Topic: Certificate management (CLI/API) (Read 6333 times)
toms
Newbie
Posts: 2
Karma: 0
Certificate management (CLI/API)
«
on:
March 19, 2018, 11:59:21 am »
Hi all,
We're in the process of altering our internal certificate renewal but I'm trying to grasp the best way of doing this (programmatically). Looking through plugins/acme-client (which we also use) I've found the (plugin's) certhelper.php that wraps around (core's) system_certmanager.php.
As that is still PHP and not API exposed, what would be the best way to upload new certificates? (programmatically - which might be a shell script on the firewall if curl isn't feasible)
Before asking, we'd like to do central management of the certificates instead of manually on multiple OPNsense physical appliances and a couple of virtual instances. So running acme-client on each and every box (and this is beyond only OPNsense as it includes some other services like webservers and SSL offloaders) is not an option.
Would (in some form) calling the acme-client's certhelper.php be an idea, should we (partially) change that functionality to provide our own API (which I'm happy to reshare for obvious OS-reasons) - or is there something already out there that would do this? (Again, using acme-client is not acceptable as we also still have other CAs involved - we are really looking into renewing certificates programmatically).
Kind regards,
Tom
fabian
Hero Member
Posts: 2769
Karma: 200
OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: Certificate management (CLI/API)
«
Reply #1 on:
March 19, 2018, 06:14:31 pm »
Legacy pages are hard to use with other clients than the Web interface.
As a workaround you can write something like this:
https://github.com/fabianfrz/scripts/blob/master/OPNsense/backup_over_http.rb
Please note that the CSRF token is hard to handle in a shell script.
toms
Newbie
Posts: 2
Karma: 0
Re: Certificate management (CLI/API)
«
Reply #2 on:
March 20, 2018, 11:14:46 pm »
Hi fabian,
Seems to work to upload certificates (using your example although using Python) - but this won't work for switching the certificates as system_advanced_admin.php is too heavily dependent on executed JavaScript to change the form to the correct values.
CSRF was only a small walk in the park, but the actual changing of the certificate won't work unfortunately.
I can scrape enough to change to the correct certificate but this isn't a viable solution in any form of way - mostly due to the form's defaults (without JavaScript) being too empty. Maybe I should look closer into
https://github.com/opnsense/plugins/blob/master/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
and figure out how to re-use the code from line 987 (Update certificate object) to select the uploaded cert & following restart actions.
If someone has some pointers I'd be very happy to dig further into this, otherwise we'll just schedule some human-minion-working-hours every so often, but I'd really like to avoid that.
Kind regards,
Tom
franco
Administrator
Hero Member
Posts: 17660
Karma: 1611
Re: Certificate management (CLI/API)
«
Reply #3 on:
March 21, 2018, 12:25:09 am »
There is a trust API conversion PR here:
https://github.com/opnsense/core/pull/2053
The problem for the team is that it is largely untested and asking for integration work / review which is hard to pull off with our limited resources.
Cheers,
Franco
nununo
Newbie
Posts: 7
Karma: 0
Re: Certificate management (CLI/API)
«
Reply #4 on:
April 24, 2022, 06:41:15 pm »
Hello,
Any news on this topic? The mentioned PR got closed.
I'd like to be able to have an Ansible playbook use the OPNsense API to fetch existing certificates.
Thanks.