Messages - skywalker007

#1
Can I run my own automation script in the acme plugin? It seems to only have a list of commands to choose from.
thanks! Till
#2
I actually got this working by using trust/cert/get
#3
Thank you Cedrik, this was a good hint.
It actually pointed me towards the generate_file action that can (according to the browser session dump) generate crt, prv and pkcs12 files.
However there are two things to notice:
- The documentation says it requires POST while the browser session uses GET
- Neither does work with cURL. CSRF issue? I only get {"status":"failed"} as a response.
Has anyone ever tried this outside of an authenticated browser session?

Thanks for your help and kind regards, Till
#4
Hi,
according to the docs:
https://docs.opnsense.org/development/api/core/trust.html
There is a raw_dump function. I assume it can be used to export a full certificate incl private key?
When I try to use it, it returns 404.
Does it exist?
I have a dedicated "api" user with the privileges: "System: Certificate Manager"
I have successfully tested it and parsed out the UUID by using:
CERT_UUID=$(curl -s -u "$API_KEY:$API_SECRET" "$HOST/api/trust/cert/search" | jq -r '.rows[] | select(.commonname == "<my common name>") | .uuid')
Now when I run:
curl -v -u "$API_KEY:$API_SECRET" "$HOST/api/trust/cert/raw_dump?uuid=$CERT_UUID"
it returns 404.
Any hint?
I am running on 25.1.10.

thank you!
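As an added example tied to posts #3 and #4 above (not code from the thread or from the OPNsense project), here is the search-and-select step from #4 done in Python with only the standard library, applying the same exact match on commonname as the jq filter, and rejecting the {"status":"failed"} object that #3 reported coming back from other trust actions. Assumed: the search response shape with a "rows" list carrying "uuid" and "commonname" (the fields the jq filter in #4 relies on); the environment variable names OPNSENSE_HOST, OPNSENSE_KEY, OPNSENSE_SECRET and OPNSENSE_CAFILE; and the sample response, which is constructed, not captured from a firewall. The endpoint for downloading the certificate itself is deliberately not hard-coded, since the thread does not settle which one works.

```python
"""Look up a certificate UUID in the OPNsense trust store by common name.

Added example, not code from the thread or from the OPNsense project. It
assumes only what the posts show: /api/trust/cert/search answers with a JSON
object holding a "rows" list whose entries carry "uuid" and "commonname", and
some trust actions answer HTTP 200 with {"status": "failed"} when they refuse
a request.
"""
import base64
import json
import os
import ssl
import sys
import urllib.request

# Constructed sample of a search response; not captured from a real firewall.
SAMPLE_SEARCH_RESPONSE = {
    "rows": [
        {"uuid": "1c5b9a2e-0000-4000-8000-000000000001", "commonname": "vpn.example.org"},
        {"uuid": "1c5b9a2e-0000-4000-8000-000000000002", "commonname": "web.example.org"},
        {"uuid": "1c5b9a2e-0000-4000-8000-000000000003", "commonname": "web.example.org"},
    ],
    "rowCount": 3,
    "total": 3,
    "current": 1,
}


class TrustApiError(RuntimeError):
    """Raised when the trust API refuses a request or the result is unusable."""


def check_status(payload):
    """Reject the API's generic failure object.

    Post #3 saw {"status":"failed"} arrive with an otherwise normal response,
    so checking only the HTTP status code would mistake refusal for success.
    Returns the payload unchanged when it is not a failure object.
    """
    if isinstance(payload, dict) and payload.get("status") == "failed":
        raise TrustApiError(f"trust API reported failure: {payload}")
    return payload


def find_cert_uuid(search_response, common_name):
    """Return the UUID of the single certificate whose commonname matches exactly.

    Zero matches and ambiguous matches both raise: a renewal pipeline that
    silently picks the first of several same-named certificates may hand the
    wrong key pair to a downstream service.
    """
    rows = check_status(search_response).get("rows", [])
    matches = [row["uuid"] for row in rows if row.get("commonname") == common_name]
    if not matches:
        raise TrustApiError(f"no certificate with commonname {common_name!r}")
    if len(matches) > 1:
        raise TrustApiError(
            f"{len(matches)} certificates share commonname {common_name!r}; "
            "pick one by uuid instead"
        )
    return matches[0]


def api_get(host, key, secret, path, cafile=None):
    """GET an OPNsense API path with API key/secret basic auth; return parsed JSON.

    TLS verification stays on. For a firewall with a self-signed or private-CA
    certificate pass cafile instead of disabling verification, because the
    responses of this API family may carry private key material.
    """
    url = host.rstrip("/") + path
    token = base64.b64encode(f"{key}:{secret}".encode()).decode()
    request = urllib.request.Request(
        url, headers={"Authorization": f"Basic {token}", "Accept": "application/json"}
    )
    context = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(request, context=context, timeout=15) as response:
        return check_status(json.loads(response.read().decode("utf-8")))


if __name__ == "__main__":
    # With OPNSENSE_HOST/OPNSENSE_KEY/OPNSENSE_SECRET set (assumed names), query a
    # live firewall; otherwise run against the constructed sample so it works offline.
    cn = sys.argv[1] if len(sys.argv) > 1 else "vpn.example.org"
    host = os.environ.get("OPNSENSE_HOST")
    if host:
        data = api_get(host, os.environ["OPNSENSE_KEY"], os.environ["OPNSENSE_SECRET"],
                       "/api/trust/cert/search", cafile=os.environ.get("OPNSENSE_CAFILE"))
    else:
        data = SAMPLE_SEARCH_RESPONSE
    try:
        print(find_cert_uuid(data, cn))
    except TrustApiError as exc:
        sys.exit(f"error: {exc}")
```

Run it as `python3 find_cert.py web.example.org` against the sample and it refuses, because two rows share that common name; `vpn.example.org` yields a single UUID. The same selection rule applied in the jq one-liner from #4 would silently emit both UUIDs into CERT_UUID.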
#5
I had a couple of situations recently where my firewall got very unresponsive on some services incl the Web UI. Logging into the Web UI then takes up to a minute.
The only thing that helped getting back to normal was a reboot. How can I diagnose what's going on?
Some logs on the CLI which I could monitor when it happens?
The system is an Atom CPU C3558 @ 2.20GHz (4 cores, 4 threads) with 64 GB RAM and a ZFS mirrored boot device, latest version installed, all updates.
It does run Zenarmor and I have seen mongod consuming quite some CPU cycles, but normally that isn't an issue.
Any hint on how to track this down next time it happens is appreciated.
TIA!
#6
Anyone got a hint for me?
I use the ACME client to manage a number of certificates.
I would like to have an automation that sends me an email when a particular certificate has been renewed.
Any idea how to do that?
I thought about using monit in any way for that but have no clue how.
Thanks for any hint.
-Till
#7
Quote from: meyergru on November 22, 2024, 01:26:39 PM
That works in theory, but normally the ISP has to cooperate by registering the ONT ID on their side. Normally only the ID of the supplied ONT is stored. Because of the freedom to choose your own terminal equipment, ISPs are required to allow this, but they do so very reluctantly.

It is also problematic because you then have no backup (Highlander rule: there can be only one). It works better if you can read out the ID of the original ONT, but with DG that may not be possible, depending on the rollout area and the installed technology.

Another disadvantage: DG only provides support for its own equipment.

In my opinion it's not worth the hassle.
Good point.
#8
As a side note: c't recently had an article on how to use a Zyxel PMG3000 with OpenWrt on a Telekom fibre connection. It is an SFP-slot modem. It might also work under OPNsense and on other fibre connections. I found it quite attractive that you don't need an additional external modem.
#9
That doesn't look related to my problem. Did you check you can resolve these addresses?
I can:
> set q=AAAA
> mirror.sfo12.us.leaseweb.net
Server: 2003:e6:7744:8501:242:43ff:feae:1c
Address: 2003:e6:7744:8501:242:43ff:feae:1c#53

Non-authoritative answer:
mirror.sfo12.us.leaseweb.net has AAAA address 2605:fe80:2100:b001::5187

So it might be a DNS problem on your end.
#10
24.1, 24.4 Legacy Series / DynDNS - native client
February 12, 2024, 12:13:39 PM
When I change from ddclient to native client, do I need to recreate all host records? Because the logs still show "ddclient" as process being used.
Thanks!
#11
I think I have been spoiled by all the smooth upgrades I had in the past. This time it was all but smooth.
The server went unresponsive multiple times (had to hard-reboot), web gui not responding, LAN interface got unresponsive after a few minutes being up. I finally have it running now, but still occasionally can't connect to the web UI.
I have submitted a crash report. What else can I do to help?

I also now have this error message popping up in backend log every hour:
[07bbd436-4c8f-446a-9205-24455d9ba5f5] Script action stderr returned "b'Traceback (most recent call last):\n File "/usr/local/opnsense/scripts/OPNsense/Zenarmor/sensei-db-version.py", line 11, in <module>\n from packaging import version\nImportError: cannot import name \'version\' from \'packaging\' (unknown location)'"
Is Zenarmor fully supported with this release?
Thank you for your great work!
#12
23.7 Legacy Series / API access to certificate store
February 01, 2024, 10:36:23 AM
I think this has been asked before (can't find the thread anymore) but maybe something has changed:
Is there any plan to support API access to the certificate store? I would love to utilise the acme plugin to manage all my certificates, not only those used on the firewall. But then I need some automated way to retrieve them after renewal.
Is there any workaround? Maybe someone has a shell script that exports the certificate locally and then I can scp it from the machine?
Thanks! Till
#13
General Discussion / phpIPAM API integration
November 17, 2023, 12:49:02 PM
Has anyone already done some phpIPAM integration into OPNsense? Both tools have open APIs.
I wonder if I could build something like:
- creating a new device with a static IP in phpIPAM will automatically create a DHCP entry in OPNsense for the static v4 IP.
Anyone?
Thanks!
#14
General Discussion / DNS0.EU - anyone?
March 02, 2023, 10:48:50 AM
Did anyone already look into the newly launched DNS0.EU initiative? Sounds like a good European alternative to NextDNS or the like. -Till
#15
I run the same constellation (Deutsche Telekom, Vigor, OPNsense) and I have the same issue.
You can't blame OPNsense for the unstable PPPoE connection because it is the Vigor dropping it. And yes, I have tested the Speedport and it is more stable. I had tickets open with Vigor and tested several firmware releases with varying success, but never solved it completely.
That IPv6 is not established after a reconnect is indeed, in my opinion, an OPNsense issue. And I feel it is a timing issue, because when I manually force a reload of the PPPoE connection, IPv6 works perfectly.
The only thing that would be needed in my opinion, is some task that monitors if IPv6 addresses are assigned after PPPoE is up and if not bounce the connection again and re-establish.
I wonder if that can be done via monit?