security/acme-client: remove acme.sh cert config, refs opnsense#1380

security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/CertificatesController.php

@@ -62,6 +62,16 @@ public function updateAction($uuid)
 
     public function delAction($uuid)
     {
+        # Remove the cert from list of certs known to acme.sh.
+        $mdlAcme = new AcmeClient();
+        if ($uuid != null) {
+            $node = $mdlAcme->getNodeByReference('certificates.certificate.' . $uuid);
+            if ($node != null) {
+                $cert_id = $node->id;
+                $backend = new Backend();
+                $response = $backend->configdRun("acmeclient remove-cert {$cert_id}");
+            }
+        }
         return $this->delBase('certificates.certificate', $uuid);
     }
 

security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php

@@ -86,6 +86,11 @@
         $result = cert_action_validator($options["c"]);
         echo json_encode(array('status'=>$result));
         break;
+    case 'remove':
+        //$result = revoke_cert($options["c"]);
+        $result = cert_action_validator($options["c"]);
+        echo json_encode(array('status'=>$result));
+        exit(1);
     case 'revoke':
         //$result = revoke_cert($options["c"]);
         $result = cert_action_validator($options["c"]);
@@ -179,6 +184,19 @@ function cert_action_validator($opt_cert_id)
                     }
                 }
 
+                // Cert is being removed from the GUI, delete all traces.
+                if ($options["a"] == "remove") {
+                    // Start acme client to remove the certificate
+                    $rev_result = remove_cert($certObj);
+                    if (!$rev_result) {
+                        log_error("AcmeClient: successfully removed acme.sh certificate configuration for " . (string)$certObj->name);
+                        return(0); // Success!
+                    } else {
+                        log_error("AcmeClient: failed to remove acme.sh certificate configuration for " . (string)$certObj->name);
+                        return(1);
+                    }
+                }
+
                 // Make sure we found the configured validation method
                 if ($ref_found == true) {
                     // Was a revocation requested?
@@ -951,6 +969,37 @@ function revoke_cert($certObj, $valObj, $acctObj)
     return($result);
 }
 
+// Remove a cert from list of certs known to acme.sh.
+function remove_cert($certObj)
+{
+    // Prepare optional parameters for acme-client
+    $acme_args = eval_optional_acme_args();
+
+    // Generate certificate filenames
+    $cert_id = (string)$certObj->id;
+
+    // Check if EC certificate is used, if yes add the --ecc parameter to acme client
+    $key_length = (string) $certObj->keyLength;
+    $ecc_param =  " ";
+    if ($key_length == 'key_ec256' || $key_length == 'key_ec384') {
+        $ecc_param =  "--ecc";
+    }
+
+    // Run acme client
+    // NOTE: We "export" certificates to our own directory, so we don't have to deal
+    // with domain names in filesystem, but instead can use the ID of our certObj.
+    $acmecmd = "/usr/local/sbin/acme.sh "
+      . implode(" ", $acme_args) . " "
+      . "--remove "
+      . "--domain " . (string)$certObj->name . " "
+      . "--home /var/etc/acme-client/home "
+      . $ecc_param;
+    $result = mwexec($acmecmd);
+
+    // Simply return acme clients exit code
+    return($result);
+}
+
 function import_certificate($certObj, $modelObj)
 {
     global $config;

security/acme-client/src/opnsense/service/conf/actions.d/actions_acmeclient.conf

@@ -53,6 +53,12 @@ parameters:%s
 type:script
 message:revoking a certificate
 
+[remove-cert]
+command:/usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php -a remove -c
+parameters:%s
+type:script
+message:removing a certificate
+
 [sign-all-certs]
 command:/usr/sbin/daemon -f /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php -a sign -A
 parameters: