opnsense / plugins

OPNsense plugin collection
https://opnsense.org/
BSD 2-Clause "Simplified" License

Caddy - removed unused certificates #4252

Closed roblatour closed 1 month ago

roblatour commented 1 month ago


Is your feature request related to a problem? Please describe. In trying to set up the OPNsense Caddy plugin I created, via the plugin, several certificates that are no longer required. While these appear in the Dashboard Widget 'Caddy Certificates', there does not appear to be any way to remove them via the Web Interface (they also do not show up in System - Trust - Certificates).

Describe the solution you'd like A web interface option in the Caddy Plugin to remove/delete unused/unwanted certificates.

Describe alternatives you've considered I tried to SSH in and identify where they were stored, but could not. Also, I didn't know (assuming I could find them) if simply deleting them would suffice, or if that would cause other issues.


Monviech commented 1 month ago

Hey there,

It's easy to find them. They are here:

https://github.com/opnsense/plugins/blob/110f48dae177830283cbf01b8b442822adb7dfcc/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_diagnostics.py#L135

I don't want to offer any buttons that delete certificates, since I let Caddy have total control over its storage. It has its own routines and meddling with them could lead to weird behavior.

It should be safe for you to delete unwanted certificates manually though.

Monviech commented 1 month ago

I think, reading this, that Caddy has its own cleanup routines that will trigger at certain intervals:

https://caddyserver.com/docs/caddyfile/options#storage-clean-interval

roblatour commented 1 month ago

Thanks for the hint as to where the certificates were stored. More specifically, mine were all found at:

/var/db/caddy/data/caddy/certificates/cleaacme-v02.api.letsencrypt.org-directory

I assume there would have been another sub directory if any were created using ZeroSSL.

In any case, I've manually deleted the ones I don't need via SSH, for example: sudo rm -rf homeassit.example.com and that appears to have worked fine without any negative side effects - and the Dashboard Widget has reflected the changes without me needing to restart the web GUI service as well.

All good.

Thanks again.
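Since the plugin deliberately offers no delete button and the thread leaves cleanup to the administrator, here is an added audit helper (not part of the OPNsense Caddy plugin) that lists certificate directories under Caddy's storage whose hostname no longer appears in the Caddyfile, so you can review candidates before removing anything by hand. The storage root is the one named in this thread; the Caddyfile path and the `<store>/<issuer>/<hostname>/` layout are assumptions.

```shell
#!/bin/sh
# Added example (not the OPNsense Caddy plugin's own code): list certificate
# directories in Caddy's storage whose hostname no longer appears in the
# Caddyfile, i.e. candidates for manual removal. It deletes nothing; that
# decision stays with the administrator. Paths passed in are assumptions.

list_unreferenced_certs() {
    store="$1"      # certificate storage root, e.g. /var/db/caddy/data/caddy/certificates
    caddyfile="$2"  # rendered Caddyfile the plugin feeds to Caddy (path is an assumption)
    [ -d "$store" ] || { echo "no such directory: $store" >&2; return 1; }
    [ -f "$caddyfile" ] || { echo "no such file: $caddyfile" >&2; return 1; }

    # Assumed layout is <store>/<issuer directory>/<hostname>/, so look two levels down.
    find "$store" -mindepth 2 -maxdepth 2 -type d | sort | while read -r dir; do
        host=$(basename "$dir")
        # Substring match is a heuristic: a wildcard entry such as
        # wildcard_.example.com will not literally appear in the Caddyfile,
        # so review the list rather than acting on it blindly.
        if ! grep -qF -- "$host" "$caddyfile"; then
            echo "$dir"
        fi
    done
}

# Stand-alone usage with the storage location from this thread (Caddyfile path assumed).
if [ -d /var/db/caddy/data/caddy/certificates ]; then
    list_unreferenced_certs /var/db/caddy/data/caddy/certificates /usr/local/etc/caddy/Caddyfile
fi
```

Run it as a user that can read Caddy's storage; each printed line is a directory to inspect, not a deletion command.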