Differences

This shows you the differences between two versions of the page.

--- en:utility-scripts:pfxexx [2025/03/14 15:15] – Webmaster VitaNetworks
+++ en:utility-scripts:pfxexx [2025/03/14 15:46] (current) – Webmaster VitaNetworks
@@ Line 1: / Line 1: @@
 ====== pfxexx (What is this?) ======
+PFX exporter for OPNsense's ACME plugin's certificates. A bash script.
+===== Background ======
+The ACME client on OPNsense has a lot of useful utilities (such as installing certificates on Synology's DSM and automated push over SSH that though doable on other systems, each user admin has to come up with their own scheme. It's not perfect, as everything-else-OPNsense, it's poorly documented but it does the job nevertheless.
+Certain servers require PFX certificates and will refuse other formats. PFX are bundle files, that usually include the whole chain of certificates (public keys) as well as the private key of the issued certificate. Since they have a private key, they also often have a password protecting them. You may skip this password but you will still have to press return/enter to accept it //IF// the recipient server tolerates it, most will not and they will refuse it outright.
+===== How does it work? =====
+The original idea for this was to add an automation per certificate so the process would focus only on that certificate, but there's no documentation about it (on OPNsense's documentation at least) so instead it works in bulk.
+The ACME plugin creates a random directory under ''/var/etc/acme-client/certs'' where it puts the public keys and a matching directory on ''/var/etc/acme-client/keys'' where the private keys are stored. The randomness of this directory is in part why a targeted approach couldn't be made yet.
+So instead the script will:
+. Find subdirectories of:
+.1 ''/var/etc/acme-client/certs'' where it will seek the files named:
+.1.1 ''cert.pem'' and
+.1.2 ''chain.pem''
+.2 ''/var/etc/acme-client/keys'' where it will seek the file named:
+.2.1 ''private.key''
+. If all files are found under the matching directory name, it will proceed to decode the common name (cn) value of the certificate
+. It will retrieve the passphrase stored in the file referenced by variable ''pfile'', by default it's on ''/var/etc/acme-client/pfiles/std''
+. Using the CN value, and the password from pfile; it will create a new PFX file in ''/var/etc/acme-client/pfx''
+===== Installation =====
+There's nothing to install, except maybe bash since it's a bash script. The commands in the script fail if run in OPNsense's default shell.
+''/var/etc/acme-client'' is a logical location for the scripts of this kind, but much like pfSense or VyOS, OPNsense overwrites as much as it needs to during updates/upgrades except for a few safe places: ''/config'' on VyOS, ''/root'' in pfSense/OPNsense.
+You don't need to transfer files to the firewall, as out sites allow hotlinking, you can just use curl to get the script if you please. Additionally, on a non-console terminal you can paste the code (shown below). OPNsense includes the ''edit'' and ''vi'' text editors. If you've never used ''vi''/''vim'', stick to ''edit''.
+Assuming you'll be downloading to ''/var/etc/acme-client/scripts'', you need to:
+. Create a save location if it doesn't already exist:
+  mkdir -p ''/var/etc/acme-client/scripts''
+  The command above does nothing if the directory already exists.
+. Download:
+curl -o <destination-filename(-and-path)> <source-URL> e.g;
+<code bash>
+curl -o /var/etc/acme-client/scripts/pfxexx https://ref.vitanetworks.link/_export/code/en/utility-scripts/pfxexx?codeblock=0
+</code>
+===== Options/Syntax =====
+Neither of the only two options affect how the script works, they only affect the amount of ''stdout''.
+==== --unmute ====
+The script normally discards all output to avoid slowing down firewalls and reduce wearing of flash storage. This option eliminates the discarding of the minimal data it would otherwise output.
+==== --debug ====
+This is for testing the script itself, not so much about certificates. Pretty much a useless option for most people.
