Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    PfSense ACME 0.1.23 Package Google Cloud DNS Question

    Scheduled Pinned Locked Moved ACME
    17 Posts 8 Posters 3.0k Views 7 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • H Offline
      homer2320776
      last edited by

      You have to set it to DNS-Manual for the time being. It'll give you the details you need to use to make a TXT DNS Record for verification.

      1 Reply Last reply Reply Quote 0
      • A Offline
        armouredking
        last edited by

        @homer2320776:

        You have to set it to DNS-Manual for the time being. It'll give you the details you need to use to make a TXT DNS Record for verification.

        I'm not going to manually do anything for an intended automation system. Work smarter not harder. I will continue using CloudFlare if I must, but I'm attempting to integrate my hosting under the Google umbrella for easier management. Domain registrar, DNS, GApps for Business, etc.

        The question I asked is whether or not support is possible or intended and if so when.

        1 Reply Last reply Reply Quote 0
        • jimpJ Offline
          jimp Rebel Alliance Developer Netgate
          last edited by

          We support the providers supported by the acme.sh project. I don't see anything in their repository or issues about Google Cloud, so it's possible they are not planning support for it or there is no viable API to use it.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          T 1 Reply Last reply Reply Quote 0
          • A Offline
            armouredking
            last edited by

            Ugh, there was an issue for it but it's now closed. 15 days ago. I remember it from last year and assumed it would have been added by now. Guess CloudFlare will have to be it.

            1 Reply Last reply Reply Quote 0
            • E Offline
              eduardr
              last edited by

              I'm also considering Google Cloud DNS as a possible service to switch to, and based on the claim below that adding a dns api script should be "easy" and the extensive Google Cloud DNS API, I won't rule out Google Cloud DNS yet. Something I plan on looking into over the next few weeks. I don't know yet whether the Google Cloud DNS api relies on installing certain Google scripts/libraries which may or may not be feasible to run on pfSense machines.

              https://github.com/Neilpang/acme.sh

              "If your DNS provider is not on the supported list above, you can write your own DNS API script easily. If you do, please consider submitting a Pull Request and contribute it to the project."

              1 Reply Last reply Reply Quote 0
              • T Offline
                Tantamount @jimp
                last edited by

                @jimp Bringing this thread back from the dead...

                It looks like they have support for Google Cloud DNS now (#49 in their list):
                https://github.com/Neilpang/acme.sh/wiki/dnsapi#49-use-google-cloud-dns-api-to-automatically-issue-cert

                I didn't see it as a choice when I installed the 0.6.2 package today. Is there something about this provider that doesn't work with pfsense or freebsd? The last commit to the code was back in May (apparently updated to better support *BSD): https://github.com/Neilpang/acme.sh/commit/145b1f4fb3cbeafa167d86f8f6004df194e5cd55

                1 Reply Last reply Reply Quote 1
                • jimpJ Offline
                  jimp Rebel Alliance Developer Netgate
                  last edited by

                  IIRC, last I saw, it required manually running shell commands to setup the Google Cloud environment authorization with some interactive prompts that can't be automated, so it could not be done completely using a GUI. I may have to check in on it again, though. Kind of tough since I don't have an account setup to use Google Cloud, and no plans to deploy anything there.

                  Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                  Need help fast? Netgate Global Support!

                  Do not Chat/PM for help!

                  T 1 Reply Last reply Reply Quote 0
                  • T Offline
                    Tantamount @jimp
                    last edited by

                    @jimp

                    One possible work-around for the GUI issue is having the user run the interactive prompts locally and upload the resultant file to PfSense? I assume this is a do-once step that would survive reboots, etc?

                    I can certainly test if that's on the table, otherwise I may be able to create an IAM account that gives you enough permissions to test. I could also take a stab at a PR, assuming you feel the manual upload idea is workable.

                    I had signed up for a gsuite account after discovering that they don't enforce their storage limits. I only recently discovered that this gives me access to a whole swaths of other Google services such as their Cloud DNS solution. Amazingly easy to use compared to GoDaddy, cheaper, and as I've discovered they do DNSSEC better (No warnings from the validation tools out there).

                    1 Reply Last reply Reply Quote 0
                    • jimpJ Offline
                      jimp Rebel Alliance Developer Netgate
                      last edited by

                      I don't like the idea of uploading arbitrary files like that, for security reasons. Without knowing the contents/format of what it wants, it's hard to say what might be possible here, though. I don't like the idea of requiring non-GUI steps to configure pfSense-specific things like making the user run shell commands to setup auth either.

                      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                      Need help fast? Netgate Global Support!

                      Do not Chat/PM for help!

                      T 1 Reply Last reply Reply Quote 0
                      • T Offline
                        Tantamount @jimp
                        last edited by

                        @jimp Got it. Let me play around with this a bit and get back to you. I assume it's just a flat file with some settings. It's possible the shell command mentioned in the ACME docs isn't required -- my understanding of ACME was that it is designed to only use shell commands -- that would necessitate running the google CLI instead of, perhaps, generating the credentials from the Google web GUI.

