Update SSL Certificate from command line



  • I use Letsencrypt wildcard certificates. I need to update the certificate every 90 days. Is there a way to script uploading the new certificate, changing the WebUI to use the new certs, delete the ones and restart the WebUI?

    I'm fairly certain that executing /etc/rc.restart_webgui will restart the UI, but is there any way to transfer the certificates? I found scping the certificates didn't work properly.


  • LAYER 8 Global Moderator

    doesn't the ACME package take care of all of this for you?



  • I'm sorry for being unclear! The certificates are generated on another machine.


  • LAYER 8 Global Moderator

    Again why would you not just use the ACME package? Are you saying your pfsense has no access to internet?

    Then why go through all this hassle - every 90 days. Why not just use your own CA, create a cert for 10 years and trust the CA?



  • @johnpoz said in Update SSL Certificate from command line:

    Again why would you not just use the ACME package?

    If you want an example: Not every hosting company supports RFC2136 style DNS updates, in that case it seems you cannot use the ACME package if you want automatic renewals. I did manage to get around that on a different device, but I have no idea if the ACME package for pfSense can be reconfigured for DIY solutions.

    My setup looks like this: Raspberry Pi with certbot-auto, two bash-scripts that deal with the TXT-record for verification and one PHP-script that's on the webserver with the hostingcompany and has access to CMD_API_DNS_CONTROL (Direct Admin).

    The first bash script (started by certbot-auto just before the actual verification) calls the PHP-script to create the TXT-record for DNS verification, the value of that record is placed in a variable by certbot-auto which is picked up by the bash-scripts and put in the url that calls the PHP-script which then creates the TXT-record. Then the script waits till the dig-command can confirm the DNS-server has picked up the just created TXT-record. After the script ends certbot-auto does the actual verification, followed by the execution of bash-script number two that calls the PHP-script to remove the TXT-record.

    Unless the ACME-package can do that, I'd also like to know if it is possible to scp certificates to pfSense from a different device and then reload the webinterface with the new certificates, from console.


  • LAYER 8 Netgate

    Get/spin up a DNS service that supports RFC2136 and have all your hosts update that instead of using whatever happens to be available at the various datacenters.

    https://www.netgate.com/docs/pfsense/dns/rfc2136-dynamic-dns.html



  • @derelict said in Update SSL Certificate from command line:

    Get/spin up a DNS service that supports RFC2136 and have all your hosts update that instead of using whatever happens to be available at the various datacenters.

    https://www.netgate.com/docs/pfsense/dns/rfc2136-dynamic-dns.html

    That means setting up a 2nd DNS service, while the current one works just fine, only in a different way. The only thing that needs to be done (in my case that is) is calling a specific url before verification with the value of the TXT-record in it and another url for deletion afterwards. Can't something like that be done by the ACME package?

    And there's still no answer to the original question of this topic ;). After a bunch of Googling I did end up finding https://forum.netgate.com/topic/95774/automating-certificate-imports-with-letencrypt-script , but I can't get sed to work: "extra characters after command", plus I found several more questions (dating back years) about managing certificates from the console.


  • LAYER 8 Global Moderator

    Who exactly access your pfsense webgui? Why would you not just put in your own cert via your own trust CA, make it good for 10 years and be done with it?


  • LAYER 8 Netgate

    Sometimes something off the firewall is the best solution.

    That URL was just an example of how you can do your own. There are services you can buy for sure. I know hurricane is at least thinking about implementing RFC2136.

    Until then their regular dyndns is supported in the ACME package. It's free and don't cost nothin. You don't HAVE to use RFC2136.



  • @johnpoz said in Update SSL Certificate from command line:

    Who exactly access your pfsense webgui? Why would you not just put in your own cert via your own trust CA, make it good for 10 years and be done with it?

    Only me, so I initially started using a certificate signed by pfSense configured as CA, but I do would like to see a solution for this. If someone can explain why the sed command in the other topic is giving the error I mentioned I could use that method to add a wildcard certificate from and requested by the Raspberry Pi to pfSense's config file.



  • Well, I ended up making a script of my own and it looks like I've got it working :) , but I'll check again once there's a newer wildcard certificate. The script I made assumes the current certificate and key are stored in text-files, encoded just like in config.xml. Using the contents of those files, a simple search and replace of the certificate and key can be done. There's no need to look for some kind of pattern in config.xml like the script from the other topic, it's just looking for two specific strings and replace them.

    For those who'd like to try it:

    #!/bin/bash
    host="ipaddress"
    username="username"
    password="password"
    certificate="certificate.pem"
    privatekey="privatekey.pem"
    oldcertificate=$(<certificate.crt.old.txt)
    oldprivatekey=$(<certificate.key.old.txt)
    
    mv $certificate $certificate.combo
    csplit -f $certificate.part $certificate.combo '/-----BEGIN CERTIFICATE-----/' '{*}'
    
    for file in $certificate.part*;
    do echo "Processing $file file..";
    output=$(openssl x509 -noout -subject -in $file);
    if [[ $output = *CN=*.* ]]
    then
            mv $file certificate.pem
    fi
    if [[ $output = *Authority* ]]
    then
            mv $file CA_LetsEncrypt.pem
    fi
    done
    
    cert=$(base64 $certificate)
    cert=$(echo $cert | sed "s/ //g")
    key=$(base64 $privatekey)
    key=$(echo $key | sed "s/ //g")
    
    sshpass -p $password scp $username@$host:/conf/config.xml config.xml
    
    if grep "$cert" config.xml > /dev/null
    then
        echo "Identical certificate found, renewal not required"
    else
        echo "Certificate not found, renewal required"
        sed -i -e "s|$oldcertificate|$cert|g" config.xml
        sed -i -e "s|$oldprivatekey|$key|g" config.xml
        echo $cert > certificate.crt.old.txt
        echo $key > certificate.key.old.txt
        sshpass -p $password scp config.xml $username@$host:/conf/config.xml
        sshpass -p $password ssh $username@$host rm /tmp/config.cache
        sshpass -p $password ssh $username@$host /etc/rc.restart_webgui
        find . -size  0 -name $certificate.part* -print0 |xargs -0 rm --
        rm $certificate.combo
        rm certificate.pem
        rm privatekey.pem
        rm CA_LetsEncrypt.pem
        rm config.xml
    fi
    
    


  • This post is deleted!


