Import certificates by command line?

Started by Tattoofreak, January 27, 2022, 03:53:52 PM

As I have an external certificate server I would like to avoid using the ACME plugin. To automate the import of renewed certificates, I have found this topic:
https://forum.opnsense.org/index.php?topic=15139.0
Seems like it could be a hassle (if not now, maybe in the future) using that provided script.
There must be a way to import a renewed certificate via command line, right? If it's possible via GUI it's possible via command line too. My question is: How? Any OPNsense expert knows how to do this?

Thank you!

I've crafted a script for cert distribution which covers OPNsense: https://github.com/bartsmit/distcerts

Bart...

January 28, 2022, 10:31:56 AM #2 Last Edit: January 28, 2022, 10:40:19 AM by Tattoofreak
That's great, thanks!
Unfortunately it does not work yet.
The php script puts the following message:

The certificate subject does not match the hostname <opnsense.mydomain.com>
CN=mydomain.com

My certificate is indeed a wildcard certificate so this should work, shouldn't it?

Quote from: Tattoofreak on January 28, 2022, 10:31:56 AM
That's great, thanks!
Unfortunately it does not work yet.
The php script puts the following message:

The certificate subject does not match the hostname <opnsense.mydomain.com>
CN=mydomain.com

My certificate is indeed a wildcard certificate so this should work, shouldn't it?
Yes, absolutely.

Is the opnsense-import-certificate.php in the same directory on the firewall where you are running the script from?
Are you root on the firewall?
Did you chmod 755 both scripts?

Yes, everything is within the /root directory in opnsense (I have also tried to run the PHP script directly on the opnsense command line with root user, btw.)

As I have already set up an acme.sh script on my own certificate server I am only using the script from here:
https://github.com/pluspol-interactive/opnsense-import-certificate

Just for clarification: my script to get the certificate looks like this:
#!/bin/sh
/root/.acme.sh/acme.sh --accountemail "foo@bar.com" --issue --dns dns_gandi_livedns -d '*.myDomain.com' -d myDomain.com


The certificate works great with all my public webservices.

Do you see any issues the way I am doing it?

Maybe the problem is that I have two domains within a single certificate? Could this confuse the php script?

e.g.

*.myDomain.com
myDomain.com

Quote from: Tattoofreak on January 28, 2022, 12:21:13 PM
Maybe the problem is that I have two domains within a single certificate? Could this confuse the php script?

e.g.

*.myDomain.com
myDomain.com


No, definitely not - all Let's Encrypt wildcards have both.

Do you have the fullchain.pem and privkey.pem files in the directory as well?

January 28, 2022, 03:12:36 PM #7 Last Edit: January 28, 2022, 03:40:55 PM by Tattoofreak
I have the cert.pem and the privkey.pem inside the /root directory.
I have also tried to use the fullchain.pem instead of cert.pem but that also has the same result.

Edit: I don't have to import the certificate manually first via the GUI once, do I? Because currently there's only the default self-signed certificate installed. I guess the script is not only to update but also to import certificates from scratch, right?

Edit 2: Just FYI, my config in
System --> Settings --> General
is the following:

Hostname: opnsense
Domain: <mydomain.com>


Should be correct?

The script should import the cert regardless of any being manually set up. I see them in my trust section with a description like "Certificate added to opnsense through opnsense-import-certificate.php on <date>"

The Authorities section only has my OpenVPN CA cert in it.

My system, settings, general shows the same pattern; single word hostname and the domain from my LE wildcard.

That's very odd. I really cannot imagine what the problem is. I can only guess that maybe the "-" symbol in my domain name (my-domain.com) could be an issue.
Are you on the latest opnsense release 22.1 too?

No, I always wait a few days - upgrade scheduled for the weekend

January 28, 2022, 08:38:54 PM #11 Last Edit: January 29, 2022, 05:40:18 AM by Tattoofreak
Well maybe you are willing to test and report back after you have upgraded, that would be helpful.
Thank you so far for your help, very appreciated mate!

Upgrade was flawless with the LE cert coming across without issues.

You could import your cert manually for now and revisit once I've been through a refresh cycle.

Alright. I have imported the wildcard certificate manually via the GUI, which worked flawlessly. The wildcard certificate is also served without any hiccup when connecting to opnsense via its hostname opnsense.mydomain.com.
It's just the PHP script not working somehow. Even now after importing the certificate manually the PHP script does still give me the same issue.
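The "certificate subject does not match the hostname" message in this thread comes down to how an import check matches a wildcard name: a comparison against the CN alone (CN=mydomain.com) can never cover opnsense.mydomain.com, while the subjectAltName entry *.mydomain.com does. The following is an added example, not code from the thread or from the opnsense-import-certificate project, implementing RFC 6125-style hostname matching over the CN plus SAN dNSNames; the certificate names and hostnames are constructed to mirror the ones discussed above.

```python
from typing import Iterable, Tuple


def hostname_matches(hostname: str, presented: str) -> bool:
    """Return True if a single presented name (CN or dNSName SAN) covers
    hostname under RFC 6125 rules: case-insensitive comparison, a wildcard
    only as the entire left-most label, matching exactly one label, and
    never matching the base domain itself."""
    host = hostname.lower().rstrip(".")
    name = presented.lower().rstrip(".")
    if "*" not in name:
        return host == name
    labels = name.split(".")
    # Reject "op*.example.com", "*.com" and wildcards in non-leading labels.
    if labels[0] != "*" or len(labels) < 3 or any("*" in l for l in labels[1:]):
        return False
    host_labels = host.split(".")
    # "*.mydomain.com" covers opnsense.mydomain.com but not a.b.mydomain.com
    # and not the apex mydomain.com (label counts differ in both cases).
    if len(host_labels) != len(labels):
        return False
    return host_labels[1:] == labels[1:]


def certificate_covers_host(cn: str, sans: Iterable[str],
                            hostname: str) -> Tuple[bool, str]:
    """Check dNSName SANs first, as TLS clients do; fall back to the CN only
    when the certificate carries no SANs at all. Returns (matched, detail)."""
    names = list(sans) or [cn]
    for name in names:
        if hostname_matches(hostname, name):
            return True, name
    return False, f"no name in {names} covers {hostname}"


if __name__ == "__main__":
    # Constructed values modelled on the thread: a Let's Encrypt wildcard
    # whose CN is the bare domain and whose SANs carry both names.
    cn, sans = "mydomain.com", ["*.mydomain.com", "mydomain.com"]
    firewall = "opnsense.mydomain.com"
    # CN-only comparison reproduces the error seen in the thread.
    print("CN only:", hostname_matches(firewall, cn))          # False
    # SAN-aware comparison accepts the wildcard.
    print("CN + SAN:", certificate_covers_host(cn, sans, firewall))
    # A hyphen in the domain makes no difference to the match.
    print("hyphen:", hostname_matches("opnsense.my-domain.com",
                                      "*.my-domain.com"))      # True
```

The names to feed in can be read from the real file with `openssl x509 -in cert.pem -noout -subject -ext subjectAltName`.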