Questions about custom scripts with confd and ACME client

Started by cat /dev/random, March 27, 2022, 08:43:55 PM

Hi all.

I have a remote server running the Unifi management application. I wish to upload a certificate from Lets Encrypt onto the server every time the ACME client successfully re-issues it.

I have managed to create a basic actions_unifi.conf and can then invoke it with configctl after running service configd restart.

The command is even listed in the web UI for possible actions to take... so I think I have all the plumbing in place.

My question

- Where/How can I get the certificate material locations on disk passed into the automation?

In the logs, I see things like

acme.sh [Sun Mar 27 11:37:35 PDT 2022] Installing full chain to: /var/etc/acme-client/certs/$SomeUUIDLookingStringHere/fullchain.pem

But when I dump the env/args passed to the command, I see nothing:

===== Sun Mar 27 11:37:35 PDT 2022 =====
test script called when configctl unifi upload is called
===== ARGS =====

===== END ARGS =====
===== ENV =====
PWD=/usr/local/opnsense/service
HOME=/
SHLVL=1
REQUESTS_CA_BUNDLE=/etc/ssl/cert.pem
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
_=/usr/bin/env
===== END ENV=====
===== END =====

I need to know where on disk the certificate files are located if I am going to later move them to their desired server. How can I get the information from the acme client passed along to the command that I have created?

Here's what I'm using for tests:

root@OPNsense:/usr/local/opnsense/service/conf/actions.d # cat actions_unifi.conf
[upload]
command:/usr/local/opnsense/scripts/unifi/upload_and_restart.sh >> /usr/local/opnsense/scripts/unifi/test.log
parameters:
type:script_output
message:Installing certificate to
description:Script to upload certificate material to Unifi CloudKey
root@OPNsense:/usr/local/opnsense/scripts/unifi # cat upload_and_restart.sh
#!/usr/bin/env bash
#####
echo "===== $(date) ====="
# Test
echo "hi, from the test script"
# dump all cli args
echo "===== ARGS ====="
echo "$@"
echo "===== END ARGS ====="
# dump env
echo "===== ENV ====="
env
echo "===== END ENV====="
echo "===== END ====="
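An added example (not the poster's script and not code from the acme-client plugin) showing one way to live with the empty argument list: the action itself locates the freshest fullchain.pem under the directory acme.sh logged and sanity-checks it before anything is uploaded. It assumes only the /var/etc/acme-client/certs/<uuid>/fullchain.pem layout visible in the log line; make_fixture builds a constructed directory tree so the functions can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example, not the poster's script: configd passes the action no
# arguments (see the ARGS dump above), so find the freshest fullchain.pem
# under the directory acme.sh logged and sanity-check it before uploading.
# Assumption: certificates live at <ACME_CERT_DIR>/<uuid>/fullchain.pem.
ACME_CERT_DIR="${ACME_CERT_DIR:-/var/etc/acme-client/certs}"

# Print the most recently modified fullchain.pem below $1; status 1 if none.
newest_fullchain() {
    local base="$1" best="" f
    for f in "$base"/*/fullchain.pem; do
        [ -f "$f" ] || continue
        if [ -z "$best" ] || [ "$f" -nt "$best" ]; then
            best=$f
        fi
    done
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

# Refuse anything that is not a complete PEM chain: non-empty, at least two
# certificates (leaf plus issuer) and a closing END marker, so a truncated or
# half-written file is never pushed to the remote host.
check_fullchain() {
    local f="$1" n
    [ -s "$f" ] || return 1
    n=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$f" || true)
    [ "$n" -ge 2 ] || return 1
    [ "$(tail -n 1 "$f")" = '-----END CERTIFICATE-----' ] || return 1
}

# Constructed fixture for offline testing: two fake chains with different
# mtimes plus one empty file. Prints the fixture root (a temp directory).
make_fixture() {
    local root pem
    root=$(mktemp -d)
    pem=$(printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBfakeBase64' '-----END CERTIFICATE-----')
    mkdir -p "$root/aaaa-old" "$root/bbbb-new" "$root/cccc-empty"
    printf '%s\n%s\n' "$pem" "$pem" > "$root/aaaa-old/fullchain.pem"
    printf '%s\n%s\n' "$pem" "$pem" > "$root/bbbb-new/fullchain.pem"
    : > "$root/cccc-empty/fullchain.pem"
    touch -t 202203261000 "$root/aaaa-old/fullchain.pem"
    touch -t 202203271137 "$root/bbbb-new/fullchain.pem"
    touch -t 202203251000 "$root/cccc-empty/fullchain.pem"
    printf '%s\n' "$root"
}

# Real use from the configd action:
# cert=$(newest_fullchain "$ACME_CERT_DIR") && check_fullchain "$cert" && echo "$cert"
```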

It looks like this is not possible at the moment. In the past, this was an "ask" but was never properly or fully implemented.

https://github.com/opnsense/plugins/issues/2627

It is not enough to upload the key material to the remote host... you must further process the key material into a format that the Java-based application on the remote host can work with. The discussion in #2627 mentions this but there is no workaround or solution.

An updated issue was created to address this... but no progress:

https://github.com/opnsense/plugins/issues/2757
Does anybody have any context / background as to the decision to re-implement acme client hooks?