Messages - mccasian

#1
Hi ProximusAl

You made my day, thank you very much. I can now update the firewall certificate in place. It still does not solve changing the Web UI certificate via the API, but once the correct certificate is selected in the UI, being able to renew it in place through the API is sufficient for me.

For anyone looking for the cURL way of updating the certificate in-place, here it is:
###
POST https://opnsense.example.com/api/trust/cert/set/<cert_uuid> HTTP/1.1
Authorization: Basic {{key}}:{{secret}}
Content-Type: application/json

{"cert":
    {
        "action":"import",
        "descr":"dummy_description",
        "cert_type":"usr_cert",
        "private_key_location":"firewall",
        "crt_payload":"-----BEGIN CERTIFICATE-----\n[...]\n-----END CERTIFICATE-----",
        "prv_payload":"-----BEGIN PRIVATE KEY-----\n[...]\n-----END PRIVATE KEY-----",
        "csr_payload":""
    }   
}


Best regards
Casian
#2
General Discussion / Re: Set WebUI Certificate via API
December 26, 2025, 11:52:33 PM
Hi

I am afraid you can't do that, not yet.
But what you can do is manually set your WebUI certificate using the UI, and then update it in place whenever you want. Use a body identical to the one for "/add", but point it to "/set/<type_here_the_uuid_you_find_with_search_request>".

###
POST https://opnsense.example.com/api/trust/cert/set/<cert_uuid> HTTP/1.1
Authorization: Basic {{key}}:{{secret}}
Content-Type: application/json

{"cert":
    {
        "action":"import",
        "descr":"testdummy3",
        "cert_type":"usr_cert",
        "private_key_location":"firewall",
        "crt_payload":"-----BEGIN CERTIFICATE-----\n[...]\n-----END CERTIFICATE-----",
        "prv_payload":"-----BEGIN PRIVATE KEY-----\n[...]\n-----END PRIVATE KEY-----",
        "csr_payload":""
    }   
}

Best regards
Casian
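The in-place renewal described in the two posts above, as an added Python example that is not part of the original posts or of OPNsense's own code: it builds the same POST to `/api/trust/cert/set/<cert_uuid>` with the same body fields and base64-encodes `key:secret` for the Basic header, which REST clients do implicitly. The function names, the UUID format check and the single-PEM-block check are this example's own assumptions.

```python
import base64
import json
import re
import urllib.request

# One PEM block whose BEGIN and END labels agree (single block is this example's assumption).
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s+[A-Za-z0-9+/=\s]+-----END \1-----")


def check_pem(text, label_suffix):
    """Return text if it is one PEM block whose label ends with label_suffix."""
    m = PEM_RE.fullmatch(text.strip())
    if not m or not m.group(1).endswith(label_suffix):
        raise ValueError(f"expected one PEM block of type {label_suffix}")
    return text.strip() + "\n"


def build_cert_update(base_url, cert_uuid, key, secret, descr, crt_pem, prv_pem):
    """Build (not send) the POST that replaces certificate cert_uuid in place."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("refusing to send a private key over a non-HTTPS URL")
    # Assumption: UUIDs are 36 characters of hex digits and dashes.
    if not re.fullmatch(r"[0-9a-fA-F-]{36}", cert_uuid):
        raise ValueError("cert_uuid does not look like a UUID")
    body = {"cert": {
        "action": "import",
        "descr": descr,
        "cert_type": "usr_cert",
        "private_key_location": "firewall",
        "crt_payload": check_pem(crt_pem, "CERTIFICATE"),
        "prv_payload": check_pem(prv_pem, "PRIVATE KEY"),
        "csr_payload": "",
    }}
    # HTTP Basic auth on the wire is base64("key:secret").
    token = base64.b64encode(f"{key}:{secret}".encode()).decode()
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/api/trust/cert/set/{cert_uuid}",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Basic {token}", "Content-Type": "application/json"},
        method="POST",
    )


if __name__ == "__main__":
    # Constructed sample values; the PEM bodies are placeholders, not real material.
    crt = "-----BEGIN CERTIFICATE-----\nTUlJQ2V4YW1wbGU=\n-----END CERTIFICATE-----"
    prv = "-----BEGIN PRIVATE KEY-----\nTUlJRXhhbXBsZQ==\n-----END PRIVATE KEY-----"
    uuid = "00000000-0000-0000-0000-000000000000"
    req = build_cert_update("https://opnsense.example.com", uuid, "KEY", "SECRET", "dummy_description", crt, prv)
    print(req.get_method(), req.full_url)
```

To send the request, pass it to `urllib.request.urlopen` with the default TLS verification left on, since the body carries the private key.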
#3
Hi, thanks. I'll remind you about it :)


May I ask, are your scripts using the API only, or are you doing it the PHP way?

Thx.

McCasian
#4
Hi

I am looking for that too. Unfortunately I still have no answer.
According to the API reference (here: OPNsense API Reference), there should be the action "set", which my intuition says is "setting a certificate to a certain status/value". AI suggested that, in order to update an existing certificate, I should send a POST request identical to the "add" one, but simply send it to https://<my_opnsense>/api/trust/cert/set/<uuid_of_the_existing_cert>. I've tried that, and many other combinations like a uuid field in the body or in the URL in a PHP fashion (?uuid=<uuid_of_the_existing_cert>), but nothing worked.

I am out of clues after exhausting all I could get from Google and AI.
#5
High availability / Re: Problem with pfSync
September 20, 2024, 07:39:51 PM
Hello there,

Although the problem is solved for you, more people will visit this thread looking for a solution to this problem, therefore I want to raise another important aspect which can prevent the sync between the firewalls.

Please be aware that in order for the sync to work properly, the slave machine must have the interface used for pfSync on the list of interfaces where the WebGUI is listening: System -> Settings -> Administration -> Listen Interfaces (under Web GUI). Although the master can ping the slave and the FW is not blocking anything, without port 443 being open on the pfSync interface on the slave, it will simply not be able to connect.

before:
Error:/usr/local/etc/rc.filter_synchronize: An error occurred while attempting XMLRPC sync with username root and https://10.9.8.3/xmlrpc.php fetch error. remote host down?
nc -vz 10.9.8.3 443
nc: connect to 10.9.8.3 port 443 (tcp) failed: Connection refused

after:
nc -vz 10.9.8.3 443
Connection to 10.9.8.3 443 port [tcp/https] succeeded!
Notice:/usr/local/etc/rc.filter_synchronize: Filter sync successfully completed with https://10.9.8.3/xmlrpc.php.

That solved the problem for me.