First of all I configured the request of a Let's Encrypt certificate on the OPNsense box. As this is rather straightforward I'll skip this.
Configuring the distribution from the OPNsense box to the backend (Domoticz) server is not documented very well, so here are the steps:
On OPNsense:
1. Go to Services >> Let's Encrypt >> Automation
2. Add a new automation and select: "Upload certificate via SFTP"
3. Provide a name, like: "Distribute.cert.HOSTNAME"
4. Provide a description: "Distribute Let's Encrypt cert to backend (SERVERNAME)"
5. Run command, select: "Upload certificate via SFTP"
6. SFTP Host (of backend server): IP ADDRESS of the Domoticz backend server
7. Host key: retrieve the host key of the backend server by logging on to the shell of the OPNsense box and entering the following command:
ssh-keyscan -t ecdsa IP ADDRESS
The output is the host key line that goes into the field; it looks like:
IP address, ‘FQDN of backend’ ecdsa-sha2-nistp256 AAAAxxxxxxxxxzgoM=
Note that ssh-keyscan simply trusts whatever host answers at that address, so compare the key with /etc/ssh/ssh_host_ecdsa_key.pub on the backend itself before accepting it.
8. Username: the USERNAME of the user on the backend server with appropriate access to store certificates (for instance 'pi')
9. Identity type: RSA
10. Remote path: provide the remote path (the automation adds the certificate FQDN as a subdirectory), for example:
/etc/ssl/
11. Click on "show identity"
12. The required parameter (the public key of that identity) is displayed. Insert it into the authorized_keys file of the remote user (pi) on the Domoticz server:
sudo nano /home/pi/.ssh/authorized_keys
Once the test is successful, the automation needs to be added to the certificate request process on the OPNsense box:
14. Go to Services >> Let's Encrypt >> Certificates
15. Open the properties of the certificate to be distributed to the backend server
16. Under Advanced Settings – Automations, add the created automation and save
17. The next time the certificate is renewed, it is installed on the OPNsense box and also distributed to the backend server.
Now switch to the Domoticz box by logging on via SSH and create a bash script that checks for an updated certificate, builds the single server_cert.pem file Domoticz expects, and does some other file handling:
#!/bin/bash
###########################################################################
# /home/pi/domoticz/scripts/bash/certhandling.sh
# Builds one server_cert.pem for Domoticz from the files uploaded by the
# OPNsense automation and keeps the previous generation in n-1.
###########################################################################
DIR=/etc/ssl/FQDN
DIRn=/etc/ssl/FQDN/n
DIRn1=/etc/ssl/FQDN/n-1
FILE=/etc/ssl/FQDN/key.pem

# A fresh key.pem means the automation has just uploaded a renewed certificate.
if test -f "$FILE"; then
    sudo mkdir -p "${DIRn}" "${DIRn1}"
    echo "Move previous certificate to backup n-1 location..."
    sudo mv -f "${DIR}/server_cert.pem" "${DIRn1}"
    echo "Create new PEM certificate for use in Domoticz..."
    # The redirection has to run under sudo as well; otherwise the shell opens
    # the target file as the unprivileged user and the append fails.
    sudo sh -c "cat '${DIR}/key.pem' '${DIR}/cert.pem' '${DIR}/fullchain.pem' >> '${DIR}/server_cert.pem'"
    echo "Move current Let's Encrypt certificates to n location..."
    sudo mv -f "${DIR}/key.pem" "${DIRn}"
    sudo mv -f "${DIR}/cert.pem" "${DIRn}"
    sudo mv -f "${DIR}/fullchain.pem" "${DIRn}"
    sudo mv -f "${DIR}/ca.pem" "${DIRn}"
    echo "Restart Domoticz service..."
    sudo /etc/init.d/domoticz.s
fi
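As an added example that is not part of the original post, here is a hardened variant of the same idea: it refuses to act on a partial upload, builds the bundle atomically with owner-only permissions (server_cert.pem contains the private key, and a plain `cat >>` leaves it world-readable under the default umask), keeps one previous generation in n-1, and restarts only when the bundle actually changed. The directory layout, the function name and the restart command passed as the second argument are assumptions, not something the post or Domoticz defines.

```shell
#!/bin/bash
# Added example, not part of the original post: hardened certhandling variant.
# Assumed (not from the page): the layout DIR/{n,n-1}, a restart command passed
# as the second argument, and that the caller can write to DIR (e.g. via sudo).
set -u

# build_server_cert DIR RESTART_CMD
# returns 0: new bundle installed and the restart command was run
# returns 1: nothing to do (no fresh upload, or identical to the current bundle)
# returns 2: the upload is incomplete or not PEM; nothing was touched
build_server_cert() {
    local dir="$1" restart="$2" f
    local new="$dir/server_cert.pem.new"
    # The automation uploads key.pem only on renewal, so its presence is the trigger.
    [ -f "$dir/key.pem" ] || return 1
    # Refuse to act on a partial upload: every file must exist and look like PEM.
    for f in key.pem cert.pem fullchain.pem ca.pem; do
        grep -q -- '-----BEGIN' "$dir/$f" 2>/dev/null || return 2
    done
    # fullchain.pem already contains cert.pem plus the intermediates, so
    # key + fullchain is the complete bundle; create it with mode 0600 from the start.
    (umask 077 && cat "$dir/key.pem" "$dir/fullchain.pem" > "$new") || return 2
    if [ -f "$dir/server_cert.pem" ] && cmp -s "$dir/server_cert.pem" "$new"; then
        rm -f "$new"      # same certificate re-uploaded: no install, no restart
        return 1
    fi
    # Rotate history: the inputs currently in n become n-1, together with the old bundle.
    mkdir -p "$dir/n"
    rm -rf "$dir/n-1" && mv "$dir/n" "$dir/n-1" && mkdir "$dir/n"
    [ -f "$dir/server_cert.pem" ] && mv -f "$dir/server_cert.pem" "$dir/n-1/"
    # rename() is atomic, so Domoticz never sees a half-written bundle.
    mv -f "$new" "$dir/server_cert.pem"
    for f in key.pem cert.pem fullchain.pem ca.pem; do
        mv -f "$dir/$f" "$dir/n/"
    done
    chmod 600 "$dir/server_cert.pem" "$dir/n/key.pem"
    $restart
}

# Example call (the service name and restart command are assumptions):
# build_server_cert /etc/ssl/FQDN "sudo systemctl restart domoticz"
```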