  • @bartgrefte said in Update SSL Certificate from command line:

    Well, I ended up making a script of my own and it looks like I've got it working :) , but I'll check again once there's a newer wildcard certificate. The script I made assumes the current certificate and key are stored in text-files, encoded just like in config.xml. Using the contents of those files, a simple search and replace of the certificate and key can be done. There's no need to look for some kind of pattern in config.xml like the script from the other topic, it's just looking for two specific strings and replace them.

    For those who'd like to try it:

    #!/bin/bash
    host="ipaddress"
    username="username"
    password="password"
    certificate="certificate.pem"
    privatekey="privatekey.pem"
    oldcertificate=$(<certificate.crt.old.txt)
    oldprivatekey=$(<certificate.key.old.txt)
    
    mv $certificate $certificate.combo
    csplit -f $certificate.part $certificate.combo '/-----BEGIN CERTIFICATE-----/' '{*}'
    
    for file in $certificate.part*;
    do echo "Processing $file file..";
    output=$(openssl x509 -noout -subject -in $file);
    if [[ $output = *CN=*.* ]]
    then
            mv $file certificate.pem
    fi
    if [[ $output = *Authority* ]]
    then
            mv $file CA_LetsEncrypt.pem
    fi
    done
    
    cert=$(base64 $certificate)
    cert=$(echo $cert | sed "s/ //g")
    key=$(base64 $privatekey)
    key=$(echo $key | sed "s/ //g")
    
    sshpass -p $password scp $username@$host:/conf/config.xml config.xml
    
    if grep "$cert" config.xml > /dev/null
    then
        echo "Identical certificate found, renewal not required"
    else
        echo "Certificate not found, renewal required"
        sed -i -e "s|$oldcertificate|$cert|g" config.xml
        sed -i -e "s|$oldprivatekey|$key|g" config.xml
        echo $cert > certificate.crt.old.txt
        echo $key > certificate.key.old.txt
        sshpass -p $password scp config.xml $username@$host:/conf/config.xml
        sshpass -p $password ssh $username@$host rm /tmp/config.cache
        sshpass -p $password ssh $username@$host /etc/rc.restart_webgui
        find . -size  0 -name $certificate.part* -print0 |xargs -0 rm --
        rm $certificate.combo
        rm certificate.pem
        rm privatekey.pem
        rm CA_LetsEncrypt.pem
        rm config.xml
    fi
    
    

    hi @bartgrefte , i had spent a lot time looking for something like that...
    the solution on that topic https://forum.netgate.com/topic/95774/automating-certificate-imports-with-letencrypt-script . not run for me too
    I have an enviroment similar, we generate certificates in a particular server but i need to copy them to another servers in cuestion, for example haproxy, captive portal(over pfsense) (on linux postfix, dovecot, apache webserver realy is easy to import/overwrite files directly and restart), and many others in my internal net without internet access on they, so the acme alone by command line i'm not shure if can be work on internal server and integrate it with the server were the certificate are beig generate.
    On pfsense all are in the xml config and here is were become more complex to me.

    Correctme please, at least to my understanding acme client go to internet letsencrypt services ...validate domain by any method and generate certificate if all are fine...it cam be integrate in same server with many services...,to here fine. ok so whats happend in another pfsense were wee need these certificate too?

    I found another small script writen in php wich it cam be import a certificate including the own system libraries of pfsense on it...
    https://github.com/zxsecurity/pfsense-import-certificate
    with some adjuntemens maby it can run that we wants..
    i had tested it in this afternoon but the name in description cam confuse to the other services because enter a name diferent each time certificate are imported with date time in name descritcion.. can u take a look at here
    tomorrow i will a test your script

    regards
    and sorry about my english



  • @luisenrique said in Update SSL Certificate from command line:

    Correctme please, at least to my understanding acme client go to internet letsencrypt services ...validate domain by any method and generate certificate if all are fine...it cam be integrate in same server with many services...,to here fine. ok so whats happend in another pfsense were wee need these certificate too?

    I am using a Raspberry Pi with certbot-auto to get a wildcard certificate, so it's valid for any device using my domainname. For example pfsense.domainname.com, switch.domainname.com and webmin.domainname.com to name some.

    The only device doing the validating is the Raspberry Pi, the certificate is copied from there. The devices using that certificate don't have to validate it because the Raspberry Pi has already done that.

    Once I got certbot-auto working, it's basically just a matter of copying and importing the certificate and key from (in my case) the Raspberry Pi to other devices.

    If you've got another pfSense install, just modify the script to connect to that one.



  • @bartgrefte said in Update SSL Certificate from command line:

    Once I got certbot-auto working, i

    Hi i was testing u script last friday so i geting somes issues, tomorrow i will tell exactly.. i'm at home rigth now.
    I really do not understand at all, in all or almost all the post I read that acme package does the job of importing the certificate, but my other devices are without connection to the internet, some think like you are describe. it is clear to me that those options are there in the code of acme package to import it into the pfsense interface, but the question would be that parameter is passed for the case that is not to validate or renew the certificate and this only download or copy from or to another devise without internet conection like internal intranet.
    thanks.



  • how about, installing ssl cert in debian os


Log in to reply