Topic: Feature Request | Let's Encrypt TLS Web Certs (Read 18369 times)
mitchskis (Newbie)
Feature Request | Let's Encrypt TLS Web Certs
on: March 02, 2016, 06:18:23 pm
Please consider expanding system certificate management to enable one-click generation and signing of TLS web certs via the Let's Encrypt initiative for the administration interface. The Certificate Authority is now widely trusted and many stable ACME clients exist. Of course, automated cert replacement is also important.
Oebele Drijfhout (Newbie)
Reply #1 on: March 02, 2016, 07:17:11 pm
There's already an open issue:
https://github.com/opnsense/plugins/issues/6
mitchskis (Newbie)
Reply #2 on: March 02, 2016, 07:27:58 pm
Neat! I was unaware the GitHub issue tracker was in use.
Last Edit: March 02, 2016, 07:43:30 pm by mitchskis
franco (Administrator)
Reply #3 on: March 03, 2016, 08:05:08 am
It's not on our official roadmap at the moment. The problem with Let's Encrypt is their large ecosystem in the default client. There are more portable solutions nowadays, but the last time we checked we did not find a suitable (and sane) solution.
silent_mastodon (Newbie)
Reply #4 on: April 23, 2016, 08:51:42 am
franco, can you expand on your answer a little? What exactly do you mean by "large ecosystem" in this context? Do you mean code complexity?
I would really like to see LE support integrated into opnsense, even if it's just a plugin. I do know some python, but I don't understand what the "requirements" or hold-up is for making this happen. What makes a particular solution 'suitable' and 'sane?'
Understanding this I can gauge whether it's a project I can tackle or not.
franco (Administrator)
Reply #5 on: April 27, 2016, 05:14:45 pm
There are two viable candidates that I know of. Here are their runtime dependencies:
/usr/ports/security/letsencrypt.sh # make run-depends-list
/usr/ports/ftp/curl
/usr/ports/shells/bash
/usr/ports/security/py-letsencrypt # make run-depends-list
/usr/ports/devel/py-configargparse
/usr/ports/devel/py-configobj
/usr/ports/devel/py-mock
/usr/ports/devel/py-parsedatetime
/usr/ports/devel/py-pyrfc3339
/usr/ports/devel/py-python2-pythondialog
/usr/ports/devel/py-pytz
/usr/ports/devel/py-setuptools27
/usr/ports/devel/py-six
/usr/ports/devel/py-zope.component
/usr/ports/devel/py-zope.interface
/usr/ports/lang/python27
/usr/ports/security/py-acme
/usr/ports/security/py-cryptography
/usr/ports/security/py-openssl
/usr/ports/sysutils/py-psutil
The former is a portable alternative based on bash/zsh and the latter is the original code with a large trail of Python modules.
Certificates are built into the base system, so we can't choose the plugin road easily without revamping the certificate code considerably. That would take a month or two as an educated guess. And it might be spurious work for a single plugin.
So instead, we will have to bring the runtime dependencies of a letsencrypt handler to OPNsense base installations. I do not really feel comfortable with bash on the box and letting it handle certificate information.
There may be a middle ground with this, but we cannot tell before work has started on it. What do you think?
PS: Ticket here since Nov 2015
https://github.com/opnsense/plugins/issues/6
silent_mastodon (Newbie)
Reply #6 on: May 09, 2016, 12:52:58 pm
Sorry about the late reply, I never received an email notification that there was a response. : /
I certainly understand not wanting bash involved.
Anyway, if the issue is the actual number of dependencies, there are a couple of smaller python projects that don't seem to have nearly so many.
MIT licensed -
https://github.com/diafygi/acme-tiny
GPLv3 licensed -
https://github.com/kuba/simp_le
I don't know how the opnsense project works with regards to non-ports code/packages, so maybe these aren't acceptable because they aren't in your package manager?
franco (Administrator)
Reply #7 on: May 09, 2016, 05:34:14 pm
Both look like viable alternatives, thank you! We have Python underneath so that's good. Slightly favouring the MIT license for BSD style alignment.
If the packages are not on FreeBSD ports and the actual script is light enough it may be best to embed the code directly into the GUI package.
I'll make a note in the package, ask Ad to review the options.
Cheers,
Franco
franco (Administrator)
Reply #8 on: May 09, 2016, 05:42:22 pm
PS: acme-tiny is in FreeBSD ports
silent_mastodon (Newbie)
Reply #9 on: May 10, 2016, 01:43:24 am
Glad I could be of assistance!
franco (Administrator)
Reply #10 on: May 10, 2016, 08:04:44 am
Make sure to prod us again, this is also appreciated as it tends to get things done.
franco (Administrator)
Reply #11 on: May 19, 2016, 09:01:47 am
The acme-tiny package is now in our ecosystem, if anyone wants to play with it...
# pkg install acme-tiny
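What a small client such as the acme-tiny package mentioned above actually has to get right, apart from talking to the CA, is the HTTP-01 challenge (the only challenge type acme-tiny implements): compute the RFC 7638 thumbprint of the account key, build the key authorization `token.thumbprint`, and publish it under `/.well-known/acme-challenge/<token>` in the webroot. The following is an added, stdlib-only Python example written for this thread; it is not code from the thread, from OPNsense, or from acme-tiny. The account key is a constructed placeholder (a real client derives `n` and `e` from its account private key), and the token is a constructed sample. The one check worth noticing is the token validation before the token is used in a filesystem path: the token is supplied by the server, so a client that trusts it blindly lets a hostile or buggy ACME response write outside the challenge directory.

```python
"""HTTP-01 key-authorization helpers in the style of a small ACME client.

Added example for this thread; stdlib only. ACCOUNT_JWK below is a
constructed placeholder, not a real RSA key.
"""
import base64
import hashlib
import json
import os
import re
import tempfile

# Members that go into the JWK thumbprint, per key type (RFC 7638 section 3.2).
THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}

# ACME challenge tokens are base64url without padding (RFC 8555 section 8.3).
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """Required members only, keys sorted lexicographically, no whitespace."""
    try:
        members = THUMBPRINT_MEMBERS[jwk["kty"]]
        subset = {k: jwk[k] for k in members}
    except KeyError as exc:
        raise ValueError("JWK is missing a required member or has an unsupported kty") from exc
    return json.dumps(subset, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: base64url(SHA-256(canonical JWK))."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint: the exact bytes the web server must serve at
    http://<domain>/.well-known/acme-challenge/<token>."""
    if not TOKEN_RE.fullmatch(token):
        # The token is server-supplied and ends up in a filesystem path, so
        # refuse anything that is not plain base64url (no '/', '.', etc.).
        raise ValueError("challenge token is not base64url")
    return token + "." + jwk_thumbprint(jwk)


def write_challenge(webroot: str, token: str, jwk: dict) -> str:
    """Publish the key authorization under the webroot and return its path."""
    keyauth = key_authorization(token, jwk)  # validates the token before it touches a path
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(keyauth)
    return path


# Constructed placeholder account key: the "modulus" is derived from a fixed
# string so the example is deterministic. A real client takes n and e from the
# account private key (acme-tiny parses `openssl rsa -text` output for them).
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": b64url(hashlib.sha256(b"constructed modulus").digest() * 8),
    "alg": "RS256",  # extra members are ignored by the thumbprint
}


def demo(token: str = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA") -> dict:
    """Round trip with a constructed token: publish the challenge into a
    temporary webroot and read back what a fetch of the token URL would get."""
    with tempfile.TemporaryDirectory() as webroot:
        path = write_challenge(webroot, token, ACCOUNT_JWK)
        with open(path, encoding="ascii") as fh:
            served = fh.read()
        relative = os.path.relpath(path, webroot)
    return {"token": token, "thumbprint": jwk_thumbprint(ACCOUNT_JWK),
            "served": served, "relative_path": relative}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The thumbprint is what ties the challenge to the account: it is computed over only the required JWK members, in sorted order and without whitespace, so `kid`, `alg` or a different member order in the stored key must not change it, while any change to the modulus must.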
silent_mastodon (Newbie)
Reply #12 on: June 04, 2016, 06:17:51 am
Thought I would drop in and give that helpful prod.
franco (Administrator)
Reply #13 on: June 04, 2016, 03:38:27 pm
letskencrypt went in as a package for 16.1.16, that's the progress at the moment. Highly unlikely that we will have this integrated before 16.7 as we're slowly switching from "rework all the things" mode to "polish all the things" mode.
https://kristaps.bsd.lv/letskencrypt/
silent_mastodon (Newbie)
Reply #14 on: June 05, 2016, 06:39:04 am
Hey, that's great! I don't mind waiting a bit longer for it at all. Looking forward to having this feature; it solves a lot of issues on my end.