
security/acme-client: automation > upload of renewed cert to synology failed #2889

Closed
3 tasks done
rantwolf opened this issue Mar 10, 2022 · 3 comments
Labels
support Community support

Comments

@rantwolf

rantwolf commented Mar 10, 2022


Describe the bug
An acme cert which was requested a couple of days ago was renewed in opnsense.
After the renewal the automation "upload to synology" fails.
TOTP in the Synology is disabled.

Relevant log files

2022-03-10T11:24:00 | acme.sh | [Thu Mar 10 11:24:00 CET 2022] Error deploy for domain:local.domain
2022-03-10T11:24:00 | acme.sh | [Thu Mar 10 11:24:00 CET 2022] If two-factor authentication is enabled for the user, set SYNO_TOTP_SECRET.
2022-03-10T11:24:00 | acme.sh | [Thu Mar 10 11:24:00 CET 2022] Check your username and password.
2022-03-10T11:24:00 | acme.sh | [Thu Mar 10 11:24:00 CET 2022] Unable to authenticate to syno.local.domain:5001 using https.
2022-03-10T11:24:00 | acme.sh | [Thu Mar 10 11:24:00 CET 2022] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
2022-03-10T11:24:00 | acme.sh | [Thu Mar 10 11:24:00 CET 2022] Logging into syno.local.domain:5001
2022-03-10T11:24:00 | acme.sh | [Thu Mar 10 11:24:00 CET 2022] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60

Additional context
It seems that only the certificate was uploaded at the first sync.
I think the intermediate cert is missing inside.
If I try to connect via CLI from opnsense to the syno I get this error.

curl -v https://syno.local.domain:5001
*   Trying 192.168.20.60:5001...
* Connected to syno.local.domain (192.168.20.60) port 5001 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /usr/local/etc/ssl/cert.pem
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Environment
OPNsense 22.1.2_1 (amd64, OpenSSL).

@fraenki
Member

fraenki commented Mar 13, 2022

Unable to authenticate to syno.local.domain:5001 using https

Have you tried setting Scheme to http (not https) in automations?

@rantwolf
Author

rantwolf commented Apr 1, 2022

Hei hei.
Yeah that worked for me.
Thx.

@Doriangaensslen

Bear in mind: using http instead of https is the wrong way; it would be better to make sure that the certificate can be verified by the router, because it's simply not secure with http.
