Setting up a Let's Encrypt certificate on OPNsense

Task:
On an OPNsense router, set up a free Let's Encrypt certificate with automatic renewal.
In OPNsense this is handled by the "os-acme-client" plugin. Go to "System > Firmware > Plugins" and install that plugin.

For the record, here is the installation log; it shows which additional packages get pulled in.
***GOT REQUEST TO INSTALL: os-acme-client***
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
New version of pkg detected; it needs to be installed first.
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
	pkg: 1.12.0_1 -> 1.15.6

Number of packages to be upgraded: 1

4 MiB to be downloaded.
[1/1] Fetching pkg-1.15.6.txz: .......... done
Checking integrity... done (0 conflicting)
[1/1] Upgrading pkg from 1.12.0_1 to 1.15.6...
[1/1] Extracting pkg-1.15.6: .......... done
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
The following 12 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	acme.sh: 2.8.7
	bind-tools: 9.16.6
	libidn2: 2.3.0_1
	libunistring: 0.9.10_1
	libuv: 1.39.0
	os-acme-client: 1.36
	py37-dns-lexicon: 3.3.28
	py37-future: 0.18.2
	py37-ply: 3.11
	py37-requests-file: 1.5.1
	py37-tldextract: 2.2.1_2
	socat: 1.7.3.4_1

Number of packages to be installed: 12

The process will require 51 MiB more space.
6 MiB to be downloaded.
[1/12] Fetching os-acme-client-1.36.txz: ........ done
[2/12] Fetching acme.sh-2.8.7.txz: .......... done
[3/12] Fetching socat-1.7.3.4_1.txz: .......... done
[4/12] Fetching bind-tools-9.16.6.txz: .......... done
[5/12] Fetching libidn2-2.3.0_1.txz: .......... done
[6/12] Fetching libunistring-0.9.10_1.txz: .......... done
[7/12] Fetching py37-ply-3.11.txz: .......... done
[8/12] Fetching libuv-1.39.0.txz: .......... done
[9/12] Fetching py37-dns-lexicon-3.3.28.txz: .......... done
[10/12] Fetching py37-tldextract-2.2.1_2.txz: ...... done
[11/12] Fetching py37-requests-file-1.5.1.txz: .. done
[12/12] Fetching py37-future-0.18.2.txz: .......... done
Checking integrity... done (0 conflicting)
[1/12] Installing libunistring-0.9.10_1...
[1/12] Extracting libunistring-0.9.10_1: .......... done
[2/12] Installing libidn2-2.3.0_1...
[2/12] Extracting libidn2-2.3.0_1: .......... done
[3/12] Installing py37-ply-3.11...
[3/12] Extracting py37-ply-3.11: .......... done
[4/12] Installing libuv-1.39.0...
[4/12] Extracting libuv-1.39.0: .......... done
[5/12] Installing py37-requests-file-1.5.1...
[5/12] Extracting py37-requests-file-1.5.1: .......... done
[6/12] Installing socat-1.7.3.4_1...
[6/12] Extracting socat-1.7.3.4_1: ......... done
[7/12] Installing bind-tools-9.16.6...
[7/12] Extracting bind-tools-9.16.6: .......... done
[8/12] Installing py37-tldextract-2.2.1_2...
[8/12] Extracting py37-tldextract-2.2.1_2: .......... done
[9/12] Installing py37-future-0.18.2...
[9/12] Extracting py37-future-0.18.2: .......... done
[10/12] Installing acme.sh-2.8.7...
===> Creating groups.
Creating group 'acme' with gid '169'.
===> Creating users
Creating user 'acme' with uid '169'.
===> Creating homedir(s)
[10/12] Extracting acme.sh-2.8.7: .......... done
[11/12] Installing py37-dns-lexicon-3.3.28...
[11/12] Extracting py37-dns-lexicon-3.3.28: .......... done
[12/12] Installing os-acme-client-1.36...
[12/12] Extracting os-acme-client-1.36: .......... done
Stopping configd...done
Starting configd.
Migrated OPNsense\AcmeClient\AcmeClient from 0.0.0 to 1.6.2
Reloading plugin configuration
Configuring system logging...done.
Reloading template OPNsense/AcmeClient: OK
=====
Message from acme.sh-2.8.7:

--
This script will create the following directories if they do not exist:

~acme/.acme.sh
~acme/certs

The script will also install ~acme/.acme.sh/account.conf.sample which has
sane defaults. Copy this to ~acme/.acme.sh/account.conf and edit contents
to suit.

In the /usr/local/share/examples/acme.sh directory, you can find the dnsapi
scripts which will be useful if you decide to use dns-01 challenges. Also
included are the deploy scripts.

A newsyslog.conf sample file is provided at
/usr/local/share/examples/acme.sh/acme.sh.conf and you could create a
symlink from that to /usr/local/etc/newsyslog.conf.d/

Your sample cronjob looks like this:

############################################################################
$ sudo crontab -l -u acme

# use /bin/sh to run commands, overriding the default set by cron
SHELL=/bin/sh

# mail any output to here, no matter whose crontab this is
MAILTO=dan@example.org

7 22 * * * /usr/local/sbin/acme.sh --cron --home /var/db/acme/.acme.sh > /dev/null
############################################################################

Change x & y to some minute and hour of the day.
Checking integrity... done (0 conflicting)
Nothing to do.
***DONE***
Now move on to the settings: Services > Let's Encrypt > Accounts

Add a new account

Add a validation method: Services > Let's Encrypt > Validation Methods

Configure it

Add a certificate

Configure the certificate

After adding it, click the button to request (issue) the certificate

For OPNsense to start using the certificate, select the certificate we just added

To verify, open System > Trust > Certificates and check that the certificate is present

Open any browser and inspect the certificate
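The browser check above is a one-off; since the whole point is automatic renewal, it helps to repeat the same check from a script so you notice when renewal silently stops. This is an added example and not code from the post or from the os-acme-client plugin; the host name fw.example.org and the 20-day threshold are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed values (not from the post): point these at your own OPNsense GUI.
OPNSENSE_HOST = "fw.example.org"
OPNSENSE_PORT = 443
# acme.sh renews a 90-day Let's Encrypt certificate long before it expires, so
# fewer remaining days than this means the automatic renewal has stopped working.
WARN_DAYS = 20


def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """Connect to the OPNsense web GUI and return its decoded leaf certificate.

    create_default_context() verifies the chain against the system trust store,
    so a self-signed or expired certificate raises ssl.SSLCertVerificationError.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def evaluate_cert(cert: dict, host: str, now: "datetime | None" = None,
                  warn_days: int = WARN_DAYS) -> dict:
    """Check issuer, SAN coverage and remaining validity of a getpeercert() dict."""
    now = now or datetime.now(timezone.utc)
    issuer = {name: value for rdn in cert.get("issuer", ()) for name, value in rdn}
    # notAfter is "Mon DD HH:MM:SS YYYY GMT"; cert_time_to_seconds parses it as UTC.
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (not_after - now).days
    # Exact DNS SAN match only; wildcard entries are not expanded here.
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    result = {
        "issuer": issuer.get("organizationName"),
        "is_letsencrypt": issuer.get("organizationName") == "Let's Encrypt",
        "host_in_san": host in dns_names,
        "days_left": days_left,
    }
    result["ok"] = result["is_letsencrypt"] and result["host_in_san"] and days_left >= warn_days
    return result


if __name__ == "__main__":
    report = evaluate_cert(fetch_peer_cert(OPNSENSE_HOST, OPNSENSE_PORT), OPNSENSE_HOST)
    print(report)
    raise SystemExit(0 if report["ok"] else 1)  # non-zero exit for cron or a monitoring probe
```

The exit status makes it usable from cron or a monitoring system, so a failed renewal is reported before the certificate actually expires.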
