PfSense ACME 0.1.23 Package Google Cloud DNS Question

armouredking

I scrolled through the GUI list but didn't see Google Cloud in there. I don't think nsupdate will work but I do know that Google has a system for updating remotely. Is there support for Google's Cloud DNS or will there be any added in the future?

homer2320776

You have to set it to DNS-Manual for the time being. It'll give you the details you need to use to make a TXT DNS Record for verification.

armouredking

@homer2320776:

You have to set it to DNS-Manual for the time being. It'll give you the details you need to use to make a TXT DNS Record for verification.

I'm not going to manually do anything for an intended automation system. Work smarter not harder. I will continue using CloudFlare if I must, but I'm attempting to integrate my hosting under the Google umbrella for easier management. Domain registrar, DNS, GApps for Business, etc.

The question I asked is whether or not support is possible or intended and if so when.

jimp

We support the providers supported by the acme.sh project. I don't see anything in their repository or issues about Google Cloud, so it's possible they are not planning support for it or there is no viable API to use it.

armouredking

Ugh, there was an issue for it but it's now closed. 15 days ago. I remember it from last year and assumed it would have been added by now. Guess CloudFlare will have to be it.

eduardr

I'm also considering Google Cloud DNS as a possible service to switch to, and based on the claim below that adding a dns api script should be "easy" and the extensive Google Cloud DNS API, I won't rule out Google Cloud DNS yet. Something I plan on looking into over the next few weeks. I don't know yet whether the Google Cloud DNS api relies on installing certain Google scripts/libraries which may or may not be feasible to run on pfSense machines.

https://github.com/Neilpang/acme.sh

"If your DNS provider is not on the supported list above, you can write your own DNS API script easily. If you do, please consider submitting a Pull Request and contribute it to the project."

Tantamount

@jimp Bringing this thread back from the dead...

It looks like they have support for Google Cloud DNS now (#49 in their list):
https://github.com/Neilpang/acme.sh/wiki/dnsapi#49-use-google-cloud-dns-api-to-automatically-issue-cert

I didn't see it as a choice when I installed the 0.6.2 package today. Is there something about this provider that doesn't work with pfsense or freebsd? The last commit to the code was back in May (apparently updated to better support *BSD): https://github.com/Neilpang/acme.sh/commit/145b1f4fb3cbeafa167d86f8f6004df194e5cd55

jimp

IIRC, last I saw, it required manually running shell commands to setup the Google Cloud environment authorization with some interactive prompts that can't be automated, so it could not be done completely using a GUI. I may have to check in on it again, though. Kind of tough since I don't have an account setup to use Google Cloud, and no plans to deploy anything there.

Tantamount

@jimp

One possible work-around for the GUI issue is having the user run the interactive prompts locally and upload the resultant file to PfSense? I assume this is a do-once step that would survive reboots, etc?

I can certainly test if that's on the table, otherwise I may be able to create an IAM account that gives you enough permissions to test. I could also take a stab at a PR, assuming you feel the manual upload idea is workable.

I had signed up for a gsuite account after discovering that they don't enforce their storage limits. I only recently discovered that this gives me access to a whole swaths of other Google services such as their Cloud DNS solution. Amazingly easy to use compared to GoDaddy, cheaper, and as I've discovered they do DNSSEC better (No warnings from the validation tools out there).

jimp

I don't like the idea of uploading arbitrary files like that, for security reasons. Without knowing the contents/format of what it wants, it's hard to say what might be possible here, though. I don't like the idea of requiring non-GUI steps to configure pfSense-specific things like making the user run shell commands to setup auth either.

