security/acme-client: Request For Short Lived Certificate Support #4572

Open
dsmckone1528 opened this issue Mar 6, 2025 · 2 comments

@dsmckone1528

Is your feature request related to a problem? Please describe.
I'm trialling ACME servers for an internal network, and both issue certificates that expire in less than 1 day, as per the developers' guidelines.
Unfortunately the ACME plugin doesn't support anything less than 1 day, and so a certificate issued to OPNsense expires.

Describe the solution you'd like
I appreciate this topic has been raised before and there was some push back, but this was some time ago
In which case I would ask if it's possible to allow the --days option to be disabled in the certificate
Because the feedback to the previous requesters who asked about this topic was that adding another field for hours was seen as too complicated
But if the command was run without the --days option it should resolve the situation
I think what's required is a basic check to see if the option is disabled, to decide if the parameter should then be simply omitted from the command
The expiry date for the certificate could be left to the CA to decide but a renewal could be forced at any time
For instance every 8 hours as Step-CA suggest for their ACME server

Describe alternatives you've considered
Increasing the expiry length on one of the CAs doesn't work and is being looked into
Running a separate Cron job with acme.sh to renew the certificate without the --days parameter only goes so far because OPNsense is still using the older version
I've tried using lecert.php to complete the process but this isn't working for me
Even one of the examples given doesn't work
lecert.php --mode issue --all
If I run that it just returns the output for the help page
My goal was to use the import option and then restart the web UI as a workaround
Although even if this method could be made to work, it would add a lot more complexity for anyone else interested in short lived certificates

Additional context
There's an example from Smallstep, which shows how the acme.sh client can be used without the --days parameter to provide a viable solution
(https://smallstep.com/blog/private-acme-server/)
So if that could be disabled in the GUI, this should solve the problem

@fraenki
Member

fraenki commented Mar 6, 2025

duplicates #3479

@dsmckone1528
Author

That was the post I was referring to

The reason I raise this topic again is because internal CAs are designed to issue certificates with short lease times

What I'm proposing myself is a simpler alternative to what came out in the previous discussion, which is to simply omit the --days parameter when running the acme.sh command

If a check box for a renewal interval could be added to the GUI, a test could be made to see if it's enabled

Presumably even something as simple as an IF/THEN statement would work in that situation, unless you're generating the command in a more sophisticated way I suppose

But at the point of execution, a basic check could be made

If the option is enabled, run this command
/usr/local/sbin/acme.sh --renew --days '60' ...

Else, run this command
/usr/local/sbin/acme.sh --renew ...

One of the CAs I'm working with for instance issues certificates for 12 hours no matter how long you ask the expiry to be

So like the previous posters, the problem I have is that the plugin won't attempt to renew a certificate like this and so it expires

As an alternative, could you assist with a different solution to this problem?

I've setup my own Cron job to run the same acme.sh renewal command, but without the --days parameter, and it works fine with this CA

But as I'm sure you're well aware, this is only updating the files in the sub-folders of /var/etc/acme-client

What I'm missing is a means to update the certificate used by OPNsense and it doesn't look to involve a simple process of copy this file to that folder

I took a look at the lecert.php script help page and I was thinking I could use the import mode
lecert.php --mode import --cert 00000000-0000-0000-0000-000000000000

But I don't know what the ID for the certificate is

Can you point me to where I can find the UUID?

Or could I use the issue mode instead as that mentions certificate renewals?

There is an example in the help page
lecert.php --mode issue --all

But running that only outputs the help page, suggesting something is going wrong

Having said that, is that what is currently being used by the scheduler to update certificates and is returning this in the logs?
AcmeClient: issue/renewal not required for certificate
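The conditional sketched in the thread (run acme.sh with --days when a fixed renewal interval is configured, omit it otherwise, and drive renewals from a short schedule such as the 8-hour one mentioned for step-ca), written out as an added example. This is not code from the OPNsense acme-client plugin or from acme.sh: the function names, the 25% safety margin, the `run` entry point and the CERT_FILE/DOMAIN variables are all illustrative assumptions. Only `--renew`, `-d` and `--days` are real acme.sh options, and `openssl x509 -checkend` is the standard way to ask whether a certificate expires within N seconds. How the renewed files get imported into the OPNsense certificate store is deliberately not shown, because the thread leaves that question open.

```shell
#!/bin/sh
# Added example; not OPNsense acme-client or acme.sh code.
# Hypothetical helpers for renewing a short-lived (e.g. 12-hour) ACME
# certificate from cron without relying on acme.sh's --days threshold.

ACME_SH="${ACME_SH:-/usr/local/sbin/acme.sh}"

# build_renew_args USE_DAYS DAYS DOMAIN
# Prints the acme.sh argument list. With USE_DAYS=1 the fixed --days value
# is passed (the plugin's current behaviour); otherwise --days is omitted
# so acme.sh follows the lifetime the CA actually issued.
build_renew_args() {
    use_days="$1"
    days="$2"
    domain="$3"
    if [ "$use_days" = "1" ]; then
        printf '%s' "--renew -d $domain --days $days"
    else
        printf '%s' "--renew -d $domain"
    fi
}

# renew_threshold INTERVAL_SECONDS
# Seconds of remaining validity below which we renew: one scheduler
# interval plus a 25% margin (assumed value), so a job that runs every
# INTERVAL seconds always renews before a certificate lapses.
renew_threshold() {
    interval="$1"
    printf '%s' $((interval + interval / 4))
}

# renew_due REMAINING_SECONDS INTERVAL_SECONDS
# True when the certificate has at most renew_threshold seconds left.
renew_due() {
    remaining="$1"
    interval="$2"
    [ "$remaining" -le "$(renew_threshold "$interval")" ]
}

# cert_expires_within CERT_PEM SECONDS
# True when the certificate expires within SECONDS. openssl exits 1 in
# that case, but also on a missing or unparsable file, so check the file
# parses first to avoid treating a read error as "expiring".
cert_expires_within() {
    cert="$1"
    secs="$2"
    openssl x509 -noout -in "$cert" >/dev/null 2>&1 || {
        echo "cannot read certificate $cert" >&2
        return 2
    }
    ! openssl x509 -checkend "$secs" -noout -in "$cert" >/dev/null 2>&1
}

# renew_if_due CERT_PEM INTERVAL_SECONDS USE_DAYS DAYS DOMAIN
# The check the issue asks for, at the point of execution.
renew_if_due() {
    cert="$1"
    interval="$2"
    use_days="$3"
    days="$4"
    domain="$5"
    if cert_expires_within "$cert" "$(renew_threshold "$interval")"; then
        # shellcheck disable=SC2046  # word splitting of the arg list is intended
        "$ACME_SH" $(build_renew_args "$use_days" "$days" "$domain")
    else
        echo "renewal not required for $domain" >&2
    fi
}

# Stand-alone use from a cron entry running every 8 hours (28800 s), with
# placeholder paths/names; for a CA issuing 12-hour certificates USE_DAYS=0:
#   0 */8 * * * CERT_FILE=/path/to/cert.pem DOMAIN=fw.example.internal \
#       /usr/local/bin/renew-short-lived.sh run
if [ "${1:-}" = "run" ]; then
    renew_if_due "${CERT_FILE:?set CERT_FILE}" "${INTERVAL:-28800}" \
        "${USE_DAYS:-0}" "${DAYS:-60}" "${DOMAIN:?set DOMAIN}"
fi
```

With a 12-hour certificate and an 8-hour interval the threshold is 10 hours, so each run renews the certificate issued by the previous run once it has about two hours left, and the lifetime choice stays with the CA rather than with a --days value in the client.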
