Menu

Show posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Show posts Menu

Messages - toms

Pages1
#1
General Discussion / Re: Certificate management (CLI/API)
March 20, 2018, 11:14:46 PM
Hi fabian,

Seems to work to upload certificates (using your example although using python) - but this won't work for switching the certificates as system_advanced_admin.php is too heavily dependent on executed javascript to change the form to the correct values :( CSRF was only a small walk in the park, but the actual changing of the certificate won't work unfortunately.

I can scrape enough to change to the correct certificate but this isn't a viable solution in any form of way - mostly due to the form's defaults (without javascript) being too empty. Maybe I should look closer into https://github.com/opnsense/plugins/blob/master/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php and figure out how to re-use the code from line 987 (Update certificate object) to select the uploaded cert & following restart actions.

If someone has some pointers I'd be very happy to dig further into this, otherwise we'll just schedule some human-minion-working-hours ever so often, but I'd really like to avoid that :)

Kind regards,

Tom
#2
General Discussion / Certificate management (CLI/API)
March 19, 2018, 11:59:21 AM
Hi all,

We're in the process of altering our internal certificate renewal but I'm trying to grasp the best way of doing this (programmatically). Looking through plugins/acme-client (which we also use) I've found the (plugins') certhelper.php that wraps around (cores) system_certmanager.php

As that is still php and not API exposed, what would be the best way to upload new certificates? (programatically - which might be a shell script on the firewall if curl isn't feasible)
Before asking, we'd like to do central management of the certificates instead of manually on multiple OPNsense physical appliances and a couple of virtual instances. So running acme-client on each and every box (and this is beyond only OPNsense as it includes some other services like webservers and SSL offloaders) is not an option.

Would (in some form) calling the acme-client's certhelper.php be an idea, should we (partially) change that functionality to provide our own API (which I'm happy to reshare for obvious OS-reasons) - or is there something already out there that would do this? (Again, using acme-client is not acceptible as we also still have other CA's involved - we are really looking in to renewing certificates programmatically).

Kind regards,

Tom
Pages1