22.1 Legacy Series / Procedure to use letsencrypt and pushing to opnsense
« on: May 12, 2022, 08:48:56 pm »
Based on this forum post: https://forum.opnsense.org/index.php?topic=15139.msg69118#msg69118, I have the following procedure which allows me to run letsencrypt on a separate server and push the certificates to opnsense 22.1.6. I haven't found an in-box way for doing this automatically... please let me know if there is an easier way.
Servers in this flow:
server: opnsense <-- runs opnsense
server: backend <-- runs letsencrypt and will push updated certs to opnsense
Steps:
Create 'letsencrypt' user on opnsense
1. backend: create a public/private keypair. The public key is added to a new user on 'opnsense' in the next step.
Code:
ssh-keygen -f ~/.ssh/opnsense-letsencrypt
2. opnsense: Add a "letsencrypt" user on opnsense: System > Access > Users
3. opnsense: Add the public key from step #1 (~/.ssh/opnsense-letsencrypt.pub) for user 'letsencrypt'
Add ability for user 'letsencrypt' to run update-cert.sh
4. opnsense: Create the file /usr/local/etc/sudoers.d/letsencrypt with:
Code:
letsencrypt ALL = NOPASSWD: /home/letsencrypt/update-cert.sh fullchain.pem privkey.pem
The above will allow the user 'letsencrypt' to run the update-cert.sh script with sudo access.
5. backend: copy the 'update-cert.sh' script attached to this message to a file 'update-cert.sh' on backend.
Review it and make sure you are happy with it. It will edit /conf/config.xml and /var/etc/cert.pem.
6. Add the update-cert.sh script to user letsencrypt's home dir on opnsense and lock it down from modification:
Code:
scp -i ~/.ssh/opnsense-letsencrypt update-cert.sh letsencrypt@opnsense:.
ssh root@opnsense chown root:wheel /home/letsencrypt/update-cert.sh
ssh root@opnsense chmod 500 /home/letsencrypt/update-cert.sh
7. Transfer your letsencrypt keys from backend to opnsense:
Code:
scp -i ~/.ssh/opnsense-letsencrypt /etc/letsencrypt/live/<your domain>/{fullchain,privkey}.pem letsencrypt@opnsense:.
8. Run update-cert.sh:
Code:
ssh -i ~/.ssh/opnsense-letsencrypt letsencrypt@opnsense sudo ./update-cert.sh fullchain.pem privkey.pem
The above rewrites /conf/config.xml to contain the new fullchain and privkey, and restarts the opnsense web GUI. It finishes by removing fullchain.pem and privkey.pem from the system. If your sudoers isn't configured correctly, the 'sudo' command will fail (prompting for a password).
On backend, I run a cron job that performs my letsencrypt updates, and then copies the new keys to letsencrypt@opnsense and runs the update-cert.sh script.
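The update-cert.sh attachment is not reproduced above, so here is a hypothetical version added as an example (not the post's own script) showing what such a script should check before it rewrites the firewall config: it runs as root through the NOPASSWD sudoers rule while the letsencrypt user controls both PEM files. It assumes config.xml keeps each element of a <cert> block on its own line with <refid> before <crt>/<prv>, that CERT_REFID is set to the web GUI certificate's refid, and that `configctl webgui restart` regenerates /var/etc/cert.pem from config.xml.

```shell
#!/bin/sh
# Hypothetical update-cert.sh (added example; not the script attached to the post).
# It runs as root via the sudoers rule, while the letsencrypt user controls the two
# PEM files, so the inputs are checked before config.xml is touched.
# Assumptions: config.xml keeps each <cert> child on its own line with <refid>
# before <crt>/<prv>; CERT_REFID names the web GUI certificate; configctl
# regenerates /var/etc/cert.pem from config.xml when the web GUI restarts.
set -eu
CONFIG="${CONFIG:-/conf/config.xml}"
CERT_REFID="${CERT_REFID:-PLACEHOLDER_REFID_OF_WEBGUI_CERT}"   # placeholder, not a real refid

# $1 = path, $2 = regex the first line must match. Rejects symlinks and non-files.
check_pem() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    head -n 1 "$1" | grep -Eq "$2"
}

b64() { base64 < "$1" | tr -d '\n'; }   # one-line base64 on both GNU and BSD

# $1 = config.xml, $2 = fullchain.pem, $3 = privkey.pem, $4 = refid.
# Swaps <crt>/<prv> only inside the <cert> block whose <refid> matches; fails if none does.
update_config_cert() {
    crt=$(b64 "$2"); prv=$(b64 "$3")
    awk -v refid="$4" -v crt="$crt" -v prv="$prv" '
        /<cert>/   { inblk = 1; hit = 0 }
        inblk && index($0, "<refid>" refid "</refid>") { hit = 1; found = 1 }
        inblk && hit && /<crt>/ { sub(/<crt>.*<\/crt>/, "<crt>" crt "</crt>") }
        inblk && hit && /<prv>/ { sub(/<prv>.*<\/prv>/, "<prv>" prv "</prv>") }
        /<\/cert>/ { inblk = 0; hit = 0 }
        { print }
        END { if (!found) exit 3 }' "$1" > "$1.new" || { rm -f "$1.new"; return 1; }
    mv "$1.new" "$1"
}

# $1 = fullchain.pem, $2 = privkey.pem, exactly as the sudoers rule pins them.
main() {
    case "$1$2" in */*) echo "refusing path components in arguments" >&2; return 1;; esac
    check_pem "$1" '^-----BEGIN CERTIFICATE-----$'   || { echo "$1: not a PEM cert" >&2; return 1; }
    check_pem "$2" '^-----BEGIN .*PRIVATE KEY-----$' || { echo "$2: not a PEM key" >&2; return 1; }
    cp -p "$CONFIG" "$CONFIG.bak"                  # rollback copy before rewriting
    update_config_cert "$CONFIG" "$1" "$2" "$CERT_REFID"
    configctl webgui restart                       # OPNsense picks up the new cert
    rm -f "$1" "$2"                                # do not leave key material in the home dir
}
if [ "$#" -eq 2 ]; then main "$1" "$2"; fi
```

The refid of the web GUI certificate can be read from the <cert> block in /conf/config.xml that carries the certificate's description; the script refuses to run if no block matches, so a wrong refid fails closed instead of writing a half-edited config.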