Let's encrypt... #6

Closed
fichtner opened this issue Nov 8, 2015 · 18 comments
Labels: feature (Adding new functionality)

fichtner (Member) commented Nov 8, 2015

using either:

security/py-letsencrypt -- APACHE20
security/letsencrypt.sh (bash) -- MIT
security/py-acme-tiny -- MIT

https://github.com/kuba/simp_le -- GPLv3 licensed

via: https://forum.opnsense.org/index.php?topic=2319.0

@fichtner fichtner added feature Adding new functionality help wanted Contributor missing labels Nov 8, 2015
@fichtner fichtner self-assigned this Nov 8, 2015
@fichtner fichtner added this to the 16.1 milestone Nov 8, 2015
@fichtner fichtner removed their assignment Nov 8, 2015
@fichtner fichtner modified the milestones: 16.7, 16.1 Jan 18, 2016
@fichtner fichtner removed this from the 16.7 milestone Feb 5, 2016
fichtner (Member, Author) commented:

We now have acme-tiny in our ecosystem if anyone wants to try...

# pkg install acme-tiny

fraenki (Member) commented Jun 2, 2016

@fichtner: Would you mind adding the security/letskencrypt port to OPNsense? It looks like a perfect fit with its main focus being security. I'd like to try it out and see if I can start building a plugin.

fichtner (Member, Author) commented Jun 2, 2016

Was already done, package will be in 16.1.16


fraenki (Member) commented Oct 5, 2016

Looks like security/letskencrypt (or security/acme-client) can only be used on the LibreSSL flavour of OPNsense. I don't want a different client for every SSL flavour, so I'm going to check out security/py-acme-tiny instead.

@fichtner fichtner removed the help wanted Contributor missing label Oct 5, 2016
fichtner (Member, Author) commented Oct 9, 2016

acme-client gained a "static" option now to be usable with OpenSSL, but our build system is not clever enough for this just yet. Just FYI.

fichtner (Member, Author) commented:

@fraenki from the looks of it, acme-client can now be shipped in both LibreSSL and OpenSSL flavours.

fraenki (Member) commented Dec 31, 2016

@fichtner Yes, just recently installed it on my FreeBSD test VM. I hope to provide a rough concept for how I want to implement LE in OPNsense. Some workarounds are required, but I hope to integrate it with HAProxy, Load balancer (relayd) and the bundled lighttpd. Alpha-quality code should follow soonish. I'm several weeks behind my schedule, but I hope to provide a first alpha version in January.

EugenMayer commented:

You might really want to look at https://github.com/Neilpang/acme.sh .. I am using it right now on the opnsense instances, it works pretty well.

The current point would be to reimport the certs when they are issued into opnsense, so more or less a sync between the cert/key folder of acme.sh and the opnsense configuration.

Using the external script we get:

  • more or less all modes supported ( dns, .well-known )
  • DNS server integration ( like cloud front ) - it's built in

So a lot less code to maintain or rather develop

AdSchellevis (Member) commented:

@EugenMayer can you post some small examples of how this should work? This sounds practical. The first time I looked at integrating let's encrypt there was just too much glue needed to make it functional; if this is easier I might be willing to do the work for this feature.

EugenMayer commented:

Sure.

Right now on a fresh 17.1 installation, I do:

cd /root
git clone https://github.com/Neilpang/acme.sh
cd acme.sh
./acme.sh install

The latter command just deploys the cron job for acme.sh to automatically get new certificates.

To get a new certificate using ACME with, in my case, cloudfront:

setenv CF_Key <apikey>
setenv CF_Email <mycfmail>

./acme.sh --issue --dns dns_cf --dnssleep 25 -d <mydomain>

You can use other modes than --dns or a dns with an API integration ( you can go the manual way ) and all kinds, so very flexible. But when thinking about opnsense, most probably the webserver will not be accessible by the letsencrypt servers, so ACME using DNS sounds like the perfect match.
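As an added example that is not from this thread or from the acme.sh project: a post-issuance deploy hook that could be wired into acme.sh's --reloadcmd after the DNS-01 issuance above, refusing to install a certificate whose private key does not match or which is already near expiry, and writing the key with owner-only permissions. The destination layout, the 30-day threshold and the convention that the hook receives cert, key and destination as three positional arguments are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from acme.sh: a post-issuance deploy hook.
# Assumed calling convention: hook.sh <fullchain.cer> <domain.key> <dest dir> [min days]
set -eu

# Return 0 only if the key's public half equals the certificate's public key.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Print the largest whole number of days (0..400) the certificate stays valid,
# found by binary search over openssl's -checkend (which takes seconds).
days_until_expiry() {
    lo=0; hi=400
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if openssl x509 -in "$1" -noout -checkend $(( mid * 86400 )) >/dev/null 2>&1; then
            lo=$mid
        else
            hi=$((mid - 1))
        fi
    done
    echo "$lo"
}

# Install the pair into $3 (assumed layout: fullchain.pem + privkey.pem) only if
# the key matches and at least $4 (default 30) days of validity remain.
install_cert() {
    cert="$1"; key="$2"; dest="$3"; min_days="${4:-30}"
    key_matches_cert "$cert" "$key" || { echo "refusing: key does not match $cert" >&2; return 1; }
    left=$(days_until_expiry "$cert")
    [ "$left" -ge "$min_days" ] || { echo "refusing: only $left days left on $cert" >&2; return 1; }
    mkdir -p "$dest"
    umask 077                       # new files start owner-only
    cp "$cert" "$dest/fullchain.pem.new" && mv "$dest/fullchain.pem.new" "$dest/fullchain.pem"
    cp "$key" "$dest/privkey.pem.new" && mv "$dest/privkey.pem.new" "$dest/privkey.pem"
    chmod 0644 "$dest/fullchain.pem"  # chain is public
    chmod 0600 "$dest/privkey.pem"    # key stays private
    echo "installed $cert into $dest ($left days left)"
}

# When invoked by acme.sh (e.g. via --reloadcmd), pass the three paths through.
if [ "$#" -ge 3 ]; then
    install_cert "$@"
fi
```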

fraenki (Member) commented Jan 26, 2017

No examples required, the plugin is almost complete.

EugenMayer commented:

@fraenki will it have any cloud-dns integration for ACME dns verification?

fraenki (Member) commented Jan 26, 2017

@EugenMayer If you mean Cloudflare, then yes.

fichtner (Member, Author) commented Jan 27, 2017

Some minor things to do:

Jan 27 08:55:33	configd.py: [527c12a2-f1dd-46d9-95bd-34e9b440111b] Inline action failed with OPNsense/AcmeClient OPNsense/AcmeClient/lighttpd-acme-challenge.conf 'collections.OrderedDict object' has no attribute 'AcmeClient' at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 505, in execute return ph_inline_actions.execute(self, inline_act_parameters) File "/usr/local/opnsense/service/modules/ph_inline_actions.py", line 52, in execute filenames = tmpl.generate(parameters) File "/usr/local/opnsense/service/modules/template.py", line 309, in generate raise render_exception Exception: OPNsense/AcmeClient OPNsense/AcmeClient/lighttpd-acme-challenge.conf 'collections.OrderedDict object' has no attribute 'AcmeClient'
Jan 27 08:55:33	configd.py: generate template container OPNsense/AcmeClient
Jan 27 08:55:32	configd.py: [527c12a2-f1dd-46d9-95bd-34e9b440111b] generate template OPNsense/AcmeClient
Jan 27 08:54:28	configd.py: [af999a5b-5613-40c4-8fe8-7e0a39aac536] Script action stderr returned "/usr/local/etc/rc.d/acme_http_challenge: Permission denied"
Jan 27 08:54:28	configd.py: [af999a5b-5613-40c4-8fe8-7e0a39aac536] requesting acme_http_challenge status

acme_http_challenge should probably be a plugin file, not a template. The permission fixup through setup.sh is weird and causes the above error. I'll try to apply a bandaid.

fichtner (Member, Author) commented:

@fraenki ok, that should be all. can you double-check to approve this?

syserr0r commented:

I am not seeing this plugin available in the WebUI for 16.7.14 -- is that intentional or is there something I need to do to update the plugins list?

fichtner (Member, Author) commented:

@syserr0r It was added to the tree just today ;) since 16.7.14 is EOL, the plugin will only be shipped with 17.1 and up

syserr0r commented Jan 27, 2017

Ah the plugin list is set at build time and not pulled from here -- I hadn't realized.

Edit: Actually, it looks like it is pulled from here but there is another branch for 16.x and 17.x

fichtner pushed a commit that referenced this issue Jan 27, 2017
(cherry picked from commit dd4853d)
(cherry picked from commit a5c6653)
(cherry picked from commit 61bed3d)
(cherry picked from commit aeec3bd)
(cherry picked from commit 0f03a5a)
(cherry picked from commit 3c309e7)