Feature Request | Let's Encrypt TLS Web Certs

[mitchskis]

Please consider expanding system certificate management to enable one-click generation and signing of TLS web-certs via the Let's Encrypt intuitive for the administration interface. The Certificate Authority is now widely trusted and many stable ACME clients exist. Of course, automated cert. replacement is also important.

[Oebele Drijfhout]

There's already an open issue: https://github.com/opnsense/plugins/issues/6

[mitchskis]

Neat! I was unaware the GitHub issue tracker was in use.

[franco]

It's not on our official roadmap at the moment. The problem with Let's Encrypt is their large ecosystem in the default client. There are more portable solutions nowadays, but the last time we checked we did not find a suitable (and sane) solution.

[silent_mastodon]

franco, can you expand on your answer a little? What exactly do you mean by "large ecosystem" in this context? Do you mean code complexity?

I would really like to see LE support integrated into opnsense, even if it's just a plugin. I do know some python, but I don't understand what the "requirements" or hold-up is for making this happen. What makes a particular solution 'suitable' and 'sane?'

Understanding this I can gauge whether it's a project I can tackle or not.

[franco]

There are two viable candidates that I know of. Here's there runtime dependencies:

/usr/ports/security/letsencrypt.sh # make run-depends-list
/usr/ports/ftp/curl
/usr/ports/shells/bash

/usr/ports/security/py-letsencrypt # make run-depends-list
/usr/ports/devel/py-configargparse
/usr/ports/devel/py-configobj
/usr/ports/devel/py-mock
/usr/ports/devel/py-parsedatetime
/usr/ports/devel/py-pyrfc3339
/usr/ports/devel/py-python2-pythondialog
/usr/ports/devel/py-pytz
/usr/ports/devel/py-setuptools27
/usr/ports/devel/py-six
/usr/ports/devel/py-zope.component
/usr/ports/devel/py-zope.interface
/usr/ports/lang/python27
/usr/ports/security/py-acme
/usr/ports/security/py-cryptography
/usr/ports/security/py-openssl
/usr/ports/sysutils/py-psutil

The former is a portable alternative based on bash/zsh and the latter is the original code with a large trail of Python modules.

Certificates are built into the base system, so we can't chose the plugin road easily, without revamping the certificate code considerably. That would take a month or two as an educated guess. And it might be spurious work for a single plugin.

So instead, we will have to bring the runtime dependencies of a letsencrypt hander to OPNsense base installations. I do not really feel comfortable with bash on the box and letting it handle certificate information.

There may be a middle ground with this, but we cannot tell before work has started on it. What do you think?

PS: Ticket here since Nov 2015 https://github.com/opnsense/plugins/issues/6

[silent_mastodon]

Sorry about the late reply, I never received an email notification that there was a response. : /

I certainly understand not wanting bash involved.

Anyway, if the issue is the actual number of dependencies, there are a couple of smaller python projects that don't seem to have nearly so many.

MIT licensed  - https://github.com/diafygi/acme-tiny
GPLv3 licensed - https://github.com/kuba/simp_le

I don't know how the opnsense project works with regards to non-ports code/packages, so maybe these aren't acceptable because they aren't in your package manager?

[franco]

Both look like viable alternatives, thank you! We have Python underneath so that's good. Slightly favouring the MIT license for BSD style alignment.

If the packages are not on FreeBSD ports and the actual script is light enough it may be best to embed the code directly into the GUI package.

I'll make a note in the package, ask Ad to review the options.


Cheers,
Franco

[franco]

PS: acme-tiny is in FreeBSD ports

[silent_mastodon]

Glad I could be of assistance!

[franco]

Make sure to prod us again, this is also appreciated as it tends to get things done.

[franco]

The acme-tiny package is now in our ecosystem, if anyone wants to play with it...

# pkg install acme-tiny

[silent_mastodon]

Thought I would drop in and give that helpful prod.

[franco]

letskencrypt went in as a package for 16.1.16, that's the progress at the moment. Highly unlikely that we will have this integrated before 16.7 as we're slowly switching from "rework all the things" mode to "polish all the things" mode.

https://kristaps.bsd.lv/letskencrypt/

[silent_mastodon]

Hey, that's great! I'm don't find waiting a bit longer for it at all. Looking forward to having this feature, solves a lot of issues on my end.