Let's Encrypt "Automations" Documentation

[hockey6611]

Is there a Let's Encrypt Acme page in the documentation site (docs.opnsense.org)? I have been unable to find it. I am wondering if there is an example of "automations" as indicated under the Edit Certificate page. I assume a command to restart webgui and/or haproxy would go here. Any help would be appreciated!

[fraenki]

Unfortunately no, there is currently no documentation for LE Automations. (I suck at documentation.)

I assume a command to restart webgui and/or haproxy would go here. Any help would be appreciated!

What exactly do you want to achieve? What's your goal?

For example, if you want to automatically restart OPNsense's WebGUI when a certificate is renewed, then this is just a two step task:

1. create an Automation as shown on 1st attached image
2. add the Automation to your certificate as shown on 2nd attached image


Regards
- Frank

[cab878]

Hi Fraenki, first time posting here on the OPNsense forum. I am also looking for guidance on Let's Encrypt Automation feature. I have successfully used the pre-defined options and uploaded my cert to my internal server.

However, I would like to know if it's possible to "fully" automate external host via triggering a script or simple service reload.

Currently, one of my home lab server running a Proxmox VE requires placing and naming the generated certs in a specific location and triggering a systemctl restart pveproxy to apply the new cert.


I would also like to know if it's possible to add my script to the system command lists. I attached a pic for reference.

[fraenki]

Hi Fraenki, first time posting here on the OPNsense forum. I am also looking for guidance on Let's Encrypt Automation feature. I

Welcome! Please post new questions on new threads. Thanks.

However, I would like to know if it's possible to "fully" automate external host via triggering a script or simple service reload.

Currently, one of my home lab server running a Proxmox VE requires placing and naming the generated certs in a specific location and triggering a systemctl restart pveproxy to apply the new cert.

The plugin does not support remote commands. You could workaround this on your target host, for example by running something like this as a cronjob every hour or so:

Code: [Select]

if diff /etc/ssl/old_cert.pem /etc/ssl/new_cert.pem >/dev/null; then
    cp /etc/ssl/new_cert.pem /etc/ssl/old_cert.pem
    systemctl restart myservice
fi

The idea is simple: store a copy of the cert ("old_cert") in order to be able to know when it was changed. If a change is detected, restart the service as required. This could also be adopted for configuration management systems like Puppet or Chef.

Regards
- Frank