OPNsense
Author Topic: Powershell script for downloading Let's encrypt certificate  (Read 3838 times)

thegundalf

Powershell script for downloading Let's encrypt certificate
« on: October 29, 2018, 01:00:46 pm »
Hi everybody,

based on the thread https://forum.opnsense.org/index.php?topic=8865 I've written a PowerShell script which downloads and converts the given domain certificate for you.
It has the following dependencies:
  • Powershell Module Posh-SSH (https://github.com/darkoperator/Posh-SSH)
  • OpenSSL, installed or the binaries and DLLs in the directory of the script
The script needs the following mandatory parameters:
  • -CertificateDomain YOURDOMAIN
  • -Router IPORHOSTNAMEOFOPNSENSE
  • -SCPUsername YOURUSER (Default value is root)
  • -SCPPassword YOURPASSWORD
  • -Port YOURSSHPORT (Default value is 22)
  • -Keyfile PATHTOYOURSSHKEYFILE
  • -CertificatePassword CERTPASSWORD (password set for the pfx certificate)
  • -Out FILENAMEOFCERTIFICATE (Default value is the given domain)
  • -Path YOURPATH (if not set, outputs the certificate in the current folder)
Example usage:
Code:
Sync-Cert -CertificateDomain tld.contoso.com -Router 192.168.0.1 -SCPUsername root -SCPPassword opnsense -CertificatePassword opnsense

This will connect to the opnSense firewall at 192.168.0.1 with the username root and the password opnsense.
After the connection it will transfer the fullchain.cer and the tld.contoso.com.key files from the /var/etc/acme-client/home/tld.contoso.com/ directory and convert them using OpenSSL into the PKCS12 format, protecting the certificate with the password opnsense and saving it as tld.contoso.com.pfx in the current directory.

The script is available as gist at https://gist.github.com/Maahaax/0c1a69ffa7e3478c5992f20ae0a194e0

Best regards and thank you so much for this great piece of software named opnSense!

Max

fabian

Re: Powershell script for downloading Let's encrypt certificate
« Reply #1 on: October 29, 2018, 05:36:05 pm »
I would not recommend that because the acme-sh documentation explicitly says that the path should be taken from the output and you should not expect it to stay the same after an update. It would be better if you export it from /conf/config.xml where a stable API is possible.

thegundalf

Re: Powershell script for downloading Let's encrypt certificate
« Reply #2 on: October 30, 2018, 07:36:45 am »
Hi Fabian,

thank you for your feedback! I will play around with your method and update the script.
Please correct me if I'm wrong:
I grab the config.xml and parse it, reading the path /opnsense/OPNsense/AcmeClient/certificates
and find the entry by /opnsense/OPNsense/AcmeClient/certificates/certificate/name to get the certRefId.
The certRefId is used in the path /opnsense/cert to get the crt and the prv values and also the caref as CertRefId for the CA certificate.

Afterwards convert and combine the crt-values and tadaa, complete cer-file for further conversions.

Best regards,

Max
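
The lookup outlined in Reply #2, written out as an added example; it is not part of any post in this thread and not the code from the gist. The sample config document is constructed, and the `refid` element and the `/opnsense/ca` section are assumptions about the config.xml layout that the thread does not spell out.

```powershell
# Added example. All values below are constructed placeholders, not real certificates or keys.
function ConvertTo-B64([string]$Text) { [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($Text)) }
function ConvertFrom-B64([string]$B64) { [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($B64.Trim())) }

$caB64  = ConvertTo-B64 "-----BEGIN CERTIFICATE-----`nCONSTRUCTED-CA`n-----END CERTIFICATE-----`n"
$crtB64 = ConvertTo-B64 "-----BEGIN CERTIFICATE-----`nCONSTRUCTED-LEAF`n-----END CERTIFICATE-----`n"
$prvB64 = ConvertTo-B64 "-----BEGIN PRIVATE KEY-----`nCONSTRUCTED-KEY`n-----END PRIVATE KEY-----`n"

# Constructed stand-in for /conf/config.xml; <refid> and /opnsense/ca are assumptions.
[xml]$sampleConfig = @"
<opnsense>
  <OPNsense><AcmeClient><certificates>
    <certificate><name>tld.contoso.com</name><certRefId>ref-leaf-0001</certRefId></certificate>
  </certificates></AcmeClient></OPNsense>
  <ca><refid>ref-ca-0001</refid><crt>$caB64</crt></ca>
  <cert><refid>ref-leaf-0001</refid><caref>ref-ca-0001</caref><crt>$crtB64</crt><prv>$prvB64</prv></cert>
</opnsense>
"@

function Get-OpnsenseCertificate {
    param([Parameter(Mandatory)][xml]$Config, [Parameter(Mandatory)][string]$Name)
    # The caller-supplied name goes into an XPath expression, so allow only hostname characters.
    if ($Name -notmatch '^[A-Za-z0-9.*_-]+$') { throw "Unexpected characters in certificate name" }

    # Step 1: the ACME client entry, found by name, gives the certRefId.
    $acme = $Config.SelectSingleNode("/opnsense/OPNsense/AcmeClient/certificates/certificate[name='$Name']")
    if ($null -eq $acme) { throw "No ACME certificate named '$Name' in config" }
    $refId = $acme.SelectSingleNode('certRefId').InnerText

    # Step 2: the matching /opnsense/cert entry holds base64-encoded PEM in crt and prv.
    $cert = $Config.SelectSingleNode("/opnsense/cert[refid='$refId']")
    if ($null -eq $cert) { throw "certRefId '$refId' has no /opnsense/cert entry" }
    $chain = ConvertFrom-B64 ($cert.SelectSingleNode('crt').InnerText)

    # Step 3: caref, when present, points at the issuing CA; append it to form the full chain.
    $caref = $cert.SelectSingleNode('caref')
    if ($null -ne $caref -and $caref.InnerText) {
        $ca = $Config.SelectSingleNode("/opnsense/ca[refid='$($caref.InnerText)']")
        if ($null -ne $ca) { $chain += ConvertFrom-B64 ($ca.SelectSingleNode('crt').InnerText) }
    }
    [pscustomobject]@{
        FullChain  = $chain
        PrivateKey = ConvertFrom-B64 ($cert.SelectSingleNode('prv').InnerText)
    }
}

$result = Get-OpnsenseCertificate -Config $sampleConfig -Name 'tld.contoso.com'
$result.FullChain   # leaf PEM followed by CA PEM; keep PrivateKey out of logs and transcripts
```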