security/acme-client: import attempted from wrong path #4549

Open
backerman opened this issue Feb 15, 2025 · 8 comments
Labels: support (Community support)

Comments

backerman commented Feb 15, 2025


Describe the bug

When a certificate challenge is passed, the certificate/key/chain/etc. are stored in /var/etc/acme-client/cert-home/(certificate ID)/(SAN)/, and the host's certificate and key files begin with the SAN. The import command attempts to find them in /var/etc/acme-client/cert-home/(certificate ID)/ with filenames that don't contain the SAN, which fails.

This functionality worked without issue in the 24.7 series.

To Reproduce
Steps to reproduce the behavior:

  1. Go to the "Certificates" pane in the ACME Client menu.
  2. Click the issue/renew button.
  3. Check the "ACME Log" tab of the "Log Files" pane for the output paths; observe that they are as described above.
  4. Check the "System Log" tab; observe that there is a file not found message for cert.pem in the wrong directory as described.

Expected behavior
The import command imports the certificate from the correct directory, and import is therefore successful.


Relevant log files
System Log:

2025-02-15T00:17:52	opnsense	AcmeClient: unable to import certificate [SAN], file not found: /var/etc/acme-client/certs/[cert ID]/cert.pem
2025-02-14T09:42:08	opnsense	AcmeClient: failed to import certificate: [SAN]
2025-02-14T09:42:08	opnsense	AcmeClient: unable to import certificate [SAN], file not found: /var/etc/acme-client/certs/[cert ID]/cert.pem
2025-02-14T09:42:08	opnsense	AcmeClient: successfully issued/renewed certificate: [SAN]
2025-02-14T09:42:08	opnsense	AcmeClient: AcmeClient: The shell command returned exit code '0': '/usr/local/sbin/acme.sh --renew --syslog 6 --log-level 1 --server 'letsencrypt' --dns 'dns_azure' --dnssleep '120' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/[cert ID]' --certpath '/var/etc/acme-client/certs/[cert ID]/cert.pem' --keypath '/var/etc/acme-client/keys/[cert ID]/private.key' --capath '/var/etc/acme-client/certs/[cert ID]/chain.pem' --fullchainpath '/var/etc/acme-client/certs/[cert ID]/fullchain.pem' --domain '[SAN]' --domain '[SAN]' --days '1' --keylength '4096' --accountconf '/var/etc/acme-client/accounts/[cert ID]_prod/account.conf''

ACME Log:

2025-02-14T09:42:08	acme.sh	[Fri Feb 14 09:42:08 UTC 2025] And the full-chain cert is in: /var/etc/acme-client/cert-home/[cert ID]/[SAN]/fullchain.cer
2025-02-14T09:42:08	acme.sh	[Fri Feb 14 09:42:08 UTC 2025] The intermediate CA cert is in: /var/etc/acme-client/cert-home/[cert ID]/[SAN]/ca.cer
2025-02-14T09:42:08	acme.sh	[Fri Feb 14 09:42:08 UTC 2025] Your cert key is in: /var/etc/acme-client/cert-home/[cert ID]/[SAN]/[SAN].key
2025-02-14T09:42:08	acme.sh	[Fri Feb 14 09:42:08 UTC 2025] Your cert is in: /var/etc/acme-client/cert-home/[cert ID]/[SAN]/[SAN].cer
2025-02-14T09:42:08	acme.sh	[Fri Feb 14 09:42:08 UTC 2025] Cert success.
2025-02-14T09:42:08	acme.sh	[Fri Feb 14 09:42:08 UTC 2025] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/[cert serial]/'


Environment

OPNsense 25.1.1 (amd64).
os-acme-client 4.8
acme.sh 3.1.0

@fraenki fraenki self-assigned this Feb 18, 2025
@fraenki fraenki changed the title acme-client: import attempted from wrong path security/acme-client: import attempted from wrong path Feb 18, 2025
imightbelosthere commented

I'm on the 24.7.12 version and I'm having the same issue on the automation.
Software versions I have:
OPNsense 24.7.12
os-acme-client 4.7
acme.sh 3.1.0

fraenki (Member) commented Mar 6, 2025

The import command attempts to find them in /var/etc/acme-client/cert-home/(certificate ID)/ with filenames that don't contain the SAN, which fails.

This assumption is wrong.

The "cert-home" directory is just the working directory of the underlying acme.sh tool. The Acme Client plugin does NOT import certificates from this directory. As you can see from the System Log, it actually tries to import certificates from the "certs" directory instead.

However, there is something wrong with your Acme Client. Maybe the upgrade to Acme Client 4.0.0 has failed (one year ago). 😢 Please provide the output of the following commands:

grep 'AcmeClient version' /conf/config.xml

ls -l /var/etc/acme-client/certs/[cert ID]
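The distinction fraenki draws above (the plugin imports from certs/&lt;id&gt;/ and keys/&lt;id&gt;/, while cert-home/ is only acme.sh's working directory) can be turned into a quick self-check. The script below is an added example, not code from the os-acme-client plugin or from the reporter; the file names it expects (cert.pem, chain.pem, fullchain.pem, private.key) are taken from the --certpath/--capath/--fullchainpath/--keypath arguments visible in the System Log, and the log lines it parses in the demo are constructed placeholders, not the reporter's real identifiers.

```shell
#!/bin/sh
# Added example, not part of os-acme-client: verify the on-disk layout the
# plugin reads when it imports a certificate. The acme.sh command line in the
# System Log shows the plugin passing --certpath/--capath/--fullchainpath under
# certs/<id>/ and --keypath under keys/<id>/; cert-home/ is only acme.sh's
# working directory and is never the import source.
# Usage: check_acme_layout BASE CERT_ID   (BASE is normally /var/etc/acme-client)
check_acme_layout() {
    base="$1"
    id="$2"
    rc=0
    for rel in "certs/$id/cert.pem" "certs/$id/chain.pem" \
               "certs/$id/fullchain.pem" "keys/$id/private.key"; do
        f="$base/$rel"
        if [ ! -s "$f" ]; then
            echo "MISSING or empty: $f" >&2
            rc=1
        fi
    done
    # The private key must not be readable by "other". Inspect the last
    # permission triplet of ls -l (columns 8-10), which looks the same on BSD
    # and GNU ls, instead of stat(1), whose flags differ between the two.
    key="$base/keys/$id/private.key"
    if [ -f "$key" ]; then
        other=$(ls -ld "$key" | cut -c8-10)
        case "$other" in
            *r*) echo "WARNING: $key is world-readable (other=$other)" >&2; rc=1 ;;
        esac
    fi
    return "$rc"
}

# Read System Log lines on stdin and print the path from every
# "file not found: <path>" message, one per line, so the failing paths can be
# fed straight into ls -l. Lines without that message are skipped.
missing_paths_from_log() {
    sed -n 's/.*file not found: //p'
}

if [ "$#" -eq 2 ]; then
    check_acme_layout "$1" "$2"
else
    # Constructed sample lines in the shape of the issue's System Log
    # (EXAMPLE-ID and example.test are placeholders, not real values).
    printf '%s\n' \
      '2025-02-15T00:17:52 opnsense AcmeClient: unable to import certificate example.test, file not found: /var/etc/acme-client/certs/EXAMPLE-ID/cert.pem' \
      '2025-02-14T09:42:08 opnsense AcmeClient: failed to import certificate: example.test' \
      | missing_paths_from_log
fi
```

Run it as `sh check_acme_layout.sh /var/etc/acme-client <cert ID>` on the firewall; a non-zero exit means the import would fail for a reason the plugin itself can only report as "file not found", and the permission check flags a key that the acme.sh run left readable to every local user.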

imightbelosthere commented Mar 6, 2025

Here it is:
<AcmeClient version="4.2.0">

the ls returned nothing...
ls -l /var/etc/acme-client/certs/
total 0

Although the certificates exist on my system and the renewal worked, just the scp to servers and my HA FW failed.

@fraenki fraenki added the support Community support label Mar 6, 2025
fraenki (Member) commented Mar 6, 2025

@imightbelosthere This is unrelated to the original report. Please report a new issue.

backerman (Author) commented

# grep 'AcmeClient version' /conf/config.xml
    <AcmeClient version="4.2.0">
# ls -l /var/etc/acme-client/certs/(cert id)/
total 14
-rwxr-x---  1 root wheel 2159 Feb 16 08:39 cert.pem
-rwxr-x---  1 root wheel 1802 Feb 16 08:39 chain.pem
-rwxr-x---  1 root wheel 3961 Feb 16 08:39 fullchain.pem

fraenki (Member) commented Mar 6, 2025

@backerman Thanks. So the files are actually available in the filesystem. 🤔 Could you try to re-import the certificate? There's a button in Services: ACME Client: Certificates for this (it should be the 4th button). Please provide the System Log afterwards.

backerman (Author) commented Mar 6, 2025

The reimport button logs:

2025-03-06T22:09:46	config	AcmeClient: updated ACME X.509 certificate: (SAN) ((ID))

And nothing else, even if I set logging to the most verbose option available.

fraenki (Member) commented Mar 6, 2025

So I guess... it's working now? 😕
A filesystem corruption may have caused the first failure.

Are you using the default filesystem or ZFS? You could try to run a fsck (on the default filesystem) or a scrub (on ZFS) to find filesystem defects. Previous filesystem errors may have already been resolved; fsck runs automatically on reboot if the filesystem is marked as "dirty".