+===== Requirements =====
+The script must be edited or at least review to verify the variables are correct at least reviewed edite hard-coded with the variab
+<code bash [enable_line_numbers="true"] pfxexx>
+#!/usr/bin/env bash
+printOPTIONS() {
+  cat << _options
+┌────────────────────────────────────────────────────────────────────────────i─┐
+│ pfxexx — PFX Exporter for the ACME plugin on OPNsense                        │
+│ Copyright (C) 2025  Gustavo Domínguez                                        │
+│ GNU General Public License version 3                                         │
+├─────────────────────────────────────────────────────────OPTIONS/REQUIREMENTS─┤
+│ There are no real options*, only requirements:                               │
+│ 1. The script requires bash to run. To install run: 'pkg install -y bash'.   │
+│ 2. Variables must be reviewed or changed before running the script.          │
+│    - Likely the most important will be the password file, the "pfile" from   │
+│      which a password will be read in order to set it on PFX exports.        │
+│                                                                              │
+│ *: except for --unmute and --debug, neither of which affects how the script  │
+│    works in terms of exporting PFXs. See more info at:                       │
+│    https://ref.vitanetworks.link/en/utility-scripts/pfxexx                   │
+├────────────────────────────────────────────────────────────────────────────@─┤
+│ Gustavo Domínguez <deliver@senseivita.com>                                   │
+│ senseivita.com | antipostal.com | vitanetworks.link                          │
+└──────────────────────────────────────────────────────────────────────────────┘
+_options
+}
+restoreOptions(){ set +e ; set +x ; set +v;}
+enableDebugOptions(){ set -e ; set -x ; set -v;}
+trap restoreOptions ERR EXIT
+if [[ $1 =~ "debug" ]]; then enableDebugOptions; fi
+verifiedPieces=''
+cbn='/var/etc/acme-client/certs'
+kbn='/var/etc/acme-client/keys'
+ebn='/var/etc/acme-client/pfx'
+cnlist=''
+pfile='/var/etc/acme-client/pfiles/std'
+main() {
+  checkPfxExportDir() {
+    if ! [[ -d "$ebn" ]]; then
+      mkdir -p "$ebn"
+    fi
+  }
+  candidates=( "$(find "$cbn" -type d -mindepth 1 -print0 | xargs -0 basename -s "$cbn")" )
+  echo "${candidates[*]}"
+  partsCheck() {
+    for i in "${candidates[@]}"; do
+      echo "$i"
+      if [[ -f "$cbn/$i/cert.pem" ]]; then
+        echo "$cbn/$i/cert.pem"
+        if [[ -f "$cbn/$i/chain.pem" ]]; then
+          echo "$cbn/$i/chain.pem"
+          if [[ -f "$kbn/$i/private.key" ]]; then
+            echo "$kbn/$i/private.key"
+            verifiedPieces+=( "$i" )
+          else continue; fi
+        else continue; fi
+      else continue; fi
+    done
+  }
+  exportPFXs() {
+    for iset in "${verifiedPieces[@]}"; do
+      cn=$(openssl x509 -noout -subject -in "$cbn/$iset/cert.pem" | awk '{print $3}')
+      cnlist+=( "$cn" )
+      openssl pkcs12 -export -out "$ebn/$cn.pfx" -inkey "$kbn/$iset/private.key" -in "$cbn/$iset/cert.pem" -certfile "$cbn/$iset/chain.pem" -password file:"$pfile"
+    done
+  }
+  printResuts() {
+    echo Found the following certificates:
+    printf '%s\n' "${cnlist[*]}"
+  }
+if checkPfxExportDir; then
+  if partsCheck; then
+    if exportPFXs; then
+      echo "Finished successfully."
+      printResuts
+    else
+      if [[ $1 =~ "debug" ]]; then echo "Failed exportPFXs"; fi
+      exit
+    fi
+  else
+    if [[ $1 =~ "debug" ]]; then echo "Failed partsCheck"; fi
+    exit
+  fi
+else
+  if [[ $1 =~ "debug" ]]; then echo "Failed checkPfxExportDir"; fi
+  exit
+fi
+}
+while [ "$1" != "" ]; do
+  case "$1" in
+    -h|--help|--options|help) printOPTIONS ;;
+    --debug|debug) shift; main debug ;;
+    --unmute) main ;;
+    *) main > /dev/null 2>&1 ;;
+  esac
+  shift
+done
+</code>