Messages

1

21.1 Legacy Series / Let's Encrypt Plugin - add CSR option

« on: May 13, 2021, 12:06:02 am »

Hi,

I ma very new to OpnSense (one month), but am really enjoying it.  I use the Let's Encrypt plugin extensively for getting certs for all of my stuff since the interface is excellent and centralized.  I run the bind plugin and it is great since I can generate certs for all my stuff easily.

I have the need to add CSRs to the certificate creation stuff and was wondering if someone could point me to where I can check out the code and add it.  I would of course create patches that could be added if the developers wanted to do so.  I am no web programmer for sure, but I am very unix friendly and see the acme stuff is all shell based anyhow (or python which I am fluent it).

I just cannot find where to check out the current code for the plugin.  If anyone could point me in the right directio, I'll gie it a whirl.

TiA,

Greg

2

21.1 Legacy Series / Re: Let's Encrfypt - BIND Plugin - always failing domain name *solved*

« on: May 01, 2021, 03:00:59 pm »

Well, I guess I'm a dumb ass

I deleted the user who had the API keys created and once I updated the keys, it works a treat.

3

21.1 Legacy Series / Re: Let's Encrfypt - BIND Plugin - always failing domain name

« on: April 30, 2021, 01:50:28 pm »

If I create the TXT record and put bogus info in it, the plugin is not updating it with the challenge from LE, so I am unsure where to go.

I added the TXT record (and the A record already existed) and both are queryable and return results, but it is never being updated to the proper TXT value.

Not sure where to go from here

-Greg

4

21.1 Legacy Series / Let's Encrfypt - BIND Plugin - always failing domain name

« on: April 30, 2021, 01:03:16 pm »

Hi,

I have Let's Encrypt working with the HTTP_01 plugin for my firewall certs, but I am using OpnSense to run BIND as well, so I figured since it has a nice GUI for LE, I would use it for all of my certbot certs as well.  Using the BIND plugin, I always get invalid domain :

Code: [Select]

[Fri Apr 30 05:41:59 CDT 2021] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --insecure  '
[Fri Apr 30 05:41:59 CDT 2021] ret='0'
[Fri Apr 30 05:41:59 CDT 2021] h='expe-mra.mydomain.net'
[Fri Apr 30 05:41:59 CDT 2021] h='mydomain.net'
[Fri Apr 30 05:41:59 CDT 2021] h='net'
[Fri Apr 30 05:41:59 CDT 2021] invalid domain
[Fri Apr 30 05:42:00 CDT 2021] Error add txt for domain:_acme-challenge.expe-mra.mydomain.net

(domain scrubbed)

I've grep'ed through all acme files on the system and cannot find the logs prints for this "invalid domain", so it must be coming from LE..?

Code: [Select]

[root@fw /]# find . -name '*acme*' -exec grep "invalid domain" {} \;

I have also used the URL from the logs with the api key in them and it returns me successful json output with my BIND configuration printed.  BIND is also running just fine - OpnSense is acting as my only set of DNS servers currently.  The logs are printed quickly, so I know there is no timeout occuring between LE and OpnSense getting to the API port.

*edit*
I have run a packet capture and can see LE querying the DNS name and TXT record, but the TXT record is not found, so the plugin is not working for some reason, and on further inspection, the zone in question's serial nu,ber is not incrementing at all when the cert issue attempt is being ran.

OpnSense 21.1.5 - Acme Client 2.4

TiA for any insight.

-Greg Oliver