Author Topic: How to upload Web GUI certificate via SCP  (Read 7573 times)

DJ_L

How to upload Web GUI certificate via SCP
« on: November 27, 2019, 03:00:31 am »
Using a wildcard cert from LE, this is generated on another host for several internal domains. While I can certainly do via GUI, I'd rather add this into the existing process like the rest of my internal hosts. I've searched for a bit, dug through the file system (after uploading manually), but to no avail. Any pointers to docu?

Thanks.

--DJ

DJ_L

Re: How to upload Web GUI certificate via SCP
« Reply #1 on: November 27, 2019, 06:04:55 am »
To answer my own question...the active cert and the key are concatenated at /var/etc/cert.pem. Where the source for this file is stored after adding to the GUI, I do not know. Whether I can simply overwrite this file, I am unsure.

hbc

Re: How to upload Web GUI certificate via SCP
« Reply #2 on: November 27, 2019, 12:56:50 pm »
The certificates created or imported via gui are located in configuration file /conf/config.xml under
<opnsense><ca><crt>
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR

DJ_L

Re: How to upload Web GUI certificate via SCP
« Reply #3 on: November 28, 2019, 07:42:38 am »
Thank you hbc! Exactly what I was looking for.

--DJ

DJ_L

Re: How to upload Web GUI certificate via SCP
« Reply #4 on: November 28, 2019, 08:55:18 am »
To complete this for the archives:

Certs themselves are located in /conf/config.xml at <opnsense><ca><cert><refid/><desc/><crt/><prv/>...

Probably obvious, but the text that is inserted into the GUI is base64 encoded in the crt and prv fields (from CLI `cat file | openssl base64`), desc is the plain text description, and the refid value is php's uniqid (from CLI `php -r "echo uniqid();"`).

The refid field is earlier used in the Web GUI config at <opnsense><system><webgui><protocol>https</protocol><ssl-certref/>

Okay, so that's easy enough - and probably easier if I spoke PHP. :-)

Only really dumb question remains. :-) How to restart/reload webgui from CLI?

--DJ

DJ_L

Re: How to upload Web GUI certificate via SCP
« Reply #5 on: November 28, 2019, 08:22:11 pm »
So, just to bring a completed example, after copying MyCert.crt and MyCert.key via ssh to root's home directory, I cobbled together the following script:

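```sh
#!/bin/sh
# Import a new Web GUI certificate into /conf/config.xml and restart the GUI.

UNIQID=`/usr/local/bin/php -r "echo uniqid();"`
DATE=`date +%Y%m%d`
CRT="/root/MyCert.crt"
PRV="/root/MyCert.key"
# Line number of the first <cert> opening tag; the new entry goes right after it.
FIRSTLN=`grep -m1 -n "<cert>" /conf/config.xml | cut -d ":" -f 1`
DESCR="My Certificate $DATE"

if test -f "$CRT" && test -f "$PRV"; then
  # Without a line address, sed's "r" would append after every line.
  if test -z "$FIRSTLN"; then
    echo "No <cert> entry found in /conf/config.xml. Exiting."
    exit 1
  fi
  # The working directory holds copies of the private key: keep it root-only.
  mkdir -p /root/certtemp && chmod 700 /root/certtemp
  cd /root/certtemp || exit 1
  CRTE=`/usr/bin/openssl base64 -in "$CRT"`
  PRVE=`/usr/bin/openssl base64 -in "$PRV"`
  DESC="<descr>$DESCR</descr>"
  # Strip the line breaks openssl adds so each field sits on one line.
  CERT=`echo "<crt>$CRTE</crt>" | tr -d '\n'`
  PRIV=`echo "<prv>$PRVE</prv>" | tr -d '\n'`
  REFID="<refid>$UNIQID</refid>"

  # The existing <cert> tag opens the new entry; the trailing <cert>
  # re-opens the entry that used to follow it.
  echo "    $REFID" > temp.txt
  echo "    $DESC" >> temp.txt
  echo "    $CERT" >> temp.txt
  echo "    $PRIV" >> temp.txt
  echo "  </cert>" >> temp.txt
  echo "  <cert>" >> temp.txt
  cp /conf/config.xml config.xml
  sed "${FIRSTLN}r temp.txt" config.xml > config.xml.tmp
  # Point the Web GUI at the new refid.
  sed "s@<ssl-certref>.*</ssl-certref>@<ssl-certref>${UNIQID}</ssl-certref>@" \
      config.xml.tmp > config.xml.new
  # /var/etc/cert.pem is the certificate followed by the key.
  cp "$CRT" cert.pem
  cat "$PRV" >> cert.pem

  # Keep dated backups, then install the new files.
  cp /conf/config.xml "/conf/config.xml.$DATE"
  cp config.xml.new /conf/config.xml
  cp /var/etc/cert.pem "/var/etc/cert.pem.$DATE"
  cp cert.pem /var/etc/cert.pem

  /usr/local/etc/rc.restart_webgui

  # Cleanup
  cd /root
  rm -rf certtemp/
  rm "$CRT"
  rm "$PRV"

  echo "New certificate $DESCR installed."
else
  echo "Nothing to do. Exiting."
fi
```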


This seems to work well enough. Bad me! I exceeded my weekly certs by not using the LE test environment. Obviously, this needs to be tested after my punishment (a week), but it worked locally. If anybody sees something bad, please speak up.

Thanks.

--DJ
« Last Edit: November 28, 2019, 08:24:27 pm by DJ_L »
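
A pre-install check for the edited config, as an added example that is not part of the original posts: it reads a config.xml on stdin and confirms that `<ssl-certref>` names exactly one `<cert>` block whose `<crt>` and `<prv>` values are single-line base64 PEM. The function names, the sample config and its refid are constructed for illustration, and the one-element-per-line layout is an assumption.

```shell
#!/bin/sh
# Added example: pre-install check for an edited OPNsense config.xml.
# Assumes one element per line, as the script in this thread writes them.
# Reads XML on stdin, prints a verdict, returns 0 only when <ssl-certref>
# names exactly one <cert> block with PEM-looking <crt> and <prv> values.
check_webgui_cert() {
  awk '
    function val(s) { sub(/^[^>]*>/, "", s); sub(/<.*$/, "", s); return s }
    /<ssl-certref>/            { ref = val($0) }
    /<cert>/                   { incert = 1; id = crt = prv = "" }
    incert && /<refid>/        { id = val($0) }
    incert && /<crt>.*<\/crt>/ { crt = val($0) }  # whole value on one line
    incert && /<prv>.*<\/prv>/ { prv = val($0) }
    incert && /<\/cert>/       { n[id]++; c[id] = crt; p[id] = prv; incert = 0 }
    END {
      if (ref == "") { print "no ssl-certref set"; exit 1 }
      if (n[ref] != 1) { print "ssl-certref matches " (n[ref] + 0) " cert blocks"; exit 1 }
      # Prefixes: base64 of "-----BEGIN CERTIFICATE-----" and of "-----BEGI".
      if (index(c[ref], "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t") != 1) {
        print "crt is not single-line base64 PEM"; exit 1 }
      if (index(p[ref], "LS0tLS1CRUdJ") != 1) {
        print "prv is not single-line base64 PEM"; exit 1 }
      print "ok"
    }'
}

# Constructed sample, not a real config; $1 is the refid the GUI points at.
# Both field values decode to a bare PEM header line, not key material.
sample_config() {
  cat <<EOF
<opnsense>
  <system>
    <webgui>
      <protocol>https</protocol>
      <ssl-certref>$1</ssl-certref>
    </webgui>
  </system>
  <cert>
    <refid>5ddf0a1b2c3d4</refid>
    <descr>My Certificate 20191128</descr>
    <crt>LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCg==</crt>
    <prv>LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCg==</prv>
  </cert>
</opnsense>
EOF
}

sample_config 5ddf0a1b2c3d4 | check_webgui_cert          # prints: ok
sample_config 000000000000a | check_webgui_cert || true  # dangling refid
```

In the script above it would run as `check_webgui_cert < config.xml.new` before the copy to /conf/config.xml, so a dangling refid or a multi-line field stops the install instead of leaving the GUI without a usable certificate.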

hbc

Re: How to upload Web GUI certificate via SCP
« Reply #6 on: December 03, 2019, 09:37:05 am »
Quote from: DJ_L on November 28, 2019, 08:55:18 am
Only really dumb question remains. :-) How to restart/reload webgui from CLI?

--DJ

Try:

```sh
/usr/local/sbin/pluginctl webgui restart
```