pfSense ACME 0.1.23 Package Google Cloud DNS Question



  • I scrolled through the GUI list but didn't see Google Cloud in there. I don't think nsupdate will work but I do know that Google has a system for updating remotely. Is there support for Google's Cloud DNS or will there be any added in the future?



  • You have to set it to DNS-Manual for the time being. It'll give you the details you need to use to make a TXT DNS Record for verification.



  • @homer2320776:

    You have to set it to DNS-Manual for the time being. It'll give you the details you need to use to make a TXT DNS Record for verification.

    I'm not going to manually do anything for an intended automation system. Work smarter not harder. I will continue using CloudFlare if I must, but I'm attempting to integrate my hosting under the Google umbrella for easier management. Domain registrar, DNS, GApps for Business, etc.

    The question I asked is whether or not support is possible or intended and if so when.


  • Rebel Alliance Developer Netgate

    We support the providers supported by the acme.sh project. I don't see anything in their repository or issues about Google Cloud, so it's possible they are not planning support for it or there is no viable API to use it.



  • Ugh, there was an issue for it but it's now closed. 15 days ago. I remember it from last year and assumed it would have been added by now. Guess CloudFlare will have to be it.



  • I'm also considering Google Cloud DNS as a possible service to switch to, and based on the claim below that adding a DNS API script should be "easy" and the extensive Google Cloud DNS API, I won't rule out Google Cloud DNS yet. Something I plan on looking into over the next few weeks. I don't know yet whether the Google Cloud DNS API relies on installing certain Google scripts/libraries which may or may not be feasible to run on pfSense machines.

    https://github.com/Neilpang/acme.sh

    "If your DNS provider is not on the supported list above, you can write your own DNS API script easily. If you do, please consider submitting a Pull Request and contribute it to the project."



  • @jimp Bringing this thread back from the dead...

    It looks like they have support for Google Cloud DNS now (#49 in their list):
    https://github.com/Neilpang/acme.sh/wiki/dnsapi#49-use-google-cloud-dns-api-to-automatically-issue-cert

    I didn't see it as a choice when I installed the 0.6.2 package today. Is there something about this provider that doesn't work with pfSense or FreeBSD? The last commit to the code was back in May (apparently updated to better support *BSD): https://github.com/Neilpang/acme.sh/commit/145b1f4fb3cbeafa167d86f8f6004df194e5cd55


  • Rebel Alliance Developer Netgate

    IIRC, last I saw, it required manually running shell commands to set up the Google Cloud environment authorization with some interactive prompts that can't be automated, so it could not be done completely using a GUI. I may have to check in on it again, though. Kind of tough since I don't have an account set up to use Google Cloud, and no plans to deploy anything there.



  • @jimp

    One possible work-around for the GUI issue is having the user run the interactive prompts locally and upload the resultant file to pfSense? I assume this is a do-once step that would survive reboots, etc?

    I can certainly test if that's on the table, otherwise I may be able to create an IAM account that gives you enough permissions to test. I could also take a stab at a PR, assuming you feel the manual upload idea is workable.

    I had signed up for a G Suite account after discovering that they don't enforce their storage limits. I only recently discovered that this gives me access to whole swaths of other Google services such as their Cloud DNS solution. Amazingly easy to use compared to GoDaddy, cheaper, and as I've discovered they do DNSSEC better (no warnings from the validation tools out there).


  • Rebel Alliance Developer Netgate

    I don't like the idea of uploading arbitrary files like that, for security reasons. Without knowing the contents/format of what it wants, it's hard to say what might be possible here, though. I don't like the idea of requiring non-GUI steps to configure pfSense-specific things like making the user run shell commands to set up auth either.



  • @jimp Got it. Let me play around with this a bit and get back to you. I assume it's just a flat file with some settings. It's possible the shell command mentioned in the ACME docs isn't required -- my understanding of ACME was that it is designed to only use shell commands -- that would necessitate running the google CLI instead of, perhaps, generating the credentials from the Google web GUI.

