[Solved] Renew/import certificates via CLI?

ndl101
Posts: 59
Joined: Sun Jul 11, 2021 4:32 pm

[Solved] Renew/import certificates via CLI?

Post by ndl101 »

Hi.

TL;DR: How do I automatically renew certificates and import these into ADM Certificate Manager via CLI?

As the Let's Encrypt app currently provided by Asustor only supports http-01 challenges, which require ports 80 and 433 to be exposed, which I do not want, and not dns-01 challenges when handling certificates, I need to do a few things manually.
So, I have generated a certificate via Let's Encrypt with a dns-01 challenge, using a domain provided by Duck DNS and a few shell scripts wrapping ght-acme.sh. This is fine; crt.sh shows the certificate is valid. Importing the certificate manually via ADM Certificate Manager is possible, and the ADM Portal uses it well enough when the certificate is set as default.
I am planning on adding a cron job which attempts to renew the certificate once a month. The issue, however, is that I would like to be able to automatically import the renewed certificate into ADM Certificate Manager from the command line.
I have been digging around the system and the forums a little, and it seems that:
  • certificates handled via ADM Certificate Manager are referenced in /volume0/usr/builtin/etc/certificate/certificate.json and located in /volume0/usr/share/builtin/etc/certificate/ssl/, and perhaps the default certificate is copied to /volume0/usr/share/builtin/etc/certificate/ (although with wrong permissions set). Lighttpd has symbolic links to the previously mentioned location as well, so I am guessing that I might be right.

    $ ls -la /volume0/usr/etc/lighttpd/ | grep ssl
    lrwxrwxrwx    1 root     root            38 Jul 12 22:34 lighttpd.chain -> /usr/builtin/etc/certificate/ssl.chain
    lrwxrwxrwx    1 root     root            36 Jul  6 19:08 lighttpd.pem -> /usr/builtin/etc/certificate/ssl.pem

    /usr/builtin is a symbolic link to /volume0/usr/builtin/, as seen below

    $ ls -la /usr/builtin
    lrwxrwxrwx    1 root     root            20 Jul 19 19:34 /usr/builtin -> /volume0/usr/builtin/

  • There is a cron job defined which supposedly attempts to renew the default certificate

    $ sudo crontab -l | grep certificate
    0 0 * * * TAG=CERTIFICATE /usr/builtin/bin/certificate update-cert

    but I doubt this will work for dns-01 challenges, as I do not think this is supported currently. I have tried calling the binary with different arguments, --help/-h/h/help being some of them, without any response, so currently I do not know if this could be used, but I expect not. This seems to be a binary compiled perhaps from C, so it is not human readable.
  • Digging through the libraries and files in /volume0/usr/builtin/webman (the web application used in ADM Portal), it seems that the application is making client-side calls to /volume0/usr/builtin/webman/portal/certificate.cgi. What language this is written in I do not know, assuming something like Perl or C, but the few human-readable parts indicate that Asustor could be using acmesh-official internally.
While all this is well and good, I am not really any closer to determining how I would go about automatically importing the renewed certificate (nor ensuring almost all services and apps are restarted/reloaded in order to reload the certificate for each of them), except for this:
Remove the Asustor-supported Let's Encrypt app. Manually generate a certificate and manually import this into ADM Certificate Manager. Set up my own certificate renewal scripts via cron, which also restart all services/containers/apps etc. as needed. Finally, just live with the fact that I cannot import the renewed certificate into ADM Certificate Manager automatically from the CLI. However, this does feel like an ugly hack to me.

At this point I am open for suggestions.
Last edited by ndl101 on Sun Aug 01, 2021 4:24 am, edited 2 times in total.

I made it long as I lacked the time to make it short.

---
Help to self-help:
How to ask (good) questions in a forum
---
General information
Location: Denmark
OS: Ubuntu 20.04
NAS: Lockerstor 4 (AS6604T)
Nazar78
Posts: 2080
Joined: Wed Jul 17, 2019 10:21 pm
Location: Singapore

Re: Renew/import certificates via CLI?

Post by Nazar78 »

I was also looking at Asustor's cert manager when I first got the NAS, when Let's Encrypt was a part of it and not separated. I believe there's no way to do this via CLI. The CGIs are written in C, and one has to go to all the trouble of snooping around the binaries just to simulate the CGI requests, including the authentication part. I believe I could break the import/reload hack, but felt it's just a waste of time: if Asustor eventually changes something internally, then I'll have to figure it out again at the next firmware update. I ended up ditching the cert manager and kept using my previous acme setup, which was already set up perfectly as I require, with email notifications, and run it in a chroot to automate the dns-01 renewal. And this wasn't the only reason: the Let's Encrypt app didn't support wildcards at that time, which I needed; not sure now though. I'm running my containers, websites and custom FastCGI apps all behind an nginx reverse proxy, which is also running in the chroot. So the only service I need to auto-reload is nginx upon renewal. An alternative to chroot is to set it up in a container shared among your apps.
AS5304T - 16GB DDR4 - ADM-OS modded on 2GB RAM
Internal:
- 4x10TB Toshiba RAID10 Ext4-Journal=Off
External 5 Bay USB3:
- 4x2TB Seagate modded RAID0 Btrfs-Compression
- 480GB Intel SSD for modded dm-cache (initramfs auto update patch) and Apps

When posting, consider checking the box "Notify me when a reply is posted" to get faster response
ndl101
Posts: 59
Joined: Sun Jul 11, 2021 4:32 pm

Re: Renew/import certificates via CLI?

Post by ndl101 »

I appreciate your reply.

Yeah, my impression was sort of that this was a dead end as well. I already had a reverse proxy in mind for other reasons, and having to restart just the reverse proxy after certificate renewal is far better than having to restart a whole slew of services/containers etc.
So, did you just leave ADM Certificate Manager empty? And if so, has this caused any issues? Or did you just leave the default certificate and have nginx use one from a different location?

Nazar78
Posts: 2080
Joined: Wed Jul 17, 2019 10:21 pm
Location: Singapore

Re: Renew/import certificates via CLI?

Post by Nazar78 »

I just leave the default cert as it is, unused. I do however access the Asustor portal remotely, but the vhost certs are installed in the chroot nginx reverse proxy.
ndl101
Posts: 59
Joined: Sun Jul 11, 2021 4:32 pm

Re: Renew/import certificates via CLI?

Post by ndl101 »

Nazar78 wrote:I just leave the default cert as it is, unused. I do however access the Asustor portal remotely, but the vhost certs are installed in the chroot nginx reverse proxy.
Thank you.

lordtech
Posts: 9
Joined: Thu Dec 19, 2019 9:43 am

Re: [Solved] Renew/import certificates via CLI?

Post by lordtech »

I was trying to also import the renewed certificate into ADM Certificate Manager from the command line... but so far no good.

I found this information that might be useful:

https://github.com/bebo-dot-dev/asustor ... -deploy.sh

cheers
:ugeek: :ugeek: :ugeek: :ugeek:
ndl101
Posts: 59
Joined: Sun Jul 11, 2021 4:32 pm

Re: [Solved] Renew/import certificates via CLI?

Post by ndl101 »

lordtech wrote:I was trying to also import the renewed certificate into ADM Certificate Manager from the command line... but so far no good.

I found this information that might be useful:

https://github.com/bebo-dot-dev/asustor ... -deploy.sh
I appreciate you sharing this.
I have decided to skip ADM Certificate Manager altogether, though, and went with a web application gateway/reverse proxy-like setup. In fact, I am moving towards using the NAS only as a storage and container platform. The web application gateway/reverse proxy setup is still a work in progress but involves
  • a startup script on the NAS killing the ADM-related processes listening on ports 80 and 443
  • a subdomain at duckdns.org, e.g. mysubdomain.duckdns.org, used for dns-01 domain validation while generating a wildcard certificate for this domain (*.mysubdomain.duckdns.org)
  • a docker container running a cron job renewing the IP for the domain at duckdns (mysubdomain.duckdns.org)
  • a local DNS server running in a docker container on the NAS, pointing all requests to *.mysubdomain.duckdns.org towards the reverse proxy on the NAS
  • a reverse proxy (nginx in a docker container) listening on ports 80 and 443, which redirects all HTTP requests to the HTTPS version and then routes requests for *.mysubdomain.duckdns.org to the relevant application (dockerized Portainer, Vaultwarden, Nextcloud etc., e.g. as https://vaultwarden.mysubdomain.duckdns.org)
  • a cron job running in the same docker container as the reverse proxy, doing certificate renewal for *.mysubdomain.duckdns.org and triggering an nginx reload. The certificate is placed on a volume mapped into the container. Currently looking at Certbot, but have looked at other options as well, such as dehydrated, ght-acme.sh etc. (Let's Encrypt has a decent list of usable clients/libraries available)
All of this is available on my LAN or through a VPN should I need it.

I am making an attempt to document this as I go along, but the progress is slow, as my time is limited after having returned from vacation to work. The first part can be found here. If one just wants a combined, ready-to-go solution, or a solution which is exposed to the internet, I suggest looking into SWAG from linuxserver.io, as also mentioned in the "blog post".

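The last step of the setup above (the renewal cron job in the proxy container placing the certificate on the mapped volume and reloading nginx) is where a deploy hook belongs. The script below is an added example, not code from this thread or from any of the clients mentioned; the file names fullchain.pem/privkey.pem, the directories and the reload command are assumptions passed in as arguments. It refuses non-PEM input, installs the key with mode 0600 (the first post noted the default cert being copied with wrong permissions), swaps files atomically so nginx never reads a half-written certificate, and only reloads when the material actually changed.

```shell
#!/bin/sh
# Hypothetical deploy hook for an ACME renewal cron job running beside nginx.
# Usage: deploy_cert NEW_DIR DEST_DIR RELOAD_CMD
#   NEW_DIR    where the ACME client wrote fullchain.pem and privkey.pem (assumed names)
#   DEST_DIR   the volume nginx reads its certificate from
#   RELOAD_CMD shell command that reloads nginx, e.g. "nginx -s reload"
# Prints "installed" or "unchanged" and returns 0; returns 1 on unusable input.
set -eu

deploy_cert() {
    new_dir=$1; dest_dir=$2; reload_cmd=$3
    for f in fullchain.pem privkey.pem; do
        [ -s "$new_dir/$f" ] || { echo "missing or empty $new_dir/$f" >&2; return 1; }
    done
    # Refuse to install something that is clearly not PEM material.
    grep -q 'BEGIN CERTIFICATE' "$new_dir/fullchain.pem" \
        || { echo "fullchain.pem does not contain a PEM certificate" >&2; return 1; }
    grep -q 'PRIVATE KEY' "$new_dir/privkey.pem" \
        || { echo "privkey.pem does not contain a PEM private key" >&2; return 1; }
    mkdir -p "$dest_dir"
    # Skip the reload entirely if nothing changed since the last run.
    if [ -f "$dest_dir/fullchain.pem" ] && [ -f "$dest_dir/privkey.pem" ] \
        && cmp -s "$new_dir/fullchain.pem" "$dest_dir/fullchain.pem" \
        && cmp -s "$new_dir/privkey.pem" "$dest_dir/privkey.pem"; then
        echo unchanged
        return 0
    fi
    # Copy with explicit modes (key readable by owner only), then rename into place
    # so a concurrent nginx reload never sees a partially written file.
    install -m 0644 "$new_dir/fullchain.pem" "$dest_dir/fullchain.pem.tmp"
    install -m 0600 "$new_dir/privkey.pem" "$dest_dir/privkey.pem.tmp"
    mv "$dest_dir/fullchain.pem.tmp" "$dest_dir/fullchain.pem"
    mv "$dest_dir/privkey.pem.tmp" "$dest_dir/privkey.pem"
    sh -c "$reload_cmd"
    echo installed
}
```

Called from the renewal job, e.g. `deploy_cert /acme/live/mysubdomain.duckdns.org /etc/nginx/certs "nginx -s reload"`, it keeps the monthly cron run from reloading nginx when the client did not actually renew.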