security/acme-client: add support for Google Cloud DNS API #549

Closed
DanMc85 opened this issue Feb 7, 2018 · 9 comments

@DanMc85

DanMc85 commented Feb 7, 2018

Reference thread: https://forum.opnsense.org/index.php?topic=7170.0

Is it possible to add support for Google Domains API in ACME client GUI for DNS based validation?
https://support.google.com/domains/answer/3290350?hl=en&ref_topic=3251230

Would be great if it could be supported for the DNS TXT record automation tokens. Especially since it is required for the wildcard certs which are right around the corner.

@fichtner fichtner added the feature Adding new functionality label Feb 7, 2018
@fichtner fichtner changed the title ACME - Let's Encrypt Client Certs security/acme-client: Let's Encrypt Client Certs Feb 7, 2018
@fraenki fraenki added upstream Third party issue and removed feature Adding new functionality labels Apr 16, 2018
@fraenki
Member

fraenki commented Apr 16, 2018

Unfortunately, Google Domains API isn't currently supported by Neilpang/acme.sh and a feature request was even abandoned: acmesh-official/acme.sh#180.

We'll have to wait until support is added to acme.sh. I'm closing this issue for the time being. Feel free to reopen this issue once this requirement is met.

@fraenki fraenki closed this as completed Apr 16, 2018
@fraenki fraenki changed the title security/acme-client: Let's Encrypt Client Certs security/acme-client: add support for Google Domains API Apr 16, 2018
@funar

funar commented Jun 7, 2018

Support for Google Cloud DNS is pending. Hopefully we'll have this soon. See: acmesh-official/acme.sh#1623

@KyleJ61782

Google Cloud DNS is now supported by upstream. Perhaps now it could be added?

@fraenki fraenki reopened this Apr 8, 2019
@fraenki fraenki added feature Adding new functionality and removed upstream Third party issue labels Apr 8, 2019
@fraenki
Member

fraenki commented Apr 28, 2019

Here's the bad news: In order to use acme.sh with Google Cloud DNS, the gcloud command-line tool is required. Unfortunately, it's not officially available on *BSD systems.
The good news: There is a FreeBSD port available. I'll try to add support in one of the next releases. No promises though...

@fraenki fraenki changed the title security/acme-client: add support for Google Domains API security/acme-client: add support for Google Cloud DNS API May 1, 2019
@fraenki
Member

fraenki commented Jul 7, 2019

This will be available in the upcoming release 1.24 of our acme plugin.

Note that several steps are required in order to get this working:

Not exactly user-friendly, but it looks like there's no other way to do it when using Google Cloud DNS.

For reference, a successful run results in the following OPNsense log messages:

Jul  8 01:24:06 opnsense: /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php: AcmeClient: Google Cloud DNS project name: abc-def-12345
Jul  8 01:24:07 opnsense: /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php: AcmeClient: The shell command '/usr/local/bin/gcloud config configurations create acme-5cdb1b1782668146681939' returned exit code '0'
Jul  8 01:24:07 opnsense: /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php: AcmeClient: The shell command '/usr/local/bin/gcloud config configurations activate acme-5cdb1b1782668146681939' returned exit code '0'
Jul  8 01:24:08 opnsense: /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php: AcmeClient: The shell command '/usr/local/bin/gcloud auth activate-service-account --key-file=/tmp/acme_dns_gcloud_5cdb1b1782668146681939.json' returned exit code '0'
Jul  8 01:24:09 opnsense: /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php: AcmeClient: The shell command '/usr/local/bin/gcloud config set account acme-test-2@abc-def-12345.iam.gserviceaccount.com' returned exit code '0'
Jul  8 01:24:09 opnsense: /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php: AcmeClient: The shell command '/usr/local/bin/gcloud config set project abc-def-12345' returned exit code '0'
Jul  8 01:24:16 opnsense: /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php: AcmeClient: successfully issued/renewed certificate: gcloud.example.com
Jul  8 01:24:16 opnsense: /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php: AcmeClient: Updated Let's Encrypt X.509 certificate: gcloud.example.com
Jul  8 01:24:16 config[13533]: /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php: AcmeClient: storing status 'OK' for cert gcloud.example.com

@fraenki fraenki closed this as completed Jul 7, 2019
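
A way to check such a log for a failing gcloud step, as an added example that is not part of the original comment or of the plugin's code. The sample log is constructed from the message format shown above; the `EXAMPLE` identifiers, the line with exit code '1', the variable `P` and the function names are all invented for illustration.

```shell
#!/bin/sh
# Constructed sample in the format of the log messages above. The EXAMPLE ids
# and the line with exit code '1' are invented for illustration.
P='/usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php: AcmeClient:'
SAMPLE_LOG="Jul  8 01:24:07 opnsense: $P The shell command '/usr/local/bin/gcloud config configurations activate acme-EXAMPLE' returned exit code '0'
Jul  8 01:24:08 opnsense: $P The shell command '/usr/local/bin/gcloud auth activate-service-account --key-file=/tmp/acme_dns_gcloud_EXAMPLE.json' returned exit code '1'
Jul  8 01:24:09 opnsense: $P The shell command '/usr/local/bin/gcloud config set project abc-def-12345' returned exit code '0'
Jul  8 01:24:16 opnsense: $P Google Cloud DNS project name: abc-def-12345"

# Hypothetical helper: read log lines on stdin and print one line per gcloud
# step as "<exit code> <command>". Lines that are not gcloud steps are skipped.
acme_gcloud_steps() {
    sed -n "s/.*AcmeClient: The shell command '\([^']*gcloud [^']*\)' returned exit code '\([0-9][0-9]*\)'.*/\2 \1/p"
}

# Hypothetical helper: print the first gcloud command with a non-zero exit
# code. Returns 0 if a failing step was found, 1 if every step succeeded
# (same convention as grep).
acme_first_failure() {
    acme_gcloud_steps | awk '
        $1 != 0 { sub(/^[0-9]+ /, ""); print; found = 1; exit }
        END     { exit (found ? 0 : 1) }'
}

# Demo on the constructed sample: report the first failing step, if any.
if failed=$(printf '%s\n' "$SAMPLE_LOG" | acme_first_failure); then
    echo "first failing gcloud step: $failed"
fi
```

On a real system the same functions can be fed the system log instead of `SAMPLE_LOG`; the first failing command shows which of the setup steps (configuration, service account key, account or project) needs attention.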
@dpieski

dpieski commented Oct 10, 2019

Hey, sorry for posting on a closed issue, but Google Cloud DNS and Google Domains DNS are two different things. OP titled for Google Cloud DNS but the question was directed to Google Domains DNS.

For clarification:
Google Cloud DNS support was added.
There is no support for Google Domains DNS.

@fraenki
Member

fraenki commented Oct 10, 2019

@dpieski Unfortunately, Google Domains DNS is not supported by acme.sh, so that wasn't an option. If this ever changes, feel free to open a new issue and we'll add support for it in our LE plugin.

@nathan40

Is this still unsupported? I have been looking for documentation, but am having a hard time finding documentation that shows how to set up Google Cloud DNS API with the ACME Client on OPNsense.

@fraenki
Member

fraenki commented Jul 12, 2022

AFAICT, it is still supported. Please head over to the forum to ask for support.

@opnsense opnsense locked as resolved and limited conversation to collaborators Jul 12, 2022