Tantamount

@jimp Got it. Let me play around with this a bit and get back to you. I assume it's just a flat file with some settings. It's possible the shell command mentioned in the ACME docs isn't required -- my understanding of ACME was that it is designed to only use shell commands -- that would necessitate running the google CLI instead of, perhaps, generating the credentials from the Google web GUI.

user1234

@jimp Logging into gcloud without any user interaction is definitely possible. If you would allow, in the pfSense GUI, for users to configure a service account key for Google Cloud DNS, that key could:

be written to disk and it's path saved in the GOOGLE_APPLICATION_CREDENTIALS environment variable. gcloud picks up on this environment variable to pinpoint the location of the credentials file, which it uses to authenticate all outgoing requests. Using this method, no change would be required in the acme-sh Google Cloud DNS script. More details in google cloud's documentation.
be saved into an environment variable passed and then passed as an argument to the acme-sh Google Cloud DNS script which would use it to authenticate gcloud: echo $SERVICE_ACCOUNT_KEY | gcloud auth activate-service-account --key file -. Obviously, this would entail updating the acme-sh script to perform this action.

I'm new to this community and would love to contribute to see this integration happen. Of the above two solutions, which one would you find acceptable?

user1234

@user1234 said in PfSense ACME 0.1.23 Package Google Cloud DNS Question:

@jimp Logging into gcloud without any user interaction is definitely possible. If you would allow, in the pfSense GUI, for users to configure a service account key for Google Cloud DNS, that key could:

be written to disk and it's path saved in the GOOGLE_APPLICATION_CREDENTIALS environment variable. gcloud picks up on this environment variable to pinpoint the location of the credentials file, which it uses to authenticate all outgoing requests. Using this method, no change would be required in the acme-sh Google Cloud DNS script. More details in google cloud's documentation.

be saved into an environment variable passed and then passed as an argument to the acme-sh Google Cloud DNS script which would use it to authenticate gcloud: echo $SERVICE_ACCOUNT_KEY | gcloud auth activate-service-account --key file -. Obviously, this would entail updating the acme-sh script to perform this action.

I'm new to this community and would love to contribute to see this integration happen. Of the above two solutions, which one would you find acceptable?

I was mistaken, the first method of authentication refers to using Google API SDKs. The second one, however, is valid. It is documented here.

The acme-sh wiki also mentions that gcloud will use the default configuration which they do not in any way alter. A gcloud configuration is a saved named preset of a SDK properties.

SDK properties can be set via:

gcloud itself, documented here.
environment variables, documented here.

To summarize the above, in order to authenticate and configure gcloud so that the acme-sh script does not require running the interactive gcloud init, you would have to:

run echo ¨$GCP_SERVICE_ACCOUNT_KEY_VALUE¨ | gcloud auth activate-service-account --key-file -. Where GCP_SERVICE_ACCOUNT_KEY_VALUE contains the value of Google Cloud Service Account key file (creating service account keys).
configure the required gcloud properties to run the commands used in the script. These properties most certainly include the GCP project value. Configuration can be performed either of the above described methods: gcloud config set; environment variables.

None of these steps are interactive. I work a lot with Google Cloud, their SDKs, services and APIs. While the acme-sh wiki Google Cloud DNS is correct to recommend gcloud init to perform authentication and configuration, this is most certainly, as documented by Google, not the only way to do it. CI / CD environments, similar to the use-case here, have a different flow, as I have explained above.

So, I will firstly create a PR to fix documentation in the acme-sh repository so that it is less confusing to people looking to set acme up for working with Google Cloud DNS in a non interactive manner.

Secondly, if there is any way I can help make the above changes to enable the Google Cloud DNS integration in pfSense ACME, I would love to lend a hand.

rbron01

@user1234 What this resolved in the end? I am also looking in how to do this.

heitbaum

@rbron01 - I saw your post and was having the same issue last night. I created a couple of PRs that hopefully head in the right direction for both Google ACME support and GoogleDomain support.

https://github.com/pfsense/FreeBSD-ports/pull/1246 (tested as working)
https://github.com/pfsense/FreeBSD-ports/pull/1247 (waiting on upstream)

rbron01

@heitbaum
Netgate mentioned in a tweet to me that development is working on it.

However did not see any movement on it :).

user1234

@rbron01 I opened a PR with acme.sh which collected dust for 2 years… having grown tired of seeing it in my GitHub dashboard, I deleted my fork and closed the PR a few weeks ago. A bit silly, all it took was a button to get it merged.

Here’s the PR: https://github.com/acmesh-official/acme.sh/pull/3532.