security/acme-client: add acme client #66
Merged, many many thanks for your work! <3

@fraenki nice work! Thanks!

thank you @fraenki, awesome!

@AdSchellevis I could need your help to add some JavaScript to hide GUI fields if they are not relevant, especially the "Validation" form is crowded with input fields and only some of them are useful at a time :)

@fraenki no problem, I saw there are quite some dns related fields, we might consider changing them to property value combinations as well. Next week I'll try to install it on my box and see what I can do about the JS part.

When I put a new name in for a certificate, it doesn't like a FQDN, therefore sending a bad CN=. What info do you need? I'm using DNS-01/nsupdate. (What's supposed to go in the secret key field?)

@lrosenman Please open a new issue and provide some details on how to reproduce this problem.

done, #70

Is it possible to use this plugin to get a Let's Encrypt certificate that is used for the firewall GUI HTTPS access?

@zen2 Please use the OPNsense forum or IRC channel to get your questions answered. :)

Hi Fraenki,
Turns out I had the same issue!

@Nornode, please don't hijack pull requests. Instead please post on the forums or open a new issue.

Introduction
Sponsored by: markt.de
This is the first version of our acme plugin. It utilizes acme.sh and supports 14 DNS providers. Besides that, there's our integrated HTTP-01 validation which should make it very easy to validate certificates (provided that the official IP address of the certificate hostname points to the OPNsense box).
This is the initial release and is expected to contain bugs. Support for many DNS-01 providers is largely untested. Please don't use it in production just yet. :)
Remarks
Initially I wanted to integrate acme-client, but this would have meant additional efforts to integrate DNS-01 providers. That's why I decided to switch to acme.sh.
Support for HTTP-01 validation is currently limited to the internal OPNsense provider. I plan to add support for more providers in the coming weeks.
This version lacks support for deploy/restart actions. Thus it can't automatically restart a service if a certificate was renewed. This will be addressed in a future release very soon.
Quick start guide
1. Enable Let's Encrypt Plugin
2. Add an account
3. Add a validation method
3a. Example: HTTP-01 OPNsense port-forward magic
3b. Example: DNS-01 nslookup
4. Configure certificate
5. Issue certificate
5a. Issue/Renew ALL certificates
5b. Issue/Renew a specific certificate