Messages - cat /dev/random

#1
It looks like this is not possible at the moment. In the past, this was an "ask" but was never properly or fully implemented.

https://github.com/opnsense/plugins/issues/2627

It is not enough to upload the key material to the remote host... you must further process the key material into a format that the java based application on the remote host can work with. The discussion in #2627 mentions this but there is no workaround or solution.


An updated issue was created to address this... but no progress:

https://github.com/opnsense/plugins/issues/2757


Does anybody have any context / background as to the decision to re-implement acme client hooks?
#2
Hi all.

I have a remote server running the Unifi management application. I wish to upload a certificate from Lets Encrypt onto the server every time the ACME client successfully re-issues it.

I have managed to create a basic actions_unifi.conf and can then invoke it with configctl after I run service configd restart.

The command is even listed in the web UI for possible actions to take... so I think I have all the plumbing in place.

My question

- Where/How can I get the certificate material locations on disk passed into the automation?

In the logs, I see things like

acme.sh [Sun Mar 27 11:37:35 PDT 2022] Installing full chain to: /var/etc/acme-client/certs/$SomeUUIDLookingStringHere/fullchain.pem

But when I dump the env/args passed to the command, I see nothing:


===== Sun Mar 27 11:37:35 PDT 2022 =====
test script called when configctl unifi upload is called
===== ARGS =====

===== END ARGS =====
===== ENV =====
PWD=/usr/local/opnsense/service
HOME=/
SHLVL=1
REQUESTS_CA_BUNDLE=/etc/ssl/cert.pem
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
_=/usr/bin/env
===== END ENV=====
===== END =====

I need to know where on disk the certificate files are located if I am going to later move them to their desired server. How can I get the information from the acme client passed along to the command that I have created?

Here's what I'm using for tests:

root@OPNsense:/usr/local/opnsense/service/conf/actions.d # cat actions_unifi.conf
[upload]
command:/usr/local/opnsense/scripts/unifi/upload_and_restart.sh >> /usr/local/opnsense/scripts/unifi/test.log
parameters:
type:script_output
message:Installing certificate to
description:Script to upload certificate material to Unifi CloudKey
root@OPNsense:/usr/local/opnsense/scripts/unifi # cat upload_and_restart.sh
#!/usr/bin/env bash
#####
echo "===== $(date) ====="
# Test
echo "hi, from the test script"
# dump all cli args
echo "===== ARGS ====="
echo "$@"
echo "===== END ARGS ====="
# dump env
echo "===== ENV ====="
env
echo "===== END ENV====="
# closing marker, matches the "===== END =====" line seen in the log above
echo "===== END ====="
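One way a certificate directory can reach the script at all, added here as an example and not taken from the post or the OPNsense acme plugin: configd substitutes what follows the action name on the configctl command line for %s in the parameters: line, so the script receives the path as $1 and can check it before doing anything with the key material. The actions.d lines quoted in the comment, the directory layout and the file name are assumptions; the sample tree is constructed.

```shell
#!/bin/sh
# Added example, not the plugin's own code. Assumed actions_unifi.conf:
#   [upload]
#   command:/usr/local/opnsense/scripts/unifi/upload_and_restart.sh
#   parameters:%s
#   type:script_output
#   message:Installing certificate to %s
#   description:Script to upload certificate material to Unifi CloudKey
# Then "configctl unifi upload /var/etc/acme-client/certs/<uuid>" hands the
# directory to this script as $1 (assumption: the caller supplies it).

# Validate the directory configd passed in: it must exist, contain a
# non-empty fullchain.pem, and that file must start with a PEM header.
# Prints the chain path on success, a reason on stderr on failure.
check_cert_dir() {
    dir="$1"
    [ -n "$dir" ] || { echo "no certificate directory argument" >&2; return 1; }
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    chain="$dir/fullchain.pem"
    [ -s "$chain" ] || { echo "missing or empty: $chain" >&2; return 1; }
    head -n 1 "$chain" | grep -q '^-----BEGIN CERTIFICATE-----$' || {
        echo "not a PEM certificate: $chain" >&2; return 1; }
    echo "$chain"
}

# Build a constructed tree that mimics the log line from the post
# (/var/etc/acme-client/certs/<uuid>/fullchain.pem) under a temp dir.
# The certificate body is a placeholder, not real key material.
make_sample_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/certs/0000-constructed-uuid"
    printf -- '-----BEGIN CERTIFICATE-----\nMIIB...constructed placeholder...\n-----END CERTIFICATE-----\n' \
        > "$base/certs/0000-constructed-uuid/fullchain.pem"
    echo "$base/certs/0000-constructed-uuid"
}

# Stand-alone use: upload_and_restart.sh <certdir>
if [ -n "$1" ]; then
    chain=$(check_cert_dir "$1") && echo "ready to upload $chain"
fi
```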