boot device, latest version installed, all updates.
It does run Zenarmor and I have seen mongod consuming quite some CPU cycles but normally that isn't an issue.
Any hint on how to track this down next time it happens is appreciated.
TIA!
#15
Anyone got a hint for me?
I use the ACME client to manage a number of certificates.
I would like to have an automation that sends me an email when a particular certificate has been renewed.
Any idea how to do that?
I thought about using monit in any way for that but have no clue how.
Thanks for any hint.
-Till