Messages - Tattoofreak

#1
22.1 Legacy Series / ACME plugin: Order of automations?
February 14, 2022, 11:13:16 AM
Using the ACME plugin, I am wondering if there is a way to control the order in which automations are executed whenever a certificate is renewed.

Example: I made a custom script/automation which reloads the Apache server on a remote Linux webserver. How can I be sure this automation is executed after the SFTP automation that uploads the certificate to that specific remote Linux webserver?

Thank you!
#2
@TheHellSite
Maybe you would also like to know how to enable WebSockets on your frontend(s) if your incoming clients are looking for them. WebSockets are used, for example, by streaming services over the web. I spent a long time looking for a way to make HAProxy work with Synology's DS Cam Android app, which connects remotely to the Synology Surveillance Station NAS behind HAProxy, and I finally found out. You have to insert the following on your frontend (where you have to replace <myBackend(Pool)> with your corresponding backend, of course):

# two acl lines with the same name are OR'ed: either condition selects the backend
acl is_websocket hdr(Upgrade) -i WebSocket
acl is_websocket hdr_beg(Host) -i ws
use_backend <myBackend(Pool)> if is_websocket


Here's the link to my original and solved issue:
https://www.synoforum.com/threads/connecting-synology-ds-cam-android-app-to-synology-surveillance-station-through-opnsense-haproxy-plugin.7969/
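The same routing written out as a complete hand-edited HAProxy frontend, added here as an illustration rather than taken from the post above or from the OPNsense plugin's generated configuration; the hostnames, backend names, server addresses and certificate path are assumptions. Because two `acl` lines with the same name are OR'ed, the post's second line also sends any request whose Host header merely starts with `ws` to the WebSocket pool, and the Host header is chosen by the client. The example therefore matches the exact WebSocket hostname and additionally requires the `Connection: Upgrade` header that a WebSocket handshake carries.

```haproxy
frontend https_in
    bind *:443 ssl crt /usr/local/etc/haproxy/certs/   # assumed certificate directory
    mode http

    # A WebSocket handshake is a normal HTTP request carrying both headers below.
    # hdr() tests each comma-separated value, so "Connection: keep-alive, Upgrade"
    # still matches.
    acl is_websocket      hdr(Upgrade)    -i websocket
    acl is_websocket_conn hdr(Connection) -i upgrade

    # Match the WebSocket host exactly instead of every host beginning with "ws".
    acl host_ws hdr(host) -i ws.example.com

    # All three conditions on one line are AND'ed.
    use_backend ws_pool if host_ws is_websocket is_websocket_conn
    default_backend web_pool

backend ws_pool
    mode http
    # WebSocket connections are long-lived tunnels; do not cut them on the
    # usual server timeout.
    timeout tunnel 1h
    server ws01 192.0.2.10:8080 check

backend web_pool
    mode http
    server web01 192.0.2.11:80 check
```

If the app really does connect to a hostname beginning with `ws` that you do not know in advance, keep `hdr_beg(host)` but still AND it with the Upgrade and Connection checks so that ordinary browsing on such a host is not pushed into the WebSocket pool.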
#3
Did you ever find out how to do this with the Synology? I'm facing the same problem!
#4
Alright. I have imported the wildcard certificate manually via the GUI, which worked flawlessly. The wildcard certificate is also used without any hiccup when connecting to OPNsense via its hostname opnsense.mydomain.com.
It's just the PHP script that is somehow not working. Even now, after importing the certificate manually, the PHP script still gives me the same issue.
#5
Well maybe you are willing to test and report back after you have upgraded, that would be helpful.
Thank you so far for your help, very appreciated mate!
#6
That's very odd. I really cannot imagine what the problem is. I can only guess that maybe the "-" symbol in my domain name (my-domain.com) could be an issue.
Are you on the latest opnsense release 22.1 too?
#7
I have the cert.pem and the privkey.pem inside the /root directory.
I have also tried to use the fullchain.pem instead of cert.pem but that also has the same result.

Edit: I don't have to import the certificate manually via the GUI once first, do I? Because currently there's only the default self-signed certificate installed. I guess the script is meant not only to update but also to import certificates from scratch, right?

Edit 2: Just FYI, my config in
System --> Settings --> General
is the following:

Hostname: opnsense
Domain: <mydomain.com>


Should be correct?
#8
Maybe the problem is that I have two domains within a single certificate? Could this confuse the PHP script?

e.g.

*.myDomain.com
myDomain.com
#9
Yes, everything is within the /root directory in opnsense (I have also tried to run the PHP script directly on the opnsense command line with root user, btw.)

As I have already set up an acme.sh script on my own certificate server I am only using the script from here:
https://github.com/pluspol-interactive/opnsense-import-certificate

Just for clarity: my script to get the certificate looks like this:
#!/bin/sh
# issue one certificate covering the wildcard and the apex domain, validated via the Gandi LiveDNS API
/root/.acme.sh/acme.sh --accountemail "foo@bar.com" --issue --dns dns_gandi_livedns -d '*.myDomain.com' -d myDomain.com


The certificate works great with all my public webservices.

Do you see any issues the way I am doing it?
#10
That's great, thanks!
Unfortunately it does not work yet.
The php script puts the following message:

The certificate subject does not match the hostname <opnsense.mydomain.com>
CN=mydomain.com

My certificate is indeed a wildcard certificate so this should work, should it?
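A hostname check that looks at the certificate's subjectAltName rather than only its CN, which is where a wildcard certificate like the one above carries `*.myDomain.com` (the quoted error reports only `CN=mydomain.com`). This is an added example, not the import script from the linked repository, and the certificate path is an assumption. The matching follows the browser rules: a wildcard is honoured only as the entire left-most label and covers exactly one label, so `*.mydomain.com` matches `opnsense.mydomain.com` but neither `mydomain.com` nor `a.b.mydomain.com`.

```shell
#!/bin/sh
# Added example: does a certificate's subjectAltName cover a hostname?
# Not part of the opnsense-import-certificate script; paths are assumptions.

# Usage: san_names /path/to/cert.pem   -> one DNS name per line
# (needs OpenSSL 1.1.1 or newer for the -ext option)
san_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
}

# Usage: name_matches_host NAME HOST
# Case-insensitive; a wildcard is accepted only as the whole left-most label
# and matches exactly one label.
name_matches_host() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$name" in
        '*.'*)
            suffix=${name#\*.}      # what must follow the host's first label
            label=${host%%.*}       # the host's left-most label
            rest=${host#*.}         # the host without that label
            if [ -n "$label" ] && [ "$rest" != "$host" ] && [ "$rest" = "$suffix" ]; then
                return 0
            fi
            return 1
            ;;
        *'*'*)
            return 1                # partial wildcards like w*.example.com are rejected
            ;;
        *)
            if [ "$name" = "$host" ]; then return 0; fi
            return 1
            ;;
    esac
}

# Usage: host_covered HOST NAME...   (the names normally come from san_names)
host_covered() {
    host=$1; shift
    for n in "$@"; do
        name_matches_host "$n" "$host" && return 0
    done
    return 1
}

# Usage: cert_covers_host /path/to/cert.pem HOST
cert_covers_host() {
    set -f                          # no pathname expansion on names like *.example.com
    if host_covered "$2" $(san_names "$1"); then rc=0; else rc=1; fi
    set +f
    return $rc
}

# Example: cert_covers_host /root/cert.pem opnsense.mydomain.com && echo "covered"
```

Running `cert_covers_host /root/cert.pem opnsense.mydomain.com` against a certificate issued for `*.mydomain.com` and `mydomain.com` succeeds, while the same certificate does not cover the bare apex name through the wildcard, only through its second SAN entry.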
#11
As I have an external certificate server, I would like to avoid using the ACME plugin. To automate the import of renewed certificates, I have found this topic:
https://forum.opnsense.org/index.php?topic=15139.0
Seems like it could be a hassle (if not now, maybe in the future) using that provided script.
There must be a way to import a renewed certificate via the command line, right? If it's possible via the GUI, it's possible via the command line too. My question is: how? Does any OPNsense expert know how to do this?

Thank you!
#12
Anyone?

I'm wondering if it is even possible to catch URL based packets when Public Services Type is set to TCP? Would this work?
#13
Thank you for this tutorial.
Unfortunately my requirements are a bit different.
Basically, what I want to do, is:

I want to set up HAProxy just for routing traffic based on URLs (https://xyz.domain.com goes to server 1 and https://abc.domain.com goes to server 2, etc...).
All SSL stuff for the destination web servers is being handled by a separate Linux certificate server and the web servers themselves, independent from OPNsense/HAProxy. HAProxy is really only needed for routing traffic based on URLs, nothing more, nothing less.

The websites are all working when I use NAT rules, but I was not able yet to make it run with HAProxy in between.

For testing it with just one webserver, I have configured the following:

OPNsense settings:

System --> Settings --> Administration:
TCP port: 4443

Firewall --> Rules --> WAN:
Protocol: IPv4/TCP | Source: any | Port: Any | Destination: This Firewall | Port: 80 (HTTP) | Rule: Pass
Protocol: IPv4/TCP | Source: any | Port: Any | Destination: This Firewall | Port: 443 (HTTPS) | Rule: Pass

HAProxy settings (everything not mentioned I left on default settings):

Services --> HAProxy --> Settings --> Settings:
Service:
Enable HAProxy: Checked

Services --> HAProxy --> Settings --> Real Servers:
Real Servers:
Name or Prefix: web01_http | FQDN/IP: 192.168.1.10 | Port: 80
Name or Prefix: web01_https | FQDN/IP: 192.168.1.10 | Port: 443

Services --> HAProxy --> Settings --> Virtual Services:
Backend Pools:
Name: web01_backendpool01 | Mode: TCP (Layer4) | Servers: web01_http, web01_https

Services --> HAProxy --> Settings --> Rules & Checks:
Conditions:
Name: myWebsite01_condition01 | Condition type: Host starts with | Host prefix: <mysubdomain>.<mydomain>.com

Services --> HAProxy --> Settings --> Rules & Checks:
Rules:
Name: myWebsite01_rule01 | Select conditions: myWebsite01_condition01 | Execute function: Use specific Backend Pool | Use backend pool: web01_backendpool01

Services --> HAProxy --> Settings --> Virtual Services:
Public Services:
Name: web01_publicService01 | Listen Addresses: <myPublicIP>:80, <myPublicIP>:443 | Type: TCP | Rules: myWebsite01_rule01


Any help would be very appreciated, thank you in advance!
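For the setup described in this post, a complete hand-edited haproxy.cfg rather than the plugin's forms, added here as an illustration and not taken from the post or from the plugin's generated output. `xyz.domain.com`, `abc.domain.com` and `192.168.1.10` come from the post; `192.168.1.11` and all section names are assumptions. With `Type: TCP` the TLS session is passed through untouched, so HAProxy never sees the HTTP Host header on port 443; what it can see, before any bytes are forwarded, is the server name (SNI) in the ClientHello, and that is what the example routes on. Port 80 is plain HTTP, so the Host header works there as usual. The example also keeps the port-80 and port-443 servers in separate pools so a TLS connection is never balanced onto the plain-HTTP port, and drops connections whose SNI matches nothing instead of handing them to a default server.

```haproxy
# Port 443: TLS passthrough, routed on the SNI of the ClientHello.
frontend https_passthrough
    bind *:443
    mode tcp
    # Hold the connection (at most 5s) until the ClientHello has arrived,
    # otherwise req.ssl_sni is empty and nothing matches.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

    use_backend web01_https if { req.ssl_sni -i xyz.domain.com }
    use_backend web02_https if { req.ssl_sni -i abc.domain.com }
    # No recognised SNI (or no TLS at all): drop instead of forwarding.
    default_backend no_match_tcp

backend web01_https
    mode tcp
    server web01 192.168.1.10:443 check

backend web02_https
    mode tcp
    server web02 192.168.1.11:443 check      # assumed address of server 2

backend no_match_tcp
    mode tcp
    tcp-request content reject

# Port 80: plain HTTP is readable, so the Host header can be used.
frontend http_in
    bind *:80
    mode http
    use_backend web01_http if { hdr(host) -i xyz.domain.com }
    use_backend web02_http if { hdr(host) -i abc.domain.com }
    default_backend no_match_http

backend web01_http
    mode http
    server web01 192.168.1.10:80 check

backend web02_http
    mode http
    server web02 192.168.1.11:80 check

backend no_match_http
    mode http
    http-request deny
```

The SNI is sent by the client in clear text and is not authenticated, so it is only a routing key: the certificate the client ends up verifying is the one served by the selected backend, which is why a wrong or spoofed SNI can at worst reach a server that then fails the TLS handshake for that name.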
#14
Hey folks!

As I am setting up automated certificate renewal with the ACME plugin, I am wondering if it is possible to execute an automated remote command after certificates have been transferred over the plugin's SFTP client to the remote machine, just like it is possible with pfSense's ACME plugin integration.

It would be very helpful if I could restart the remote server's services after certificates have successfully been transferred over.

Thank you in advance for any hints!
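One way around both questions (the automation order asked about in post #1, and the remote command after the SFTP transfer asked about here): put the upload and the reload into a single script and have the ACME client run that one script after a successful renewal, so the reload cannot run before the files are in place. This is an added example, not the plugin's own automation and not one of acme.sh's deploy hooks; the certificate paths, the SSH account, the remote directory and the Apache service name are assumptions, and it expects the remote account to be allowed to run `apachectl configtest` and `systemctl reload apache2` via sudo without a password. The two checks before the upload refuse to ship a certificate that does not belong to the key or is not currently valid, which is the failure that otherwise only shows up as a dead web server after the reload.

```shell
#!/bin/sh
# Added example: upload a renewed certificate and reload Apache in one step.
# All paths, hosts and account names below are assumptions.
set -eu

CERT=${1:-/root/.acme.sh/my-domain.com/fullchain.cer}     # assumed acme.sh output
KEY=${2:-/root/.acme.sh/my-domain.com/my-domain.com.key}  # assumed acme.sh output
REMOTE=${3:-deploy@web01.example.com}                    # assumed SSH account
REMOTE_DIR=/etc/ssl/web01                                # assumed remote directory

# Usage: cert_key_match CERT KEY -> success if the public keys are identical.
cert_key_match() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl sha256)
    if [ "$c" = "$k" ]; then return 0; fi
    return 1
}

# Usage: cert_is_valid_now CERT -> success if the certificate is valid right now.
cert_is_valid_now() {
    if openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then return 0; fi
    return 1
}

deploy() {
    cert_key_match "$CERT" "$KEY"
    cert_is_valid_now "$CERT"

    # Upload under temporary names, then swap them in and reload within the
    # same SSH session; set -e on the remote side stops at the first failure,
    # so a broken config test leaves the old certificate in place.
    scp -q "$CERT" "$REMOTE:$REMOTE_DIR/fullchain.pem.new"
    scp -q "$KEY"  "$REMOTE:$REMOTE_DIR/privkey.pem.new"
    ssh "$REMOTE" "set -e
        chmod 0600 '$REMOTE_DIR/privkey.pem.new'
        mv '$REMOTE_DIR/fullchain.pem.new' '$REMOTE_DIR/fullchain.pem'
        mv '$REMOTE_DIR/privkey.pem.new'   '$REMOTE_DIR/privkey.pem'
        sudo apachectl configtest
        sudo systemctl reload apache2"
}

# Only deploy when explicitly asked, so the functions can be sourced and tested.
if [ "${DEPLOY_NOW:-0}" = "1" ]; then
    deploy
fi
```

Run it as `DEPLOY_NOW=1 ./deploy-cert.sh` from the renewal hook. Since the script does the transfer itself, the plugin's separate SFTP automation is no longer needed for that host, and there is nothing left to order.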
#15
In my case, this is the only part where OPNsense lags behind pfSense's ACME plugin implementation.
As my ISP (which is my domain provider) does not offer the possibility to create NS records manually, I am not able to use OPNsense's "ACME DNS API", which would give me the possibility to automate certificate renewals.

Plus, like OP has already mentioned, I do not have the possibility to use manual TXT entries with OPNsense's ACME implementation.

It drives me nuts that I am not able to move away completely from pfSense to OPNsense. I have to run an additional virtual pfSense instance just because of certificate renewals. pfSense's ACME plugin is just offering more possibilities which fit my needs.