Topic: Acme client 3.0.7 and Synology automation
Chura (December 10, 2023, 11:36:58 am):
Hi
I'm using Synology automation after my LE renewal.
It's not working anymore (the deployment piece).
I see that version 3.0.7 of Acme.sh changed the behaviour, and now the DeviceID (to bypass the 2FA) is created as part of the script, while the OPNsense adoption of it asks for the device ID in the configuration.
What I've found:
* Device ID is not being sent as part of the request anymore
* New method should ask you for token on first run and update it in config file
* I've tried to add the device ID manually to the config at /var/etc/acme-client/home/domain.com.conf, however it fails
* I've tried to run the acme.sh command manually with user root - I get
[Sun Dec 10 12:24:18 IST 2023] The deploy hook synology_dsm is not found.
* I've tried to su - acme and run this, and I get an error that the certificate is missing,
probably because of a permission issue for that user?
$ ls -al /var/etc/acme-client/home/domain.com.conf
ls: /var/etc/acme-client/home/domain.com.conf: Permission denied
All per documentation here :
https://github.com/acmesh-official/acme.sh/wiki/deployhooks#20-deploy-the-certificate-to-synology-dsm
Any idea how to solve this?
Last Edit: December 10, 2023, 11:38:31 am by Chura

Chura (Reply #1, December 11, 2023, 09:40:23 am):
Temp resolution if someone will look for it:
add Device name and change the DID to Device_ID
root@opn:~ # cat /var/etc/acme-client/home/domain.com/domain.com.conf | grep SYNO_Device
SAVED_SYNO_Device_ID='did cookie content'
SAVED_SYNO_Device_Name='CertRenewal'
Logged
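
The check below is an added example, not part of any post in this thread and not OPNsense or acme.sh code. It inspects a domain `.conf` for the two `SAVED_SYNO_Device_*` keys shown in Reply #1 without printing their values, and flags a world-readable file, since the stored device ID is what lets the deploy login skip the OTP prompt. The function names are hypothetical, and the DID-style legacy key pattern is an assumption drawn from the wording of Reply #1.

```shell
#!/bin/sh
# Added example: audit an acme.sh domain .conf for the Synology deploy settings.
# Secret values are never echoed, only their presence is reported.

# Print the value of KEY='value' from FILE (empty if the key is absent).
conf_get() {
    sed -n "s/^$1='\(.*\)'\$/\1/p" "$2" | tail -n 1
}

# Print one finding per line; return 0 only when nothing needs attention.
check_syno_conf() {
    conf=$1
    rc=0
    [ -r "$conf" ] || { echo "unreadable: $conf (run as root)"; return 2; }

    id=$(conf_get SAVED_SYNO_Device_ID "$conf")
    name=$(conf_get SAVED_SYNO_Device_Name "$conf")
    [ -n "$id" ] || { echo "missing: SAVED_SYNO_Device_ID"; rc=1; }
    [ -n "$name" ] || { echo "missing: SAVED_SYNO_Device_Name"; rc=1; }

    # Assumption: an older key ends in "DID=" (does not match "Device_ID=").
    if grep -q '^SAVED_SYNO_.*DID=' "$conf"; then
        echo "legacy: DID-style key present, rename to SAVED_SYNO_Device_ID"
        rc=1
    fi

    # The device ID stands in for the second factor, so treat the file as secret.
    if [ -n "$(find "$conf" -perm -004 2>/dev/null)" ]; then
        echo "perms: $conf is world-readable"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "ok: device ID and name are set"
    return "$rc"
}

# Usage: sh check_syno_conf.sh /path/to/domain.conf
if [ "$#" -gt 0 ]; then check_syno_conf "$1"; fi
```

The "Permission denied" seen by a non-root user in the first post is consistent with this file being kept private to the service account.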

staticznld (Reply #2, December 14, 2023, 10:57:53 am):
Also unable to deploy a certificate to a Synology with 2FA enabled.
When running
acme.sh --home /var/etc/acme-client/home --deploy --deploy-hook synology_dsm -d "*.domain.com"
I am unable to authenticate against my Synology NAS.
Is there a way to run the automation settings in the CLI?
Digging further, I see that the config file isn't changed at all after modifying the device ID in the GUI.
I have 2 certificates; the domain.conf of 1 has a device_id and device_name but with a wrong ID.
The other domain doesn't have the device_id and device_name set.
Last Edit: December 14, 2023, 12:29:07 pm by staticznld

cobbers83 (Reply #3, December 31, 2023, 11:57:09 pm):
Any updates on this? I've tried to manually edit the config and still can't get it to work. I'm hoping a first-party update is on the way? In the meantime, is there a way to downgrade to the working version or any other methods to get my Synology SSL certs updated in the meantime?

cobbers83 (Reply #4, January 07, 2024, 03:40:06 am):
Good news! Looks like the fix is out in Acme Client 3.20! 🎉
https://github.com/opnsense/plugins/blob/stable/23.7/security/acme-client/pkg-descr
Fixed:
* fix 2FA support in Synology automation (#3627)

Chura (Reply #5, January 14, 2024, 11:33:11 pm):
I've seen that update but have no clue how to use it.
I've tried putting the initial OTP instead of the password and running the automation, then changing back to the password; it didn't work.

Chura (Reply #6, January 20, 2024, 11:24:26 pm):
Found a way, while I'm sure it's not the best way to do so.
Run this command from the CLI:
acme.sh --deploy --cert-home /var/etc/acme-client/home/ --home /var/db/acme/.acme.sh/deploy --deploy-hook synology_dsm -d <<FQDN>> --debug 2
It should prompt you for the OTP, and that's it.

mhlas7 (Reply #7, February 22, 2024, 10:28:24 pm):
Hi all! n00b question, I hope this is still relatively on topic.
How do I get the "device id" and "device name"?
It is also unclear if "device" refers to the Synology or OPNsense.
If someone can point me to documentation or a tutorial, that would be very helpful. I have done a bunch of googling; however, I don't think I know enough to even type the correct phrase into Google. I feel like there should be something in the Acme Automations for Synology help text to help users find this information.
Thanks!

cobbers83 (Reply #8, June 05, 2024, 12:09:20 am):
This still isn't working for me. It's maddening. I've tried everything I can think of.
I am on Acme Plugin 4.1. I am running Synology DSM 7.2.1-69057 Update 5.
I have OTP enabled and got the Device ID (did) from the cookie in an Incognito window. I set the Device Name to 'CertRenewal' (I just made that up. Not sure if/where I am supposed to get that value or if I just set it to whatever I want.)
I even tried setting up a user WITHOUT an OTP and it still won't authenticate to Synology.
The cert is properly generated in Acme, but the only thing not working is deploying it to my Synology.
For the record, I use a custom domain and custom port for my Synology, if that matters.
Does anyone have any other things I could try? Here is what the logs say.
Screenshot:
https://share.jacobgraf.com/TtTMcBmwLjVT9kqL0Fcl

Ronny1978 (Reply #9, June 06, 2024, 04:58:09 am):
I have the same problems. A user is created in the admin group in DSM, WITHOUT 2FA but also WITHOUT any authorisation (SMB/NFS etc.), but the automation causes a crash in OPNsense. Since the crash also occurs when I push a deploy to my Proxmox, it's more likely the plugin itself, right?
Does anyone have any idea how to solve this or whether it works at all and I'm just making a mistake? I also have a separate port in the DSM (not 5001).
Thanks for your tips and help
Last Edit: June 06, 2024, 08:16:23 am by Ronny1978