Messages - insipx

#1
Figured it would be nice to have a step-ca plugin, so I went down the rabbit hole and made it: https://github.com/insipx/os-step-ca
Intentionally kept simple (anything more complicated or requiring anything other than `https-01` challenges should use the acme.sh plugin). Hoping to upstream to opnsense/plugins eventually whenever I have some free minutes. This plugin is configurable with step-ca short-lived certificates and will renew with the `--expires-in` flag. So, setting `--expires-in` to `4h` will renew a cert when it expires in 4h, no matter whether the cert lives for 6, 12, 16 or 24 hours. It is only meant for a single cert/web GUI cert, however.

The installation is a bit tedious currently because there's no repo hosting it.
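The renewal rule described in the post (renew once remaining validity drops below a fixed window, whatever the cert's total lifetime) is worth seeing as code, because the interaction between the window and the interval of the job that checks it is where short-lived certs bite. The following is an added example, not code from the os-step-ca plugin, OPNsense or step-ca: it implements the duration form of an `--expires-in` check (the step CLI's own `step certificate needs-renewal` also accepts a percentage, which is not modelled here), using Go-style duration strings. Function names, the cron simulation and all timestamps are constructed for illustration.

```python
"""Renewal-window logic for short-lived certificates.

Added example, not code from the os-step-ca plugin, OPNsense or step-ca.
It models the `--expires-in` behaviour described in the post: a certificate
is renewed once its remaining validity drops below a fixed duration, whatever
its total lifetime. Duration strings use Go's time.ParseDuration syntax
("4h", "90m", "1h30m"), which is what the step CLI accepts; function names,
the check-interval simulation and all timestamps below are constructed for
illustration.
"""
import re
from datetime import datetime, timedelta, timezone

_UNITS = {"ns": 1e-9, "us": 1e-6, "ms": 1e-3, "s": 1.0, "m": 60.0, "h": 3600.0}
_TOKEN = re.compile(r"(\d+(?:\.\d+)?)(ns|us|ms|s|m|h)")


def utc(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp such as '2024-01-01T00:00:00' as UTC."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def parse_duration(text: str) -> timedelta:
    """Parse a Go-style duration ('4h', '30m', '1h30m').

    Rejects empty strings, unknown units (there is no 'd') and trailing
    garbage, so a typo in the renewal setting fails loudly instead of
    silently becoming a zero-length window.
    """
    pos, seconds = 0, 0.0
    for m in _TOKEN.finditer(text):
        if m.start() != pos:
            raise ValueError(f"bad duration: {text!r}")
        seconds += float(m.group(1)) * _UNITS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(text):
        raise ValueError(f"bad duration: {text!r}")
    return timedelta(seconds=seconds)


def is_valid_duration(text: str) -> bool:
    """Validation helper for a settings field that holds the window."""
    try:
        parse_duration(text)
        return True
    except ValueError:
        return False


def needs_renewal(not_before: datetime, not_after: datetime,
                  expires_in: str, now: datetime) -> bool:
    """True when the certificate should be renewed at `now`.

    The trigger is `not_after - expires_in`, independent of lifetime: with
    '4h', a 6h cert renews 2h after issuance and a 24h cert 20h after.
    A window at or above the whole lifetime would make every check renew,
    so it is rejected as a misconfiguration rather than looped on.
    """
    window = parse_duration(expires_in)
    lifetime = not_after - not_before
    if window >= lifetime:
        raise ValueError(f"--expires-in {expires_in} is not shorter than "
                         f"the {lifetime} certificate lifetime")
    return now >= not_after - window


def simulate_cron(issued: datetime, lifetime_h: int, expires_in: str,
                  check_every_h: int):
    """Walk a periodic renewal job and return (renew_at, already_expired).

    The job first runs `check_every_h` hours after issuance and then every
    `check_every_h` hours. `already_expired` is True when the first check
    that triggers renewal falls at or after notAfter, i.e. the job interval
    is too coarse for the chosen window and an expired cert was served.
    """
    not_after = issued + timedelta(hours=lifetime_h)
    t = issued + timedelta(hours=check_every_h)
    while not needs_renewal(issued, not_after, expires_in, t):
        t += timedelta(hours=check_every_h)
    return t, t >= not_after
```

The practical check this exposes: the renewal job must run more often than the `--expires-in` window is wide. A 6h certificate with a 4h window and a job that only runs every 6h is renewed on the first check, but by then the certificate has already lapsed; the same window with an hourly job renews at the 2h mark with 4h to spare.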
#2
Hello! Just wanted to chime in here because I also ran into this exact issue. I run a local step-ca certificate authority which issues certificates with a lifetime of 24 hours, but OPNsense will not allow me to renew in that time period.

I also found this related GitHub issue concerning short-lived certificates: https://github.com/opnsense/plugins/issues/4572#issuecomment-2736540768

It's closed, but it doesn't seem like the issue was resolved. It feels like an option in the acme plugin/checkbox on a certificate that allows setting a "force renew" would solve this, but I'm not aware of other issues that might cause?

Increasing the lifetime is certainly a solution. Maybe I'm just being stubborn about following the "best practice" outlined by step-ca, but it feels worth it to me.

My acme log for reference, after trying to manually renew my certificates (in the latest version of the acme plugin, the manual buttons on the right also don't seem to work, but that's a separate issue). At the very least, it feels like manual renew should have a "force" option: