SSL

Various common certificate operations

Inspect a certificate.

openssl x509 -text -noout -in foo.crt

Inspect an online server certificate.

openssl s_client -connect ca.lair.lan:443

Add/remove a certificate to/from the computer's trust store

trust anchor --store internal.root.crt
trust anchor --remove internal.root.crt

Acme Client

pacman -S acme.sh socat
acme.sh --issue --standalone -d gotify.vps.lair.lan,10.90.1.40 --server https://acme.lair.lan/acme/failpm/directory --ca-bundle /etc/gotify/ssl/failpm.internal.root.crt --fullchain-file /etc/gotify/ssl/fullchain.pem --key-file /etc/gotify/ssl/key.pem
chown gotify:gotify -R /etc/gotify/ssl/

/etc/systemd/system/acme_cert.service

[Unit]
Description=Renew fail.pm internal certificates using acme.sh
After=network-online.target

[Service]
Type=oneshot
ExecStart=/usr/bin/acme.sh --issue --standalone -d git.vps.lair.lan,10.90.1.10 --server https://acme.lair.lan/acme/failpm/directory --ca-bundle /etc/forgejo/ssl/failpm.internal.root.crt --fullchain-file /etc/forgejo/ssl/fullchain.pem --key-file /etc/forgejo/ssl/key.pem --force
ExecStartPost=/usr/bin/chown forgejo:forgejo -R /etc/forgejo
ExecStartPost=/usr/bin/systemctl restart forgejo.service
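A post-issuance check, added here as an example and not part of the original notes, that acme_cert.service could run between the chown and the forgejo restart: it confirms the fullchain.pem written by acme.sh chains to the internal root, is not about to expire, and carries the names that were requested with -d. The paths and names are the ones from the forgejo unit above; the 7-day threshold and the function names are assumptions of this example, and only the openssl CLI is needed.

```sh
#!/bin/sh
# Post-issuance checks for a certificate written by acme.sh. Added example,
# not from the page: run it before the service restart so a certificate that
# does not verify never reaches the listener. Needs only the openssl CLI.

# cert_chains_to_ca CERT CA_BUNDLE
#   0 if the first certificate in CERT verifies against CA_BUNDLE, using the
#   remaining certificates in CERT (the intermediate) as untrusted links.
cert_chains_to_ca() {
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# cert_valid_for_days CERT DAYS
#   0 if the certificate is still valid DAYS days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# cert_covers_name CERT NAME
#   0 if NAME appears in the subjectAltName list, as a DNS name or an IP.
cert_covers_name() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr -d ' ' | tr ',' '\n' \
        | grep -qxF -e "DNS:$2" -e "IPAddress:$2"
}

# check_issued_cert CERT CA_BUNDLE MIN_DAYS NAME...
#   Runs every check; reports the first failure on stderr and returns 1.
check_issued_cert() {
    cert=$1; ca=$2; min_days=$3; shift 3
    cert_chains_to_ca "$cert" "$ca" \
        || { echo "FAIL: $cert does not chain to $ca" >&2; return 1; }
    cert_valid_for_days "$cert" "$min_days" \
        || { echo "FAIL: $cert expires within $min_days days" >&2; return 1; }
    for name in "$@"; do
        cert_covers_name "$cert" "$name" \
            || { echo "FAIL: $cert does not cover $name" >&2; return 1; }
    done
    echo "OK: $cert chains to $ca and covers: $*"
}

# Paths and names from the forgejo unit above; the 7-day threshold is an
# assumed value chosen for this example.
if [ "${1:-}" = "run" ]; then
    check_issued_cert /etc/forgejo/ssl/fullchain.pem \
        /etc/forgejo/ssl/failpm.internal.root.crt 7 \
        git.vps.lair.lan 10.90.1.10
fi
```

Invoke it as `check_cert.sh run` from an ExecStartPost line placed before the restart line: a non-zero exit stops the unit there, so forgejo keeps serving its previous certificate instead of being restarted onto a broken one.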

/etc/systemd/system/acme_cert.timer

[Unit]
Description=Renew fail.pm internal certificates using acme.sh

[Timer]
Persistent=true
#Run 120 seconds after boot for the first time
OnBootSec=120
#Run every 8 hour thereafter
OnUnitActiveSec=8h
AccuracySec=10m
RandomizedDelaySec=30m

[Install]
WantedBy=timers.target

Acme Server (caddy)

pacman -S caddy

Be mindful of your OS DNS resolver settings if you want to use internal domains!

Setting up our custom PKI

# global options block; the pki app is configured here
{
    pki {
        ca failpm {
            name                  "Fail.pm Inc"
#           root_cn               <name>
#           intermediate_cn       <name>
#           intermediate_lifetime <duration>
            # if using own custom signed cert, e.g. if you already have an internal CA and want to use certs signed by it
#           root {
#               format <format>
#               cert   <path>
#               key    <path>
#           }
#           intermediate {
#               format <format>
#               cert   <path>
#               key    <path>
#           }
        }
    }
}

ca.lair.lan {
    tls {
        issuer internal {
            ca failpm
        }
    }
    acme_server {
        ca failpm
    }
}

Custom CA FreeBSD

In order to be able to use the internal CA we have to add the certificate to the trust store. It would be nice to be able to do this properly in the OPNsense cert manager.

  1. Copy certificate to /usr/local/etc/ssl/certs (create if necessary).
  2. Run certctl rehash - it will put it in all the places necessary and update respective databases/links.

Last modified: Sun Apr 6 20:27:08 2025