Automatically download and apply own certificates

Started by danman, March 01, 2026, 01:49:38 AM

Hey

Just installed a fresh OPNsense device where I'm going to use my own certificates via acme.sh (DNS option). The certificates are created on another VM and also published only for the home network.
I'm currently gathering some ideas on how best to automate this, especially for opnsense.

I just use a script on simple Linux boxes and run it via crontab every day:
#!/bin/sh
set -e   # stop before reloading nginx if a download fails
# -f: fail on HTTP errors instead of saving the error page as the key/cert; -z: only fetch if the server copy is newer than the local file
curl -fsS -o "/etc/nginx/ssl/cert.key" -z "/etc/nginx/ssl/cert.key" "https://homecerts.local/cert.key"
curl -fsS -o "/etc/nginx/ssl/cert.cer" -z "/etc/nginx/ssl/cert.cer" "https://homecerts.local/cert.cer"
systemctl reload nginx.service

I'm not familiar with OPNsense under the hood. I can also use crontab, but how could I import the certificates then?

Thanks!
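A hardened version of the fetch-and-reload job from the post above, for the Linux boxes it targets (added example, not the original poster's script). It assumes, hypothetically, the same URL https://homecerts.local/ and the same nginx paths; the security-relevant additions are that a download is never installed unless the key and certificate parse, belong together and are not about to expire, that files are replaced atomically, and that nginx is only reloaded when something actually changed.

```shell
#!/bin/sh
# Added example: a hardened version of the cron job above for a Linux box.
# Hypothetical assumptions: certs are served at https://homecerts.local/ and
# nginx reads /etc/nginx/ssl/cert.key and /etc/nginx/ssl/cert.cer.
set -eu

CERT_URL="${CERT_URL:-https://homecerts.local}"
SSL_DIR="${SSL_DIR:-/etc/nginx/ssl}"

# validate_pair KEY CERT
# Succeeds only if KEY and CERT parse as PEM, CERT is valid for at least one
# more day, and the public key in CERT matches KEY. A garbage download (for
# example an HTML error page saved as cert.key) or a key/cert mix-up fails here.
validate_pair() {
    openssl pkey -in "$1" -noout >/dev/null 2>&1 || return 1
    openssl x509 -in "$2" -noout -checkend 86400 >/dev/null 2>&1 || return 1
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# install_pair KEY CERT [DIR]
# Copies a validated pair into DIR with tight permissions, writing to temp
# names first and renaming, so nginx never reads a half-written file.
# Installs nothing and returns 1 if validation fails.
install_pair() {
    dir="${3:-$SSL_DIR}"
    validate_pair "$1" "$2" || return 1
    mkdir -p "$dir"
    install -m 0600 "$1" "$dir/cert.key.tmp"
    install -m 0644 "$2" "$dir/cert.cer.tmp"
    mv -f "$dir/cert.key.tmp" "$dir/cert.key"
    mv -f "$dir/cert.cer.tmp" "$dir/cert.cer"
}

# fetch_and_install
# Downloads both files to a scratch directory (-f: fail on HTTP errors instead
# of saving the error page), installs them only if they changed and validate,
# and reloads nginx only when something was actually replaced.
fetch_and_install() {
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    curl -fsS -o "$tmp/cert.key" "$CERT_URL/cert.key"
    curl -fsS -o "$tmp/cert.cer" "$CERT_URL/cert.cer"
    if cmp -s "$tmp/cert.key" "$SSL_DIR/cert.key" && cmp -s "$tmp/cert.cer" "$SSL_DIR/cert.cer"; then
        return 0   # nothing new on the server, nothing to do
    fi
    install_pair "$tmp/cert.key" "$tmp/cert.cer" "$SSL_DIR"
    systemctl reload nginx.service
}

# Run the job only when invoked as "fetch-certs.sh --run" (e.g. from cron);
# the functions can also be sourced and used individually.
if [ "${1:-}" = "--run" ]; then
    fetch_and_install
fi
```

Install it as /usr/local/sbin/fetch-certs.sh and call it from cron with the --run argument. Two caveats: curl verifies the TLS certificate of homecerts.local by default, so keep it that way rather than adding -k, and anyone who can reach https://homecerts.local/cert.key can read the private key, so restrict that path (client certificates or an allow list) instead of relying on the network being private. The script uses systemctl, so it is for the Linux boxes only; OPNsense runs FreeBSD and keeps its certificates in the configuration store managed by the GUI, which is why the replies below suggest letting OPNsense run acme.sh itself.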

It might be easier to instead configure OPNsense to get the certificates with its acme.sh implementation, and then use the automation features to push it out to other machines on your network. It can all be done via the GUI, no shell usage needed.

Thanks! I'll take a look at it. Maybe it's easier to swap it than I think.

Or go the preferred route and handle both certificate renewal and TLS termination on OPNsense itself via acme.sh and a reverse proxy like Caddy or HAProxy. There are guides for both of them in the tutorial section. This has the benefit of not needing different ports for different services, because the reverse proxy can differentiate them by name.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+