                        U 1 Reply Last reply Reply Quote 0
                        • U Offline
                          user1234 @Tantamount
                          last edited by

                          @jimp Logging into gcloud without any user interaction is definitely possible. If you would allow, in the pfSense GUI, for users to configure a service account key for Google Cloud DNS, that key could:

                          • be written to disk and it's path saved in the GOOGLE_APPLICATION_CREDENTIALS environment variable. gcloud picks up on this environment variable to pinpoint the location of the credentials file, which it uses to authenticate all outgoing requests. Using this method, no change would be required in the acme-sh Google Cloud DNS script. More details in google cloud's documentation.
                          • be saved into an environment variable passed and then passed as an argument to the acme-sh Google Cloud DNS script which would use it to authenticate gcloud: echo $SERVICE_ACCOUNT_KEY | gcloud auth activate-service-account --key file -. Obviously, this would entail updating the acme-sh script to perform this action.

                          I'm new to this community and would love to contribute to see this integration happen. Of the above two solutions, which one would you find acceptable?

                          U 1 Reply Last reply Reply Quote 0
                          • U Offline
                            user1234 @user1234
                            last edited by user1234

                            @user1234 said in PfSense ACME 0.1.23 Package Google Cloud DNS Question:

                            @jimp Logging into gcloud without any user interaction is definitely possible. If you would allow, in the pfSense GUI, for users to configure a service account key for Google Cloud DNS, that key could:

                            • be written to disk and it's path saved in the GOOGLE_APPLICATION_CREDENTIALS environment variable. gcloud picks up on this environment variable to pinpoint the location of the credentials file, which it uses to authenticate all outgoing requests. Using this method, no change would be required in the acme-sh Google Cloud DNS script. More details in google cloud's documentation.
                            • be saved into an environment variable passed and then passed as an argument to the acme-sh Google Cloud DNS script which would use it to authenticate gcloud: echo $SERVICE_ACCOUNT_KEY | gcloud auth activate-service-account --key file -. Obviously, this would entail updating the acme-sh script to perform this action.

                            I'm new to this community and would love to contribute to see this integration happen. Of the above two solutions, which one would you find acceptable?

                            I was mistaken, the first method of authentication refers to using Google API SDKs. The second one, however, is valid. It is documented here.

                            The acme-sh wiki also mentions that gcloud will use the default configuration which they do not in any way alter. A gcloud configuration is a saved named preset of a SDK properties.

                            SDK properties can be set via:

                            • gcloud itself, documented here.
                            • environment variables, documented here.

                            To summarize the above, in order to authenticate and configure gcloud so that the acme-sh script does not require running the interactive gcloud init, you would have to:

                            • run echo ¨$GCP_SERVICE_ACCOUNT_KEY_VALUE¨ | gcloud auth activate-service-account --key-file -. Where GCP_SERVICE_ACCOUNT_KEY_VALUE contains the value of Google Cloud Service Account key file (creating service account keys).
                            • configure the required gcloud properties to run the commands used in the script. These properties most certainly include the GCP project value. Configuration can be performed either of the above described methods: gcloud config set; environment variables.

                            None of these steps are interactive. I work a lot with Google Cloud, their SDKs, services and APIs. While the acme-sh wiki Google Cloud DNS is correct to recommend gcloud init to perform authentication and configuration, this is most certainly, as documented by Google, not the only way to do it. CI / CD environments, similar to the use-case here, have a different flow, as I have explained above.

                            So, I will firstly create a PR to fix documentation in the acme-sh repository so that it is less confusing to people looking to set acme up for working with Google Cloud DNS in a non interactive manner.

                            Secondly, if there is any way I can help make the above changes to enable the Google Cloud DNS integration in pfSense ACME, I would love to lend a hand.

                            R 1 Reply Last reply Reply Quote 1
                            • R Offline
                              rbron01 @user1234
                              last edited by

                              @user1234 What this resolved in the end? I am also looking in how to do this.

                              H U 2 Replies Last reply Reply Quote 0
                              • H Offline
                                heitbaum @rbron01
                                last edited by

                                @rbron01 - I saw your post and was having the same issue last night. I created a couple of PRs that hopefully head in the right direction for both Google ACME support and GoogleDomain support.

                                • https://github.com/pfsense/FreeBSD-ports/pull/1246 (tested as working)
                                • https://github.com/pfsense/FreeBSD-ports/pull/1247 (waiting on upstream)
                                R 1 Reply Last reply Reply Quote 0
                                • R Offline
                                  rbron01 @heitbaum
                                  last edited by

                                  @heitbaum
                                  Netgate mentioned in a tweet to me that development is working on it.

                                  However did not see any movement on it :).

                                  1 Reply Last reply Reply Quote 0
                                  • U Offline
                                    user1234 @rbron01
                                    last edited by

                                    @rbron01 I opened a PR with acme.sh which collected dust for 2 years… having grown tired of seeing it in my GitHub dashboard, I deleted my fork and closed the PR a few weeks ago. A bit silly, all it took was a button to get it merged.

                                    Here’s the PR: https://github.com/acmesh-official/acme.sh/pull/3532.

                                    1 Reply Last reply Reply Quote 0
                                    • First post
                                      Last post
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.