Netgate Discussion Forum

    PfSense ACME 0.1.23 Package Google Cloud DNS Question

    • jimp (Rebel Alliance Developer, Netgate) wrote:

      IIRC, last I saw, it required manually running shell commands to setup the Google Cloud environment authorization with some interactive prompts that can't be automated, so it could not be done completely using a GUI. I may have to check in on it again, though. Kind of tough since I don't have an account setup to use Google Cloud, and no plans to deploy anything there.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      • Tantamount (replying to jimp) wrote:

        @jimp

        One possible work-around for the GUI issue is having the user run the interactive prompts locally and upload the resultant file to PfSense? I assume this is a do-once step that would survive reboots, etc?

        I can certainly test if that's on the table, otherwise I may be able to create an IAM account that gives you enough permissions to test. I could also take a stab at a PR, assuming you feel the manual upload idea is workable.

        I had signed up for a gsuite account after discovering that they don't enforce their storage limits. I only recently discovered that this gives me access to whole swaths of other Google services such as their Cloud DNS solution. Amazingly easy to use compared to GoDaddy, cheaper, and as I've discovered they do DNSSEC better (no warnings from the validation tools out there).

        • jimp (Rebel Alliance Developer, Netgate) wrote:

          I don't like the idea of uploading arbitrary files like that, for security reasons. Without knowing the contents/format of what it wants, it's hard to say what might be possible here, though. I don't like the idea of requiring non-GUI steps to configure pfSense-specific things like making the user run shell commands to setup auth either.

          • Tantamount (replying to jimp) wrote:

            @jimp Got it. Let me play around with this a bit and get back to you. I assume it's just a flat file with some settings. It's possible the shell command mentioned in the ACME docs isn't required -- my understanding of ACME was that it is designed to only use shell commands -- that would necessitate running the google CLI instead of, perhaps, generating the credentials from the Google web GUI.

            • user1234 (replying to Tantamount) wrote:

              @jimp Logging into gcloud without any user interaction is definitely possible. If you would allow, in the pfSense GUI, for users to configure a service account key for Google Cloud DNS, that key could:

              • be written to disk and its path saved in the GOOGLE_APPLICATION_CREDENTIALS environment variable. gcloud picks up on this environment variable to pinpoint the location of the credentials file, which it uses to authenticate all outgoing requests. Using this method, no change would be required in the acme-sh Google Cloud DNS script. More details in google cloud's documentation.
              • be saved into an environment variable and then passed as an argument to the acme-sh Google Cloud DNS script, which would use it to authenticate gcloud: echo "$SERVICE_ACCOUNT_KEY" | gcloud auth activate-service-account --key-file -. Obviously, this would entail updating the acme-sh script to perform this action.

              I'm new to this community and would love to contribute to see this integration happen. Of the above two solutions, which one would you find acceptable?

              • user1234 (replying to own post, last edited by user1234) wrote:

                I was mistaken, the first method of authentication refers to using Google API SDKs. The second one, however, is valid. It is documented here.

                The acme-sh wiki also mentions that gcloud will use the default configuration, which they do not in any way alter. A gcloud configuration is a saved, named preset of SDK properties.

                SDK properties can be set via:

                • gcloud itself, documented here.
                • environment variables, documented here.

                To summarize the above, in order to authenticate and configure gcloud so that the acme-sh script does not require running the interactive gcloud init, you would have to:

                • run echo "$GCP_SERVICE_ACCOUNT_KEY_VALUE" | gcloud auth activate-service-account --key-file -, where GCP_SERVICE_ACCOUNT_KEY_VALUE contains the value of the Google Cloud Service Account key file (creating service account keys).
                • configure the required gcloud properties to run the commands used in the script. These properties most certainly include the GCP project value. Configuration can be performed with either of the above-described methods: gcloud config set; environment variables.

                None of these steps are interactive. I work a lot with Google Cloud, their SDKs, services and APIs. While the acme-sh wiki for Google Cloud DNS is correct to recommend gcloud init to perform authentication and configuration, this is most certainly, as documented by Google, not the only way to do it. CI / CD environments, similar to the use-case here, have a different flow, as I have explained above.

                So, I will firstly create a PR to fix documentation in the acme-sh repository so that it is less confusing to people looking to set acme up for working with Google Cloud DNS in a non-interactive manner.

                Secondly, if there is any way I can help make the above changes to enable the Google Cloud DNS integration in pfSense ACME, I would love to lend a hand.

                • rbron01 (replying to user1234) wrote:
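The non-interactive flow user1234 lays out above (key piped to gcloud on stdin, project pinned through a property), written out as an added POSIX shell example; it is not code from the thread, acme.sh or pfSense. The functions json_field, validate_sa_key and gcloud_noninteractive_auth, the GCLOUD_BIN override and SAMPLE_KEY are assumptions of this example; CLOUDSDK_CORE_PROJECT is gcloud's environment-variable form of the core/project property, and the key never needs to be written to disk.

```shell
#!/bin/sh
# Added example (not from the thread, acme.sh or pfSense): authenticate
# gcloud with a service account key without `gcloud init`.
# Assumptions: the key JSON arrives in a variable (as user1234 proposed for
# GCP_SERVICE_ACCOUNT_KEY_VALUE); GCLOUD_BIN lets a caller substitute the
# gcloud command (default: gcloud), which also makes the flow testable offline.
set -u
GCLOUD_BIN="${GCLOUD_BIN:-gcloud}"

# Pull a top-level string field out of the key JSON on stdin (sed only, no jq).
json_field() {  # $1 = field name
  sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Check the key before handing it to gcloud: it must be a service_account key
# and must name the project the DNS zone lives in. Prints the project id.
validate_sa_key() {  # $1 = key JSON; returns 1 if the key is unusable
  _type=$(printf '%s' "$1" | json_field type)
  _proj=$(printf '%s' "$1" | json_field project_id)
  _mail=$(printf '%s' "$1" | json_field client_email)
  [ "$_type" = "service_account" ] || return 1
  [ -n "$_proj" ] && [ -n "$_mail" ] || return 1
  printf '%s\n' "$_proj"
}

# Activate the service account from stdin (key is never written to disk) and
# pin the project via the CLOUDSDK_CORE_PROJECT property variable, so neither
# an interactive `gcloud init` nor a stored key file is required.
gcloud_noninteractive_auth() {  # $1 = key JSON; prints the project id used
  _proj=$(validate_sa_key "$1") || { echo "invalid service account key" >&2; return 1; }
  CLOUDSDK_CORE_PROJECT="$_proj"; export CLOUDSDK_CORE_PROJECT
  printf '%s' "$1" | "$GCLOUD_BIN" auth activate-service-account --key-file - >/dev/null || return 1
  printf '%s\n' "$_proj"
}

# Constructed sample key with placeholder values; not a real credential.
SAMPLE_KEY='{"type":"service_account","project_id":"example-project-123",
 "private_key_id":"PLACEHOLDER","private_key":"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
 "client_email":"acme-dns@example-project-123.iam.gserviceaccount.com"}'

# Run with `sh this.sh run` and a real key in GCP_SERVICE_ACCOUNT_KEY_VALUE.
if [ "${1:-}" = "run" ]; then
  gcloud_noninteractive_auth "${GCP_SERVICE_ACCOUNT_KEY_VALUE:-$SAMPLE_KEY}"
fi
```

Once this has run, the `gcloud dns record-sets` commands the acme.sh Google Cloud DNS hook issues inherit both the active account and the project from the environment.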

                  @user1234 Was this resolved in the end? I am also looking into how to do this.

                  • heitbaum (replying to rbron01) wrote:

                    @rbron01 - I saw your post and was having the same issue last night. I created a couple of PRs that hopefully head in the right direction for both Google ACME support and GoogleDomain support.

                    • https://github.com/pfsense/FreeBSD-ports/pull/1246 (tested as working)
                    • https://github.com/pfsense/FreeBSD-ports/pull/1247 (waiting on upstream)
                    • rbron01 (replying to heitbaum) wrote:

                      @heitbaum
                      Netgate mentioned in a tweet to me that development is working on it.

                      However did not see any movement on it :).

                      • user1234 (replying to rbron01) wrote:

                        @rbron01 I opened a PR with acme.sh which collected dust for 2 years… having grown tired of seeing it in my GitHub dashboard, I deleted my fork and closed the PR a few weeks ago. A bit silly, all it took was a button to get it merged.

                        Here’s the PR: https://github.com/acmesh-official/acme.sh/pull/3532.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.