Implementing custom certificates from System-Trust-Certificates

[Monviech]

This one isn't as straight forward as expected.

OPNsense doesn't store it's certificates as files, they're embedded in the config.xml with a refid. This refid can be cross referenced by using the Models "CertificateField".

General Idea what has to happen:

• [x] An rc.d action has to trigger a prestart script, that writes the certificate .pem and .key into temporary files, for example into the existing folder /usr/local/caddy/certificates. If the certificate is a bundle, the cert and ca part will be included.
• [x] Upon template generation, the certificate has to be implemented with the path /usr/local/caddy/certificates//temp/refid.pem and /usr/local/caddy/certificates/temp/refid.key into the Caddyfile

Every time a reconfigureAct is started, this kind of cycle will be triggered so the certificates are always the same as in the OPNsense Trust store.

• [x] Write a script that extracts and bundles the ca and cert into a .pem bundle and the .key too. ( https://github.com/opnsense/plugins/blob/master/net/freeradius/src/opnsense/scripts/Freeradius/generate_certs.php )
• [x] Write them into the path /usr/local/etc/caddy/certificates/
• [x] Implement the path by using the refid of the certificate field. for example

  foo.example.com {
      tls /usr/local/etc/caddy/certificates/652e3b649f627.pem /usr/local/etc/caddy/certificates/652e3b649f627.key
  }

• [x] Adjust the jinja2 Caddyfile template

[Monviech]

https://github.com/Monviech/os-caddy-plugin/pull/37

[Monviech]

There has to be an option to set a certificate on handles, since Caddy doesn't allow "ignore certificate checks" anymore. If the backend server has a self signed certificate, that certificate has to be imported into the OPNsense Trust store, and then be able to be selected in the handle.

Otherwise this isn't possible: Internet <--HTTPS--> Caddy <--HTTPS--> Backend Server

Example:

foo.example.com {
        handle {
                reverse_proxy 192.168.1.1 {
                        transport http {
                                tls
                                tls_trusted_ca_certs /usr/local/etc/caddy/certificates/temp/32423423.pem
                        }
                }
        }
}

• [ ] These self signed certificates or CA certificates have to be imported into "System: Trust: Authorities"
• [ ] The caddy_certificates.sh script has to write them into a temp folder with their carefid
• [ ] The Handle needs a certificatefield where a CA certificate can be chosen.
• [ ] The Caddyfile template has to implement this option as an additional nesting inside the normal domains, and the subdomains.