OPNsense Forum » English Forums » Tutorials and FAQs » ACME sftp automation
Topic: ACME sftp automation (Read 6372 times)
peterdeg (Newbie, Posts: 4, Karma: 1), December 25, 2022, 05:02:52 am:
Does anyone have simple, step-by-step instructions on getting the sftp automation to work? It's doing my head in.
I just want to upload the new certs to a folder on an Ubuntu box.
Going in circles as to what to put in the 'Host Key' field and what I need to do on the Ubuntu box itself.
User to be used on Ubuntu has been created and I can successfully log in as it via command-line ssh and sftp.
TIA
Reply #1 from peterdeg (Newbie, Posts: 4, Karma: 1), December 28, 2022, 02:40:54 am:
Ok, I think I've got it working (well, I got the green "Connection and upload test successful" message). I didn't take full notes as I've been trying all sorts of things over the last week, but I think this is how I did it (intermediate steps may be missing):
1. On the Ubuntu box, create a user ID (non-admin) for OPNsense to log into using sftp.
2. ssh into the firewall and get the contents of /var/etc/acme-client/sftp-config/id.ecdsa.pub.
3. ssh into the Ubuntu box as the ID that will be used by OPNsense ACME for the sftp.
4. Add the contents of the id.ecdsa.pub file to the .ssh/authorized_keys file.
5. ssh into the firewall as the admin account, then "sudo su -" to get the OPNsense menu.
6. Option 8 to get the shell.
7. sftp to the Ubuntu box as the ID that will be used by OPNsense ACME for the sftp. Enter 'yes' to accept the fingerprint.
8. In the ACME automations GUI, create the new automation and select the 'upload certificate via SFTP' Run Command:
   SFTP Host - the host name of the Ubuntu box
   Host Key - leave blank
   Username - the ID that will be used by OPNsense ACME for the sftp
   Identity Type - leave as ECDSA
   Remote Path - leave blank
9. Hit 'Save' (possibly overkill).
10. Re-edit the automation and hit the 'Test Connection' button.
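Two of the steps above are trust decisions: pasting the firewall's id.ecdsa.pub into authorized_keys (step 4) and answering 'yes' to the host fingerprint on the first sftp connection (step 7, which is also what leaving 'Host Key' blank relies on, since the script then falls back to the known_hosts entry). The script below is an added example and is not code from the thread or from OPNsense. It parses an OpenSSH public-key line and checks that the key type declared at the front agrees with the type and curve embedded in the blob, prints the SHA256 fingerprint in the same form ssh-keygen -lf shows so the value at the 'yes' prompt can be compared with one obtained out of band (for example from /etc/ssh/ssh_host_ecdsa_key.pub on the Ubuntu box), and emits an authorized_keys entry restricted to the firewall's address. The path, the firewall IP and the key comment are assumptions; the constructed key used for testing is not a real key.

```python
"""Two checks for the trust steps in the SFTP automation setup (added example,
not OPNsense code). It validates the firewall's id.ecdsa.pub before it goes
into authorized_keys and emits a restricted entry, and it computes the
OpenSSH-style SHA256 fingerprint of any public-key line so the fingerprint
shown at the first-connection 'yes' prompt can be compared out of band."""
import base64
import hashlib
import struct
import sys


def _read_ssh_string(blob: bytes, offset: int):
    """Read one length-prefixed string from an SSH wire-format key blob."""
    if offset + 4 > len(blob):
        raise ValueError("truncated SSH key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated SSH key blob")
    return blob[start:end], end


def parse_ssh_pubkey(line: str) -> dict:
    """Parse '<type> <base64> [comment]'; the type embedded in the blob must
    match the declared type, and for ECDSA the curve name must match too."""
    parts = line.strip().split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    embedded, off = _read_ssh_string(blob, 0)
    if embedded.decode("ascii", "replace") != key_type:
        raise ValueError(f"declared {key_type!r} but blob says {embedded!r}")
    curve = None
    if key_type.startswith("ecdsa-sha2-"):
        curve_bytes, off = _read_ssh_string(blob, off)
        curve = curve_bytes.decode("ascii", "replace")
        if key_type != "ecdsa-sha2-" + curve:
            raise ValueError(f"curve {curve!r} does not match {key_type!r}")
    return {"type": key_type, "curve": curve, "blob": blob,
            "comment": " ".join(parts[2:])}


def pubkey_is_consistent(line: str) -> bool:
    """True when the line parses and its declared and embedded types agree."""
    try:
        parse_ssh_pubkey(line)
        return True
    except ValueError:
        return False


def openssh_fingerprint(line: str) -> str:
    """SHA256 fingerprint in the form 'ssh-keygen -lf' prints (unpadded base64)."""
    digest = hashlib.sha256(parse_ssh_pubkey(line)["blob"]).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def restricted_authorized_keys_line(line: str, firewall_ip: str,
                                    comment: str = "opnsense-acme") -> str:
    """authorized_keys entry usable only from the firewall's address; 'restrict'
    turns off PTY, agent/port/X11 forwarding and rc files, SFTP still works."""
    key = parse_ssh_pubkey(line)
    b64 = base64.b64encode(key["blob"]).decode("ascii")
    return f'restrict,from="{firewall_ip}" {key["type"]} {b64} {comment}'


def constructed_ecdsa_pubkey_line() -> str:
    """Syntactically valid ecdsa-sha2-nistp256 line with a dummy point.
    Constructed for testing only; it is not a real key."""
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    blob = s(b"ecdsa-sha2-nistp256") + s(b"nistp256") + s(b"\x04" + b"\x00" * 64)
    return "ecdsa-sha2-nistp256 " + base64.b64encode(blob).decode("ascii") + " acme@firewall"


if __name__ == "__main__":
    # Usage (assumed path): python sftp_keys.py /var/etc/acme-client/sftp-config/id.ecdsa.pub <firewall-ip>
    with open(sys.argv[1]) as fh:
        key_line = fh.read()
    print("fingerprint:", openssh_fingerprint(key_line))
    print(restricted_authorized_keys_line(key_line, sys.argv[2]))
```

Run it once against the firewall's id.ecdsa.pub to get the authorized_keys line for the Ubuntu user, and once against the Ubuntu box's host public key to get the fingerprint to expect at the 'yes' prompt. The from= restriction means a copy of the firewall's private key is useless from any other address, and restrict keeps the account from being turned into a shell or tunnel endpoint even though SFTP keeps working.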
Reply #2 from GregTheHun (Newbie, Posts: 10, Karma: 1), May 12, 2023, 10:03:13 pm:
If there are any errors, do you know where you can find the logs for the automations?
Reply #3 from stefan21 (Full Member, Posts: 103, Karma: 10), December 29, 2023, 07:07:57 pm:
Well, I know, old topic, old thread. Anyway, after searching and googling for days I have to push this up hoping someone jumps on.
Here is what works. From the CLI of the OPNsense:
#:/local/opnsense/scripts/OPNsense/AcmeClient # ./upload_sftp.php --log --host=192.168.xx.15 --user=xx test-connection
INFO: Logging to stdout enabled
INFO: No host key specified, using existing known_hosts entry for '192.168.xx.15'
INFO: SFTP: Connected to 192.168.xx.15.
INFO: SFTP: sftp> pwd
INFO: SFTP: sftp> ls -la
INFO: SFTP: sftp> put '/tmp/sftp-upload-khpkxO' 'sftp-upload-khpkxO'
INFO: SFTP: Uploading /tmp/sftp-upload-khpkxO to /home/xx/sftp-upload-khpkxO
INFO: SFTP: sftp> rm '/home/xx/sftp-upload-khpkxO'
INFO: SFTP: Removing /home/xx/sftp-upload-khpkxO
INFO: SFTP: sftp> exit
{
"actions": [
"connecting",
"connected",
"upload-testing",
"upload-tested"
],
"success": true,
"remote": {
"host": "192.168.xx.15",
"port": 22,
"user": "xx",
"path": "/home/xx"
}
}
and:
#:/usr/local/opnsense/scripts/OPNsense/AcmeClient # ./upload_sftp.php --log --certificates=mail.xx.de --host=192.168.xx.15 --user=xx
INFO: Logging to stdout enabled
INFO: No host key specified, using existing known_hosts entry for '192.168.xx.15'
INFO: SFTP: Connected to 192.168.xx.15.
INFO: SFTP: sftp> pwd
INFO: SFTP: sftp> cd '/home/xx/mail.xx.de'
INFO: SFTP: stat remote: No such file or directory
INFO: Creating remote directory: /home/xx/mail.xx.de
INFO: SFTP: sftp> pwd
INFO: SFTP: sftp> mkdir '/home/xx/mail.xx.de'
INFO: SFTP: sftp> cd '/home/xx/mail.xx.de'
INFO: SFTP: sftp> pwd
INFO: SFTP: sftp> ls -la
INFO: SFTP: sftp> put '/tmp/sftp-upload-f1fIwZ' 'ca.pem'
INFO: SFTP: Uploading /tmp/sftp-upload-f1fIwZ to /home/xx/mail.xx.de/ca.pem
INFO: SFTP: sftp> put '/tmp/sftp-upload-6ytT6R' 'cert.pem'
INFO: SFTP: Uploading /tmp/sftp-upload-6ytT6R to /home/xx/mail.xx.de/cert.pem
INFO: SFTP: sftp> put '/tmp/sftp-upload-PZO74I' 'fullchain.pem'
INFO: SFTP: Uploading /tmp/sftp-upload-PZO74I to /home/xx/mail.xx.de/fullchain.pem
INFO: SFTP: sftp> put '/tmp/sftp-upload-SgMDcZ' 'key.pem'
INFO: SFTP: Uploading /tmp/sftp-upload-SgMDcZ to /home/xx/mail.xx.de/key.pem
INFO: SFTP: sftp> exit
Further:
On the target server:
ls -la mail.xx.de/
insgesamt 28
drwxr-xr-x 2 xx xx 4096 29. Dez 19:01 .
drwx------ 7 xx xx 4096 29. Dez 19:01 ..
-rw------- 1 xx xx 3750 29. Dez 19:01 ca.pem
-rw------- 1 xx xx 1537 29. Dez 19:01 cert.pem
-rw------- 1 xx xx 5287 29. Dez 19:01 fullchain.pem
-rw------- 1 xx xx 288 29. Dez 19:01 key.pem
All there, the Let's Encrypt cert was copied.
Question: why on heaven's earth does this not work using the GUI ACME automation? What's wrong here?
I'm stuck. Any help is greatly appreciated.
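The log above shows what the upload script does on the target: it cd's into a per-certificate directory, creates it if missing, and puts ca.pem, cert.pem, fullchain.pem and key.pem, and the listing shows the files arriving with mode 0600. A short check run on the target after each upload (for example before a mail server is reloaded on the new files) catches the cases the green test message cannot: a key that landed world-readable, a cert.pem that does not match the leaf in fullchain.pem, or a missing file. The script below is an added example, not code from the thread or from OPNsense. It assumes the four file names from the log and the acme.sh layout in which fullchain.pem is cert.pem followed by ca.pem; the PEM bodies it writes for its own test directory are constructed placeholders, not real certificates, and it compares PEM blocks textually rather than validating the chain cryptographically.

```python
"""Post-upload sanity check for the directory the ACME SFTP automation writes
(added example, not OPNsense code). It expects the four files seen in the
thread's listing (ca.pem, cert.pem, fullchain.pem, key.pem) and assumes the
acme.sh layout in which fullchain.pem is cert.pem followed by ca.pem."""
import os
import stat
import tempfile

REQUIRED = ("ca.pem", "cert.pem", "fullchain.pem", "key.pem")


def pem_blocks(text: str) -> list:
    """Return each BEGIN/END block in order, whitespace-normalised."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("-----BEGIN "):
            current = [line]
        elif line.startswith("-----END ") and current is not None:
            current.append(line)
            blocks.append("\n".join(current))
            current = None
        elif current is not None and line:
            current.append(line)
    return blocks


def check_upload_dir(path: str) -> list:
    """Return the problems found (an empty list means the upload looks consistent)."""
    problems, contents = [], {}
    for name in REQUIRED:
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            problems.append(f"missing {name}")
            continue
        with open(full) as fh:
            contents[name] = fh.read()
        mode = stat.S_IMODE(os.stat(full).st_mode)
        if name == "key.pem" and mode & 0o077:
            problems.append(f"key.pem mode {mode:04o} is readable by group/others")
    if len(contents) < len(REQUIRED):
        return problems
    cert = pem_blocks(contents["cert.pem"])
    chain = pem_blocks(contents["fullchain.pem"])
    ca = pem_blocks(contents["ca.pem"])
    key = pem_blocks(contents["key.pem"])
    if len(cert) != 1 or not cert[0].startswith("-----BEGIN CERTIFICATE-----"):
        problems.append("cert.pem must contain exactly one certificate")
    if len(key) != 1 or "PRIVATE KEY" not in key[0].split("\n")[0]:
        problems.append("key.pem does not contain exactly one private key")
    if not chain or not cert or chain[0] != cert[0]:
        problems.append("first certificate in fullchain.pem is not cert.pem")
    if not ca or chain[1:] != ca:
        problems.append("fullchain.pem without its leaf does not match ca.pem")
    return problems


def make_constructed_upload(key_mode: int = 0o600, swap_leaf: bool = False) -> str:
    """Write a constructed upload directory (placeholder PEM bodies, not real
    certificates) into a fresh temp dir and return its path."""
    def pem(label: str, body: str) -> str:
        return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
    leaf = pem("CERTIFICATE", "ConstructedLeafNotARealCert")
    inter = pem("CERTIFICATE", "ConstructedIntermediateNotARealCert")
    other = pem("CERTIFICATE", "ConstructedUnrelatedNotARealCert")
    files = {
        "cert.pem": other if swap_leaf else leaf,
        "ca.pem": inter,
        "fullchain.pem": leaf + inter,
        "key.pem": pem("EC PRIVATE KEY", "ConstructedKeyNotARealKey"),
    }
    path = tempfile.mkdtemp(prefix="acme-upload-")
    for name, text in files.items():
        full = os.path.join(path, name)
        with open(full, "w") as fh:
            fh.write(text)
        os.chmod(full, key_mode if name == "key.pem" else 0o600)
    return path


if __name__ == "__main__":
    import sys
    # Usage: python check_upload.py /home/<user>/<certificate-name>
    found = check_upload_dir(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("OK" if not found else "\n".join(found))
    raise SystemExit(1 if found else 0)
```

A non-zero exit from this check is a reasonable gate for whatever reload step follows the upload, so a half-written or mismatched set of files is never handed to the service that uses them.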
Reply #4 from stefan21 (Full Member, Posts: 103, Karma: 10), December 30, 2023, 11:34:19 pm:
Duhhh, stupid me!
I copied a certificate and forgot to change the automation.
Sorry for the whistle, all working as expected.