opnsense / plugins

OPNsense plugin collection
https://opnsense.org/
BSD 2-Clause "Simplified" License

ACME-Client (Automation to Synology issue) #4286

Open GitTimeraider opened 1 month ago

GitTimeraider commented 1 month ago


Describe the bug

When using the automation rule "Upload certificate to Synology DSM", it fails to authenticate on the Synology NAS. The user login used is an admin account; IP and port are correctly set from the DSM settings. Synology 720+ with DSM 7.2.2-72806. So far tried:


To Reproduce
Steps to reproduce the behavior:
1. Set up an ACME certificate renewal (which does work).
2. Create a user on the Synology NAS and add it to the Administrator group.
3. Create an "Upload certificate to Synology DSM" automation rule in the ACME-client plugin UI.
4. Try running the automation; it fails.

Expected behavior
A certificate being created and/or renewed on the Synology NAS.

Screenshots
Screenshot 2024-10-09 201423 (attached)

Relevant log files
new 1.txt (attached)


Environment
Router: OPNsense 24.7.6-amd64, ACME plugin 4.6
NAS: Synology NAS 7.2.2-72806

GitTimeraider commented 1 month ago

OK.. even when I change the IP address in the automation, it still tries to authenticate against the old IP even though that automation doesn't exist anymore. I think something is going wrong there... any locations I can check out where it saves automations or something?

Every single time it runs it logs: Domain config new key exists, old key SYNO_Port='5010' has been removed. The thing is, though, that I for example want it to use 5010 and the UI has 5010 filled in, but then it removes that and takes a different port.. because F me I guess?

GitTimeraider commented 1 month ago

OK.. found the issue. The ACME-client plugin seems to save automation settings together with the certificate settings somewhere (don't ask me where.. if I knew I would have wiped that stuff out into space already). So the only way was to make a new certificate in the ACME client, and then it did pick up the changes in automation. So... why or where? Because I do NOT want to have to recreate certificates just to adjust automation rules, simply because the plugin doesn't seem to be able to clean those settings up correctly.

MarkusLandgren commented 4 weeks ago

The ACME-client plugin seems to save automation settings together with the certificate settings somewhere (don't ask me where.. if I knew I would have wiped that stuff out into space already)

I have been struggling with the same thing, but was able to find the saved parameters in the file located with:

find /var/etc/acme-client/cert-home/ -name "*.conf" | xargs grep SYNO

Editing that file allowed me to run the automation with the desired port and other parameters. I have not found a proper way of doing this through the web UI.

JoTec2002 commented 2 weeks ago

Same issue here, especially problematic since I want to deploy the same cert to two different NAS systems. For the second NAS, the saved values are always used.

Is it maybe possible to deactivate the saving of the Environment variables?

JerryFrum commented 1 week ago

Same exact error/issue here. Even if you remove the automation and create a brand new one, it seems to still ignore the port. So when I looked at the .conf file for my certificate (using the command MarkusLandgren gave), it showed that I did create a new automation to use HTTPS (from the default HTTP), but despite putting in port 5001, it wouldn't change what's in the conf file from 5000. Manually editing the .conf for that cert fixed things.

I'm going to try creating a new cert to see if it's because I originally created the certs when the automation was using HTTP and port 5000, but then changed it later and it was already stuck using 5000 and ignored any future changes to different ports. 24.7.7 with 4.6 ACME client.

I used this command once I found all the port 5000 ones which should be 5001, and ran it to change them all:

find /var/etc/acme-client/cert-home/ -type f -name "*.conf" -exec sed -i '' 's/5000/5001/g' {} +

That will replace all instances of 5000 with 5001, but ensure first that you don't have any other values that NEED to be 5000. See what Markus' command comes back with to make sure you're not going to mess up other settings first.

mhalife commented 3 days ago

Same issue here too!! I want to deploy the same certificate to two Synology systems. I've tried everything: removing and deleting all directories and then reinstalling the plugin, recreating a new account, challenge, automation and certificate! I tried to modify the config file in "/var/etc/acme-client/cert-home/" but no chance.

JoTec2002 commented 2 days ago

I found a possible root cause of the error but would need some help setting up a viable dev environment to test it out.

In the file https://github.com/opnsense/plugins/blob/master/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php#L141 there is a function to clean up the conf files based on the deploy hook name:

// acme.sh records the last used deploy hook and would automatically
// use it on the next run. This information must be removed from the
// configuration file. Otherwise it would be impossible to disable
// or remove a deploy hook from the GUI.
foreach (glob(self::ACME_HOME_DIR . '/*/*.conf') as $filename) {
    // Skip openssl config files.
    if (preg_match('/.*.csr.conf/i', $filename)) {
        continue;
    }

    // Read contents from file.
    $contents = file_get_contents($filename);

    // Check if deploy hook string can be found.
    if (strpos($contents, self::ACME_DEPLOY_HOOK_STRING) !== false) {
        // Replace the whole line with an empty string.
        $contents = preg_replace('(' . self::ACME_DEPLOY_HOOK_STRING . '.*)', '', $contents);

        // Write changes to the file.
        if (!file_put_contents($filename, $contents)) {
            LeUtils::log_error('clearing recorded deploy hook from acme.sh failed (' . $filename . ')');
        } else {
            LeUtils::log_debug('cleared recorded deploy deploy hook from acme.sh (' . $filename . ')', $this->debug);
        }
    }
}

The Synology deploy hook name is synology_dsm but the variables are SYNO_xxxxx, so they're not getting cleaned up properly. In the logs this would possibly explain the line: Domain config new key exists, old key SYNO_Certificate='OPNsense ACME' has been removed.
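The thread's manual workaround (JerryFrum's global `sed 's/5000/5001/g'`) and the cleanup gap JoTec2002 describes (the plugin strips only the recorded deploy hook line, not the SYNO_* keys) both come down to editing the acme.sh domain .conf files under /var/etc/acme-client/cert-home key by key. The script below is an added example written for this page; it is not code from the OPNsense acme-client plugin or from acme.sh. It assumes the conf format visible in the thread's logs (one `KEY='value'` per line, keys such as SYNO_Port) and additionally matches a SAVED_SYNO_* form, which is an assumption about how newer acme.sh versions store deploy-hook settings. The sample conf and all of its values are constructed for the demo.

```shell
#!/bin/sh
# Added example for this thread; not code from the OPNsense acme-client plugin
# or from acme.sh. Edits acme.sh domain .conf files key by key instead of
# rewriting every "5000" in the file.
#
# Assumptions (labelled): CERT_HOME is the path named in the thread; keys are
# stored one per line as KEY='value'; acme.sh may also store deploy-hook
# settings with a SAVED_ prefix (SAVED_SYNO_Port), so both forms are matched.

CERT_HOME="${CERT_HOME:-/var/etc/acme-client/cert-home}"
SYNO_KEY_RE='^(SAVED_)?SYNO_[A-Za-z0-9_]+='

# Print the Synology-related lines of one domain .conf (exit 1 if none).
list_syno_keys() {
    grep -E "$SYNO_KEY_RE" "$1"
}

# Number of Synology-related lines in one domain .conf (grep -c prints 0
# and exits 1 when nothing matches; treat that as success).
count_syno_keys() {
    grep -cE "$SYNO_KEY_RE" "$1" || [ $? -eq 1 ]
}

# Print the unquoted value of key $2 in conf $1 (empty if absent).
conf_value() {
    sed -n "s/^$2='\(.*\)'\$/\1/p" "$1"
}

# Set key $2 to value $3 in conf $1, appending the key if it is missing.
# The match is on the key name at line start, so changing SYNO_Port from
# 5000 to 5001 cannot touch an unrelated value that happens to contain 5000.
set_conf_key() {
    _f=$1 _k=$2 _v=$3
    _tmp=$(mktemp "${_f}.XXXXXX") || return 1
    awk -v k="$_k" -v v="$_v" '
        index($0, k "=") == 1 { print k "=\047" v "\047"; found = 1; next }
        { print }
        END { if (!found) print k "=\047" v "\047" }
    ' "$_f" > "$_tmp" && mv "$_tmp" "$_f"
}

# Drop every SYNO_* / SAVED_SYNO_* line so the next run takes the values
# the plugin passes in, rather than what acme.sh recorded last time.
# Other keys (Le_Domain, Le_DeployHook, ...) are left untouched.
clear_syno_keys() {
    _f=$1
    _tmp=$(mktemp "${_f}.XXXXXX") || return 1
    { grep -Ev "$SYNO_KEY_RE" "$_f" || [ $? -eq 1 ]; } > "$_tmp" && mv "$_tmp" "$_f"
}

# List domain .conf files under CERT_HOME that still carry Synology keys,
# skipping the openssl *.csr.conf files just as the plugin's cleanup does.
find_confs_with_syno_keys() {
    find "$CERT_HOME" -type f -name '*.conf' ! -name '*.csr.conf' \
        -exec grep -lE "$SYNO_KEY_RE" {} +
}

# Write a constructed sample domain .conf (invented values, for the demo)
# to path $1. Le_NextRenewTime deliberately contains the substring 5000,
# which a global s/5000/5001/g would silently corrupt.
make_sample_conf() {
    cat > "$1" <<'EOF'
Le_Domain='nas.example.internal'
Le_DeployHook='synology_dsm'
SYNO_Port='5000'
SAVED_SYNO_Scheme='http'
Le_Keylength='ec-256'
Le_NextRenewTime='1750000000'
EOF
}

# Stand-alone demo: show the keys, fix the port, then clear all SYNO keys.
if [ "${1:-}" = "--demo" ]; then
    tmpd=$(mktemp -d) && f="$tmpd/nas.example.internal.conf"
    make_sample_conf "$f"
    echo "before:"; list_syno_keys "$f"
    set_conf_key "$f" SYNO_Port 5001
    echo "after set_conf_key:"; list_syno_keys "$f"
    clear_syno_keys "$f"
    echo "after clear_syno_keys: $(count_syno_keys "$f") SYNO keys left"
    rm -r "$tmpd"
fi
```

Run it with `--demo` to see the constructed conf before and after. On a real box, run `find_confs_with_syno_keys` first (it is the equivalent of MarkusLandgren's find/grep, limited to line-start keys and excluding *.csr.conf), back up the files it lists, and prefer `set_conf_key` for a single port change over a global substitution. These files are owned by acme.sh, so the plugin may rewrite them on the next run; this only removes the stale values, it does not change what the plugin records.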