Netgate Discussion Forum

Update SSL Certificate from command line

webGUI
20 Posts 8 Posters 12.8k Views
berbec (Jul 6, 2018, 2:10 AM)

I use Let's Encrypt wildcard certificates. I need to update the certificate every 90 days. Is there a way to script uploading the new certificate, changing the WebUI to use the new certs, deleting the old ones and restarting the WebUI?

I'm fairly certain that executing /etc/rc.restart_webgui will restart the UI, but is there any way to transfer the certificates? I found scp'ing the certificates didn't work properly.

johnpoz LAYER 8 Global Moderator (Jul 6, 2018, 2:22 AM)

      doesn't the ACME package take care of all of this for you?

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

berbec (Jul 6, 2018, 3:06 AM)

        I'm sorry for being unclear! The certificates are generated on another machine.

johnpoz LAYER 8 Global Moderator (Jul 6, 2018, 9:26 AM, edited 9:27 AM)

Again, why would you not just use the ACME package? Are you saying your pfSense has no access to the internet?

Then why go through all this hassle every 90 days? Why not just use your own CA, create a cert for 10 years and trust the CA?


bartgrefte @johnpoz (Aug 5, 2018, 12:56 PM, edited 12:59 PM)

            @johnpoz said in Update SSL Certificate from command line:

            Again why would you not just use the ACME package?

If you want an example: not every hosting company supports RFC 2136-style DNS updates; in that case it seems you cannot use the ACME package if you want automatic renewals. I did manage to get around that on a different device, but I have no idea if the ACME package for pfSense can be reconfigured for DIY solutions.

My setup looks like this: a Raspberry Pi with certbot-auto, two bash scripts that deal with the TXT record for verification, and one PHP script that's on the web server at the hosting company and has access to CMD_API_DNS_CONTROL (DirectAdmin).

The first bash script (started by certbot-auto just before the actual verification) calls the PHP script to create the TXT record for DNS verification. The value of that record is placed in a variable by certbot-auto, which is picked up by the bash script and put in the URL that calls the PHP script, which then creates the TXT record. Then the script waits till the dig command can confirm the DNS server has picked up the just-created TXT record. After the script ends, certbot-auto does the actual verification, followed by the execution of bash script number two, which calls the PHP script to remove the TXT record.

Unless the ACME package can do that, I'd also like to know if it is possible to scp certificates to pfSense from a different device and then reload the web interface with the new certificates, from the console.

Derelict LAYER 8 Netgate (Aug 5, 2018, 5:55 PM)

              Get/spin up a DNS service that supports RFC2136 and have all your hosts update that instead of using whatever happens to be available at the various datacenters.

              https://www.netgate.com/docs/pfsense/dns/rfc2136-dynamic-dns.html

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

bartgrefte @Derelict (Aug 6, 2018, 8:53 AM, edited 8:56 AM)

                @derelict said in Update SSL Certificate from command line:

                Get/spin up a DNS service that supports RFC2136 and have all your hosts update that instead of using whatever happens to be available at the various datacenters.

                https://www.netgate.com/docs/pfsense/dns/rfc2136-dynamic-dns.html

                That means setting up a 2nd DNS service, while the current one works just fine, only in a different way. The only thing that needs to be done (in my case that is) is calling a specific url before verification with the value of the TXT-record in it and another url for deletion afterwards. Can't something like that be done by the ACME package?

                And there's still no answer to the original question of this topic ;). After a bunch of Googling I did end up finding https://forum.netgate.com/topic/95774/automating-certificate-imports-with-letencrypt-script , but I can't get sed to work: "extra characters after command", plus I found several more questions (dating back years) about managing certificates from the console.

johnpoz LAYER 8 Global Moderator (Aug 6, 2018, 8:58 AM)

Who exactly accesses your pfSense webgui? Why would you not just put in your own cert via your own trusted CA, make it good for 10 years and be done with it?


Derelict LAYER 8 Netgate (Aug 6, 2018, 9:03 AM)

                    Sometimes something off the firewall is the best solution.

                    That URL was just an example of how you can do your own. There are services you can buy for sure. I know hurricane is at least thinking about implementing RFC2136.

                    Until then their regular dyndns is supported in the ACME package. It's free and don't cost nothin. You don't HAVE to use RFC2136.


bartgrefte (Aug 7, 2018, 5:00 PM)

                      @johnpoz said in Update SSL Certificate from command line:

Who exactly accesses your pfSense webgui? Why would you not just put in your own cert via your own trusted CA, make it good for 10 years and be done with it?

Only me, so I initially started using a certificate signed by pfSense configured as a CA, but I would still like to see a solution for this. If someone can explain why the sed command in the other topic is giving the error I mentioned, I could use that method to add a wildcard certificate from, and requested by, the Raspberry Pi to pfSense's config file.

bartgrefte (Aug 10, 2018, 3:26 PM)

Well, I ended up making a script of my own and it looks like I've got it working :), but I'll check again once there's a newer wildcard certificate. The script I made assumes the current certificate and key are stored in text files, encoded just like in config.xml. Using the contents of those files, a simple search and replace of the certificate and key can be done. There's no need to look for some kind of pattern in config.xml like the script from the other topic does; it just looks for two specific strings and replaces them.

                        For those who'd like to try it:

#!/bin/bash
# Runs on the machine where certbot produced the certificate (a Raspberry Pi here).
# Needs GNU coreutils (base64 -w0, csplit), openssl and sshpass.
host="ipaddress"
username="username"
password="password"
certificate="certificate.pem"   # certbot's fullchain: leaf certificate followed by the chain
privatekey="privatekey.pem"
# The currently installed certificate and key, base64-encoded exactly as in config.xml
oldcertificate=$(<certificate.crt.old.txt)
oldprivatekey=$(<certificate.key.old.txt)

# Split the chain file into one file per certificate
mv "$certificate" "$certificate.combo"
csplit -f "$certificate.part" "$certificate.combo" '/-----BEGIN CERTIFICATE-----/' '{*}'

for file in "$certificate".part*; do
    echo "Processing $file file.."
    # csplit writes an empty file for whatever precedes the first BEGIN line; skip it
    [ -s "$file" ] || continue
    output=$(openssl x509 -noout -subject -in "$file")
    # Older OpenSSL prints "CN=name", newer prints "CN = name"; the pattern accepts both
    if [[ $output = *CN*=*.* ]]; then
        mv "$file" "$certificate"        # the leaf (wildcard) certificate
    elif [[ $output = *Authority* ]]; then
        mv "$file" CA_LetsEncrypt.pem    # the intermediate ("Let's Encrypt Authority X3" at the time)
    fi
done

# pfSense stores each PEM file base64-encoded on a single line
cert=$(base64 -w0 "$certificate")
key=$(base64 -w0 "$privatekey")

sshpass -p "$password" scp "$username@$host:/conf/config.xml" config.xml

if grep -q "$cert" config.xml; then
    echo "Identical certificate found, renewal not required"
else
    echo "Certificate not found, renewal required"
    if [ -z "$oldcertificate" ] || [ -z "$oldprivatekey" ]; then
        echo "Old certificate/key files are empty, refusing to edit config.xml" >&2
        exit 1
    fi
    # base64 output never contains '|', so it is a safe sed delimiter
    sed -i -e "s|$oldcertificate|$cert|g" config.xml
    sed -i -e "s|$oldprivatekey|$key|g" config.xml
    # Upload only if both replacements really happened
    if ! grep -q "$cert" config.xml || ! grep -q "$key" config.xml; then
        echo "Old certificate or key not found in config.xml, nothing uploaded" >&2
        exit 1
    fi
    echo "$cert" > certificate.crt.old.txt
    echo "$key" > certificate.key.old.txt
    sshpass -p "$password" scp config.xml "$username@$host:/conf/config.xml"
    # pfSense caches the parsed config; drop it so the new file is read, then restart the GUI
    sshpass -p "$password" ssh "$username@$host" rm /tmp/config.cache
    sshpass -p "$password" ssh "$username@$host" /etc/rc.restart_webgui
    rm -f "$certificate".part* "$certificate.combo" "$certificate" "$privatekey" CA_LetsEncrypt.pem config.xml
fi

luisenrique @bartgrefte (Feb 1, 2019, 4:41 AM)

                            @bartgrefte said in Update SSL Certificate from command line:

Well, I ended up making a script of my own and it looks like I've got it working :), but I'll check again once there's a newer wildcard certificate. The script I made assumes the current certificate and key are stored in text files, encoded just like in config.xml. Using the contents of those files, a simple search and replace of the certificate and key can be done. There's no need to look for some kind of pattern in config.xml like the script from the other topic does; it just looks for two specific strings and replaces them.


Hi @bartgrefte, I had spent a lot of time looking for something like that...
The solution in that topic https://forum.netgate.com/topic/95774/automating-certificate-imports-with-letencrypt-script did not run for me either.
I have a similar environment: we generate certificates on a particular server, but I need to copy them to the other servers in question, for example haproxy, captive portal (on pfSense) (on Linux, postfix, dovecot and the apache webserver are really easy, just import/overwrite the files directly and restart), and many others in my internal net without internet access on them, so I'm not sure the acme client alone on the command line can work on an internal server and be integrated with the server where the certificates are being generated.
On pfSense everything is in the XML config and that is where it becomes more complex for me.

Correct me please, at least to my understanding the acme client goes to the Let's Encrypt services on the internet... validates the domain by any method and generates the certificate if all is fine... it can be integrated on the same server with many services... so far fine. OK, so what happens on another pfSense where we need these certificates too?

I found another small script written in PHP which can import a certificate using pfSense's own system libraries...
https://github.com/zxsecurity/pfsense-import-certificate
With some adjustments maybe it can do what we want..
I tested it this afternoon, but the name in the description can confuse the other services, because it enters a different name each time a certificate is imported, with the date and time in the description name.. Can you take a look at it?
Tomorrow I will test your script.

Regards,
and sorry about my English

bartgrefte @luisenrique (Feb 2, 2019, 11:52 AM, edited 11:57 AM)

                              @luisenrique said in Update SSL Certificate from command line:

Correct me please, at least to my understanding the acme client goes to the Let's Encrypt services on the internet... validates the domain by any method and generates the certificate if all is fine... it can be integrated on the same server with many services... so far fine. OK, so what happens on another pfSense where we need these certificates too?

I am using a Raspberry Pi with certbot-auto to get a wildcard certificate, so it's valid for any device using my domain name. For example pfsense.domainname.com, switch.domainname.com and webmin.domainname.com, to name some.

                              The only device doing the validating is the Raspberry Pi, the certificate is copied from there. The devices using that certificate don't have to validate it because the Raspberry Pi has already done that.

                              Once I got certbot-auto working, it's basically just a matter of copying and importing the certificate and key from (in my case) the Raspberry Pi to other devices.

                              If you've got another pfSense install, just modify the script to connect to that one.

luisenrique @bartgrefte (Feb 4, 2019, 1:59 AM)

                                @bartgrefte said in Update SSL Certificate from command line:

                                Once I got certbot-auto working, i

Hi, I was testing your script last Friday and I got some issues; tomorrow I will tell you exactly.. I'm at home right now.
I really do not understand at all: in all or almost all the posts I read that the acme package does the job of importing the certificate, but my other devices are without connection to the internet, something like you describe. It is clear to me that those options are there in the code of the acme package to import it into the pfSense interface, but the question would be which parameter is passed for the case where it is not to validate or renew the certificate and only downloads or copies it from or to another device without internet connection, like an internal intranet.
Thanks.

marksantos (Mar 12, 2019, 1:45 PM)

How about installing an SSL cert in Debian OS?

Callan05 @bartgrefte (May 28, 2019, 11:21 PM)

@bartgrefte Hi Bart, is this still your latest version of this script?
I just installed a LE wildcard cert manually into pfSense and would like to automate this from my other machine where the LE client runs.

                                    Thanks,
                                    Callan

bartgrefte @Callan05 (May 29, 2019, 8:20 AM)

                                      @Callan05 said in Update SSL Certificate from command line:

@bartgrefte Hi Bart, is this still your latest version of this script?
I just installed a LE wildcard cert manually into pfSense and would like to automate this from my other machine where the LE client runs.

                                      Thanks,
                                      Callan

                                      Yep, it is, haven't had the need to change it. Still works :)

bartgrefte @Callan05 (Oct 8, 2019, 4:37 PM, edited Oct 9, 2019, 4:53 PM)

@Callan05 I updated the script a little bit; now it's no longer necessary to look up the old certificate and key, the script does that itself :) One thing needs to be checked: the name of the certificate to replace in pfSense. In this script the name contains "WebConfCA". If it's called differently, that needs to be replaced.

#!/bin/bash
# Same as the earlier script, but reads the installed certificate and key out of config.xml
# itself. Needs GNU coreutils (base64 -w0, csplit), openssl and sshpass.
host="ipaddress"
username="username"
password="password"
certificate="certificate.pem"   # certbot's fullchain: leaf certificate followed by the chain
privatekey="privatekey.pem"
certname="WebConfCA"            # <descr> of the certificate to replace in pfSense; adjust if yours differs

# Split the chain file into one file per certificate
mv "$certificate" "$certificate.combo"
csplit -f "$certificate.part" "$certificate.combo" '/-----BEGIN CERTIFICATE-----/' '{*}'

for file in "$certificate".part*; do
    echo "Processing $file file.."
    # csplit writes an empty file for whatever precedes the first BEGIN line; skip it
    [ -s "$file" ] || continue
    output=$(openssl x509 -noout -subject -in "$file")
    # Older OpenSSL prints "CN=name", newer prints "CN = name"; the pattern accepts both
    if [[ $output = *CN*=*.* ]]; then
        mv "$file" "$certificate"        # the leaf (wildcard) certificate
    elif [[ $output = *Authority* ]]; then
        mv "$file" CA_LetsEncrypt.pem    # the intermediate ("Let's Encrypt Authority X3" at the time)
    fi
done

# pfSense stores each PEM file base64-encoded on a single line
cert=$(base64 -w0 "$certificate")
key=$(base64 -w0 "$privatekey")

sshpass -p "$password" scp "$username@$host:/conf/config.xml" config.xml
# The <crt> and <prv> lines follow the <descr> line of the certificate entry in config.xml
oldcertificate=$(grep -A4 "$certname" config.xml | sed -n 's|.*<crt>\(.*\)</crt>.*|\1|p' | head -n 1)
oldprivatekey=$(grep -A4 "$certname" config.xml | sed -n 's|.*<prv>\(.*\)</prv>.*|\1|p' | head -n 1)

if grep -q "$cert" config.xml; then
    echo "Identical certificate found, renewal not required"
else
    echo "Certificate not found, renewal required"
    if [ -z "$oldcertificate" ] || [ -z "$oldprivatekey" ]; then
        echo "No <crt>/<prv> found for \"$certname\" in config.xml, refusing to edit it" >&2
        exit 1
    fi
    # base64 output never contains '|', so it is a safe sed delimiter
    sed -i -e "s|$oldcertificate|$cert|g" config.xml
    sed -i -e "s|$oldprivatekey|$key|g" config.xml
    # Upload only if both replacements really happened
    if ! grep -q "$cert" config.xml || ! grep -q "$key" config.xml; then
        echo "Old certificate or key not found in config.xml, nothing uploaded" >&2
        exit 1
    fi
    sshpass -p "$password" scp config.xml "$username@$host:/conf/config.xml"
    # pfSense caches the parsed config; drop it so the new file is read, then restart the GUI
    sshpass -p "$password" ssh "$username@$host" rm /tmp/config.cache
    sshpass -p "$password" ssh "$username@$host" /etc/rc.restart_webgui
    rm -f "$certificate".part* "$certificate.combo" "$certificate" "$privatekey" CA_LetsEncrypt.pem config.xml
fi

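The sed search-and-replace in both scripts above edits config.xml as flat text, so a mismatch silently leaves the file unchanged and a stray match can alter other entries. This added example (not code from any post in this thread) does the same swap XML-aware: it selects the <cert> whose <descr> matches, refuses anything that is not a single PEM block, leaves every other <cert> alone and reports the "renewal not required" case. The config.xml fragment and PEM contents are constructed placeholders; the element names follow what the scripts' grep/awk rely on, and the refids are made up.

```python
import base64
import re
import xml.etree.ElementTree as ET

# One PEM block: "-----BEGIN <LABEL>-----", body, "-----END <LABEL>-----" (LF line
# endings and a trailing newline, as certbot writes them). Group 1 captures the label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.+?\n-----END \1-----\n", re.S)

def pem_to_pfsense(pem: str) -> str:
    """Encode a PEM file the way pfSense keeps it in <crt>/<prv>: base64 of the whole
    text on one line (what the scripts' base64 step produces)."""
    return base64.b64encode(pem.encode()).decode()

def split_pem(bundle: str) -> list:
    """Return the PEM blocks of a bundle in order. In certbot's fullchain.pem the leaf
    certificate comes first, followed by the issuing chain."""
    return [m.group(0) for m in PEM_BLOCK.finditer(bundle)]

def check_pem(pem: str, kinds: tuple) -> None:
    """Refuse anything that is not exactly one PEM block of an expected type, so neither
    an empty file nor a whole fullchain ends up inside config.xml."""
    labels = PEM_BLOCK.findall(pem)  # with one group, findall yields the labels
    if len(labels) != 1 or labels[0] not in kinds:
        raise ValueError(f"expected one PEM block of {kinds}, got {labels}")

def _find_cert(root: ET.Element, descr: str) -> ET.Element:
    hits = [c for c in root.findall("cert") if (c.findtext("descr") or "").strip() == descr]
    if len(hits) != 1:
        raise LookupError(f"expected exactly one <cert> named {descr!r}, found {len(hits)}")
    return hits[0]

def installed_cert(config_xml: str, descr: str) -> tuple:
    """Return the (crt, prv) base64 strings currently stored for the named certificate."""
    entry = _find_cert(ET.fromstring(config_xml), descr)
    return (entry.findtext("crt") or "").strip(), (entry.findtext("prv") or "").strip()

def replace_cert(config_xml: str, descr: str, cert_pem: str, key_pem: str) -> tuple:
    """Swap <crt>/<prv> of the <cert> whose <descr> is `descr`. Returns (new_xml, changed);
    changed is False when that certificate is already installed (the scripts'
    "renewal not required" case). Other <cert> entries are left untouched."""
    check_pem(cert_pem, ("CERTIFICATE",))
    check_pem(key_pem, ("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"))
    root = ET.fromstring(config_xml)
    entry = _find_cert(root, descr)
    crt, prv = entry.find("crt"), entry.find("prv")
    if crt is None or prv is None:
        raise LookupError(f"<cert> {descr!r} has no <crt>/<prv> elements")
    new_crt = pem_to_pfsense(cert_pem)
    if (crt.text or "").strip() == new_crt:
        return config_xml, False
    crt.text, prv.text = new_crt, pem_to_pfsense(key_pem)
    # ElementTree drops the XML declaration and re-serialises CDATA as escaped text;
    # the result is still valid XML, just not byte-identical to the original file.
    return '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode") + "\n", True

# Constructed placeholders (not real certificates or keys): only the PEM framing matters
# here, since the file contents are stored base64-encoded without being parsed.
OLD_CERT_PEM = "-----BEGIN CERTIFICATE-----\nOLDLEAF\n-----END CERTIFICATE-----\n"
OLD_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nOLDKEY\n-----END PRIVATE KEY-----\n"
NEW_CERT_PEM = "-----BEGIN CERTIFICATE-----\nNEWLEAF\n-----END CERTIFICATE-----\n"
NEW_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nNEWKEY\n-----END PRIVATE KEY-----\n"
CHAIN_PEM = "-----BEGIN CERTIFICATE-----\nINTERMEDIATE\n-----END CERTIFICATE-----\n"
VPN_CERT_PEM = "-----BEGIN CERTIFICATE-----\nVPNLEAF\n-----END CERTIFICATE-----\n"
VPN_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nVPNKEY\n-----END PRIVATE KEY-----\n"
FULLCHAIN_PEM = NEW_CERT_PEM + CHAIN_PEM  # the shape of certbot's fullchain.pem

# Constructed stand-in for /conf/config.xml with two <cert> entries, using the element
# names the scripts' grep/awk rely on (<descr>, <crt>, <prv>); refids are made up.
SAMPLE_CONFIG = f"""<?xml version="1.0"?>
<pfsense>
  <system><webgui><ssl-certref>5b3e1</ssl-certref></webgui></system>
  <cert>
    <refid>5b3e1</refid><descr><![CDATA[WebConfCA]]></descr>
    <crt>{pem_to_pfsense(OLD_CERT_PEM)}</crt>
    <prv>{pem_to_pfsense(OLD_KEY_PEM)}</prv>
  </cert>
  <cert>
    <refid>5b3e2</refid><descr>OpenVPN Server</descr>
    <crt>{pem_to_pfsense(VPN_CERT_PEM)}</crt>
    <prv>{pem_to_pfsense(VPN_KEY_PEM)}</prv>
  </cert>
</pfsense>
"""
```

Write the returned XML to config.xml and then upload it, remove /tmp/config.cache and run /etc/rc.restart_webgui exactly as the scripts do.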
bitranox (Jan 16, 2024, 9:34 AM)

                                          While the proposed solutions here involve directly editing the /conf/config.xml file with scripts, it is important to note that modifying the /conf/config.xml file directly is a delicate operation and should be approached with caution.
                                          If you choose to install such scripts, be sure to create a backup of the /conf/config.xml file before making any changes.

I had a similar task to install Tailscale certificates on the pfSense firewall and created some scripts to import those certificates on pfSense, using acme-command.sh of the acme package.

                                          Github Repository

                                          I might extend that repository with the great ideas and examples of that thread on demand.
