How to Install Certificates from PFsense to other servers?
-
@Gertjan I presented 2 methods. The 1st method is simple and helps to understand the process. 2nd method is better practice but more work. Sorry can't figure out how to add screenshots. I don't use my cert on the webgui (so don't need and didn't show the webgui command). The point of my post was more to share the precious script that gives us a way to use built-in pfsense code to refresh certificates - the secret sauce of the whole thing. There are many different ways to use it.
First method suggests to use the ACME action list on the source server like you have shown but I caution that this method requires root access from source host to the target pfsense hosts to run the script. 2nd method is to use ACME global setting (general settings - write certificates) to copy the certificate to /cf/conf/acme (no other ACME actions needed) or to another machine (with ACME action needed), then install cron pkg on each of the targets and run the actions weekly on the target hosts which only need to be able to read the certificate from the source host or other machine.
-
@victorlclopes
Thanks for your how-to, used it since some month ago...But I have an issue regarding to copy certificates to more then one server in Action list:
As to see I have tried both, an one liner or two separate commands (last temporary disabled for one liner test).
Both is working directly from pfsense CLI without interaction (based idea).
In case of renewal (last night) system log shows with then enabled command, but second server (10.0.0.103) never connected by ssh given by the logs there...
Does anyone have any experience or hints here?
-
If the first part of the third action worked : what about using a forth - the one you've disabled ?
Be aware : we don't know nothing about the shell session used to fire up the actions.
Do what the first and second action imply : instead of just 'scp', use the full path of the command scp. After all, whatever the environnement is, its not the CLI.Of write a shell script, and then fire up a shell that executes the script for you.
With some nice log lines like "command 1 done", "command 2 done" etc -
@Gertjan said in How to Install Certificates from PFsense to other servers?:
If the first part of the third action worked : what about using a forth - the one you've disabled ?
This is what I have tried to describe. Two separate scp commands doesn't worked for the second (here the forth) one.
Be aware : we don't know nothing about the shell session used to fire up the actions.
Do what the first and second action imply : instead of just 'scp', use the full path of the command scp. After all, whatever the environnement is, its not the CLI.Of write a shell script, and then fire up a shell that executes the script for you.
With some nice log lines like "command 1 done", "command 2 done" etcYou are absolutely right, this is what I have to do...
Will be back in two month.... SMILEY! -
Still doesn't worked for the second copy in my script:
upcoming execution is logged:
Aug 4 03:16:45 php 38555 Acme, Running /home/USER/acme_post_scp.sh Aug 4 03:16:45 php 38555 Acme, Running /usr/local/etc/rc.d/haproxy.sh restart Aug 4 03:16:45 php 38555 Acme, Running /etc/rc.restart_webgui
the running itself:
Aug 4 03:16:46 php-cgi 39623 rc.restart_webgui: Creating rrd update script Aug 4 03:16:46 php-cgi 43383 haproxy: started new pid:47385 Aug 4 03:16:46 php-cgi 43383 haproxy: reload old pid:80851
The simple echos in script doesn't find in no way into pfsense system logs, only in shell directly, but the first certificate copy to 10.0.0.100 was successful. Still no ssh connection at 10.0.0.103 sysloged there (as above).
-
@Bronko said in How to Install Certificates from PFsense to other servers?:
The simple echos in script doesn't find in no way into pfsense system logs, only in shell directly
Use
logger
command. Does the second remote host log an ssh attempt? -
@darcey said in How to Install Certificates from PFsense to other servers?:
Use
logger
command. Does the second remote host log an ssh attempt?Thanks for logger. As mentioned above, second host never loged an ssh attempt.
-
@Bronko said in How to Install Certificates from PFsense to other servers?:
As mentioned above, second host never loged an ssh attempt.
You are not actually use the 'GUI' as shown above to create that shells script file, right ?
-
@Gertjan said in How to Install Certificates from PFsense to other servers?:
@Bronko said in How to Install Certificates from PFsense to other servers?:
As mentioned above, second host never loged an ssh attempt.
You are not actually use the 'GUI' as shown above to create that shells script file, right ?
Nope, to be save regarding file handling installed Filer package for that...
-
You 'chmod x' the script file as executable ?
(noop, you won't escape from the console or better, SSH )
-
@Gertjan said in How to Install Certificates from PFsense to other servers?:
Be aware : we don't know nothing about the shell session used to fire up the actions.
given by that, used the GUI for file creation and chmod 755 (check picture)
-
@Bronko said in How to Install Certificates from PFsense to other servers?:
But I have an issue regarding to copy certificates to more then one server in Action list:
I have found the missing step:
If you don't use the standard 'admin' group member of 'admins' like me to login into pfsense, you have to extend
/root/.ssh/known_hosts
by your target hosts from/home/USER/.ssh/known_hosts
given by the fact, Actions list jobs running in root context... My fault.Thanks for all your response.
-
@Bronko Suggest to test if .ssh subfolders are persistent after reboot of each machine. FreeBSD typically purges them at reboot. Might need to run a script at boot time to recover them or run script each time you copy the scripts with following options to recreate / ignore the known hosts automatically: scp -o UserKnownHostsFile=/dev/null -o StrictHostKeychecking=no -i /root/.ssh/id_rsa <user>@<cert store host>:/<script>
-
@mwebb said in How to Install Certificates from PFsense to other servers?:
Suggest to test if .ssh subfolders are persistent after reboot
at pfsense they are persistent