Messages

1

24.7 Production Series / ACME Plugin will upload certificate to only one NAS

« on: Today at 03:48:39 pm »

One of my certificates is a wildcard for multiple subdomains. When the certificate gets renewed, I have multiple automations setup to distribute the cert to three different servers using the run-command Upload certificate to Synology DSM. What happens in practice is that only one of those servers gets updated. The same server gets updated multiple times if I have multiple target devices.

Digging in some I see that when a cert is issued, files that control the process & automations get generated at /var/etc/acme-client/cert-home. For each cert you'll find a .conf file with key parameters in it like SAVED_SYNO_USERNAME, SAVED_SYNO_PASSWORD, SAVED_SYNO_HOSTNAME. It appears that multiple occurrenses of those has not been considered?

If I watch the log the plugin will say it is updating each server, calling out the automation by name. But the command that it executes is identical for each of those servers. It just keeps hitting the same one each time.

Less critical but worth a note, if I change the creds in the automation the cert-home files do NOT get updated if I launch just the automation from the webui. The automation then supplies the wrong/old credentials (confirmed by putting --debug --output-insecure on the acme.sh command). To use up to date creds I have to actually force a issue/renew on the cert.

Running OPNsense 24.7.9_1-amd64

2

24.7 Production Series / Re: is it possible to traffic shape between devices

« on: October 30, 2024, 02:48:18 pm »

Are you trying to limit speed between devices that are connected to the same switch?

3

24.1 Legacy Series / Re: Acme plugin automation to upload to synology dsm crashes opnsense

« on: February 19, 2024, 07:58:40 pm »

Thank You! I applied the 3790 patch you mention. Works like a charm 

4

24.1 Legacy Series / Re: Acme plugin automation to upload to synology dsm crashes opnsense

« on: February 19, 2024, 05:23:35 pm »

Thanks. I'm using HTTPS and a custom port too. How about you?

5

24.1 Legacy Series / Acme plugin automation to upload to synology dsm crashes opnsense

« on: February 19, 2024, 05:03:21 pm »

In the ACME Client I pick a certificate and use the run-automations tool. If that includes any Synology DSM uploads it will crash. I get the red dot and can submit a crash from the firmware. I don't see a failure in the ACME client log. Extended logging will show me /var paths for certs getting passed into the acme.sh and all those seem to checkout as valid. It fails on three different certificates and different synology hosts that were all working just recently. The user and password are correct and the user is an administrator on the synology.

I had this working like week before last. Don't know if the 2.4.1->2.4.1.1 update affected it or something else?

6

23.7 Legacy Series / Re: How do I get rid of the suffix making my FQDNs resolve incorrectly?

« on: January 05, 2024, 12:12:34 pm »

The trailing dot works thanks! Also weird that most people don't seem to need it. Joining their camp would be ideal but this moves me along some 

7

23.7 Legacy Series / How do I get rid of the suffix making my FQDNs resolve incorrectly?

« on: January 05, 2024, 11:27:25 am »

I have opnsense setup behind a AT&T fiber WAN for my home network where I have a LAN and Unbound DNS with overrides to make some public names resolve to local addresses. IPV6 not enabled. Functionally, names seem to resolve correctly, like if I ping a domain name. But it's hard to debug some things because nslookup always puts the "Connection-specific DNS Suffix" (ipconfig) on the names I give it.

For example if I nslookup google.com I get output like this:

Server:  OPNsense.<MYDOMAIN>.net
Address:  <MY LAN GATEWAY IP>

Non-authoritative answer:
Name:    google.com.<MYDOMAIN>.net
Address:  <MY PUBLIC IP>

The name is always treated like a subdomain of my opnsense domain as set at System->Settings->General->Domain. At Services->DHCPv4->lan->Domain Name I see where I can put in a override. But there seems to be no way to "override" with a blank name since leaving it blank says to use the system default name.

How do I make my Windows nslookup resolve names correctly?