Powershell script for downloading Let's encrypt certificate

Started by thegundalf, October 29, 2018, 01:00:46 PM

Hi everybody,

based on the thread https://forum.opnsense.org/index.php?topic=8865 I've written a PowerShell script which downloads and converts the given domain certificate for you.
It has the following dependencies:
The script needs the following mandatory parameters:

  • -CertificateDomain YOURDOMAIN
  • -Router IPORHOSTNAMEOFOPNSENSE
  • -SCPUsername YOURUSER (Default value is root)
  • -SCPPassword YOURPASSWORD
  • -Port YOURSSHPORT (Default value is 22)
  • -Keyfile PATHTOYOURSSHKEYFILE
  • -CertificatePassword CERTPASSWORD (password set for the pfx certificate)
  • -Out FILENAMEOFCERTIFICATE (Default value is the given domain)
  • -Path YOURPATH (if not set, outputs the certificate in the current folder)
Example usage:
Sync-Cert -CertificateDomain tld.contoso.com -Router 192.168.0.1 -SCPUsername root -SCPPassword opnsense -CertificatePassword opnsense
This will connect to the opnSense firewall at 192.168.0.1 with the username root and the password opnsense.
After the connection it will transfer the fullchain.cer and the tld.contoso.com.key files from the directory /var/etc/acme-client/home/tld.contoso.com/ and convert them using OpenSSL into the PKCS12 format, protecting the certificate with the password opnsense and saving it as tld.contoso.com.pfx in the current directory.

The script is available as gist at https://gist.github.com/Maahaax/0c1a69ffa7e3478c5992f20ae0a194e0

Best regards and thank you so much for this great piece of software named opnSense!

Max

I would not recommend that because the acme-sh documentation explicitly says that the path should be taken from the output and you should not expect it to stay the same after an update. It would be better if you export it from /conf/config.xml where a stable API is possible.

Hi Fabian,

thank you for your feedback! I will play around with your method and update the script.
Please correct me if I'm wrong:
I grab the config.xml and parse it, reading the path /opnsense/OPNsense/AcmeClient/certificates
and find the entry by /opnsense/OPNsense/AcmeClient/certificates/certificate/name to get the certRefId.
The certRefId is used in the path /opnsense/cert to get the crt and the prv values and also the caref as CertRefId for the CA certificate.

Afterwards, convert and combine the crt-values and tadaa, complete cer-file for further conversions.

Best regards,

Max
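The config.xml lookup Max outlines above, as an added example in Python (this is not Max's PowerShell script and not OPNsense's own code): it resolves the ACME entry by name to its certRefId, reads crt and prv from /opnsense/cert, and follows caref to the CA. It assumes crt/prv values are stored as base64-encoded PEM and that CA entries live under /opnsense/ca with the same refid/crt layout; the embedded config.xml is a constructed, trimmed sample.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed placeholder PEM bodies; OPNsense stores crt/prv as base64 of the PEM text.
CA_PEM = "-----BEGIN CERTIFICATE-----\nFAKE-CA\n-----END CERTIFICATE-----\n"
LEAF_PEM = "-----BEGIN CERTIFICATE-----\nFAKE-LEAF\n-----END CERTIFICATE-----\n"
KEY_PEM = "-----BEGIN PRIVATE KEY-----\nFAKE-KEY\n-----END PRIVATE KEY-----\n"

def _b64(pem: str) -> str:
    return base64.b64encode(pem.encode()).decode()

# Constructed, heavily trimmed config.xml with only the elements the lookup touches.
SAMPLE_CONFIG = f"""<opnsense>
  <ca><refid>ca01</refid><descr>Fake ACME CA</descr><crt>{_b64(CA_PEM)}</crt></ca>
  <cert><refid>cert01</refid><descr>tld.contoso.com</descr><caref>ca01</caref>
    <crt>{_b64(LEAF_PEM)}</crt><prv>{_b64(KEY_PEM)}</prv></cert>
  <OPNsense><AcmeClient><certificates>
    <certificate uuid="placeholder"><name>tld.contoso.com</name><certRefId>cert01</certRefId></certificate>
  </certificates></AcmeClient></OPNsense>
</opnsense>"""

def _pem(node: ET.Element) -> str:
    # Decode a base64-wrapped PEM value exactly as config.xml stores it.
    return base64.b64decode(node.text.strip()).decode()

def _find_by(root: ET.Element, path: str, field: str, value: str):
    # First element under `path` whose child `field` has text == value, else None.
    return next((e for e in root.findall(path) if e.findtext(field) == value), None)

def export_cert(config_xml: str, domain: str) -> dict:
    """Resolve an ACME certificate by name and return its PEM material."""
    root = ET.fromstring(config_xml)  # root element is <opnsense>
    # 1. /opnsense/OPNsense/AcmeClient/certificates/certificate with matching <name>
    entry = _find_by(root, "OPNsense/AcmeClient/certificates/certificate", "name", domain)
    if entry is None:
        raise KeyError(f"no ACME certificate named {domain!r}")
    ref = entry.findtext("certRefId")
    # 2. /opnsense/cert with the same <refid>: leaf certificate and private key
    cert = _find_by(root, "cert", "refid", ref)
    if cert is None:
        raise KeyError(f"certRefId {ref!r} has no /opnsense/cert entry")
    chain = [_pem(cert.find("crt"))]
    # 3. <caref> names the issuing CA; assumed to live under /opnsense/ca with the same layout
    caref = cert.findtext("caref")
    ca = _find_by(root, "ca", "refid", caref) if caref else None
    if ca is not None:
        chain.append(_pem(ca.find("crt")))
    # The prv value is the private key: handle the result like the SCP password, not like a log.
    return {"refid": ref, "fullchain": "".join(chain), "key": _pem(cert.find("prv"))}
```

The returned fullchain and key strings can be written to files and handed to the same OpenSSL PKCS12 conversion the original script already performs, so nothing depends on the acme.sh home directory layout.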