General Discussion / How can you force the Acme.sh Client Plugin to run via cron?
« on: May 16, 2023, 08:47:22 pm »
I have the Acme Client plugin, I installed it following this tutorial:
https://forum.opnsense.org/index.php?topic=23339.0
It works fine with one caveat. I am not running a "normal" 90 day letsencrypt sort of cert. Instead, I am running a SmallStep CA of my own on a Raspberry Pi. This means my certificates only last 24 hours. (Passive Revocation)
Details Here:
https://smallstep.com/blog/build-a-tiny-ca-with-raspberry-pi-yubikey/
On my other systems, I force acme.sh to run with the --force flag (or I use certbot); this way, I can update the certificate every 10 hours.
For the Acme Plugin for OPNsense, it refuses to renew my certificate based on the cron job because it assumes it does not need to, as it ran less than 10 hours prior. For my TrueNAS (BSD based) system, I just changed the acme.sh parameters to include the "--force" flag, and it now runs as expected via cron.
The acme plugin for OPNsense does not appear to do that - or does not give me a way to handle that. I can't seem to figure out where to add flags in the GUI. I could go to the shell and edit this - but that feels like a kludge, and I am not sure if plugin updates will maintain any changes I would make.
When I try to trigger the cron job to update the certificate I get:
- 2023-05-16T10:00:00-07:00 opnsense AcmeClient: issue/renewal not required for certificate: opnsense.home.lan
It should be possible to add the --force flag to the acme plugin.
Does anyone know how to do that?
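The cron-plus-`--force` approach the post describes for a standalone acme.sh host, as an added example (not from the original post and not the OPNsense plugin's own code): it forces a renewal only when the certificate's remaining lifetime drops below a threshold, so an hourly cron job renews a 24-hour certificate on time without reissuing on every run. The function names, the `ACME_SH` variable, the certificate path argument and the 14-hour threshold are assumptions.

```shell
#!/bin/sh
# Added example: lifetime-based forced renewal for short-lived certificates.
# Assumed names: cert_due, renew_if_due, ACME_SH. Threshold is illustrative.

# Path to the acme.sh client; override for non-default installs.
ACME_SH="${ACME_SH:-acme.sh}"

# cert_due CERT_PEM MIN_SECONDS_LEFT
# Returns 0 (due) when the certificate is missing, unreadable, unparsable,
# or will expire within MIN_SECONDS_LEFT. Returns 1 otherwise.
cert_due() {
    cert="$1"
    min_left="$2"
    [ -r "$cert" ] || return 0
    # openssl -checkend exits 0 if the cert is still valid N seconds from now.
    if openssl x509 -noout -checkend "$min_left" -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# renew_if_due DOMAIN CERT_PEM MIN_SECONDS_LEFT
# Calls acme.sh with --force only when cert_due says the cert needs it,
# bypassing acme.sh's own "next renewal time" check.
renew_if_due() {
    domain="$1"
    cert="$2"
    min_left="$3"
    if cert_due "$cert" "$min_left"; then
        "$ACME_SH" --renew -d "$domain" --force
    else
        echo "skip: $domain has more than ${min_left}s of validity left"
    fi
}

# When run as a script with three arguments, act on them, e.g. from cron:
#   0 * * * * /path/to/this-script opnsense.home.lan /path/to/cert.pem 50400
# (50400 s = 14 h: a 24 h certificate is renewed once it is ~10 h old.)
if [ "$#" -eq 3 ]; then
    renew_if_due "$@"
fi
```

Failing toward renewal when the certificate file is missing or unparsable keeps a broken deployment from silently running past the 24-hour expiry.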

