security/acme-client: whitespace and style sweep

This commit is contained in:
Franco Fichtner 2017-01-27 08:44:51 +01:00
parent a5c6653e1b
commit 61bed3d8d3
9 changed files with 103 additions and 89 deletions


@ -93,7 +93,7 @@ class AccountsController extends ApiControllerBase
}
} else {
// generate new node, but don't save to disc
$node = $mdlAcme->accounts->account->add() ;
$node = $mdlAcme->accounts->account->add();
return array("account" => $node->getNodes());
}
return array();


@ -94,7 +94,7 @@ class CertificatesController extends ApiControllerBase
}
} else {
// generate new node, but don't save to disc
$node = $mdlAcme->certificates->certificate->add() ;
$node = $mdlAcme->certificates->certificate->add();
return array("certificate" => $node->getNodes());
}
return array();
@ -255,5 +255,4 @@ class CertificatesController extends ApiControllerBase
}
return $result;
}
}


@ -62,7 +62,6 @@ class SettingsController extends ApiMutableModelControllerBase
if ((string)$mdlAcme->settings->UpdateCron == "" and
(string)$mdlAcme->settings->autoRenewal == "1" and
(string)$mdlAcme->settings->enabled == "1") {
$mdlCron = new Cron();
// NOTE: Only configd actions are valid commands for cronjobs
// and they *must* provide a description that is not empty.
@ -93,7 +92,6 @@ class SettingsController extends ApiMutableModelControllerBase
} elseif ((string)$mdlAcme->settings->UpdateCron != "" and
((string)$mdlAcme->settings->autoRenewal == "0" or
(string)$mdlAcme->settings->enabled == "0")) {
$cron_uuid = (string)$mdlAcme->settings->UpdateCron;
$mdlAcme->settings->UpdateCron = null;
$mdlCron = new Cron();


@ -93,7 +93,7 @@ class ValidationsController extends ApiControllerBase
}
} else {
// generate new node, but don't save to disc
$node = $mdlAcme->validations->validation->add() ;
$node = $mdlAcme->validations->validation->add();
return array("validation" => $node->getNodes());
}
return array();


@ -217,7 +217,7 @@ _hasfield() {
fi
done
_debug2 "'$_str' does not contain '$_field'"
return 1 #not contains
return 1 #not contains
}
_getfield() {
@ -634,7 +634,7 @@ _createcsr() {
else
alt="DNS:$domainlist"
fi
#multi
#multi
_info "Multi domain" "$alt"
printf -- "\nsubjectAltName=$alt" >>"$csrconf"
fi
@ -698,7 +698,7 @@ _readSubjectAltNamesFromCSR() {
printf "%s" "$_dnsAltnames" | sed "s/DNS://g"
}
#_csrfile
#_csrfile
_readKeyLengthFromCSR() {
_csrfile="$1"
if [ -z "$_csrfile" ]; then
@ -771,7 +771,7 @@ toPkcs() {
}
#[2048]
#[2048]
createAccountKey() {
_info "Creating account key"
if [ -z "$1" ]; then
@ -2388,7 +2388,7 @@ __get_domain_new_authz() {
}
#webroot, domain domainlist keylength
#webroot, domain domainlist keylength
issue() {
if [ -z "$2" ]; then
_usage "Usage: $PROJECT_ENTRY --issue -d a.com -w /path/to/webroot/a.com/ "
@ -2892,7 +2892,7 @@ issue() {
#if ! _get "$Le_LinkCert" | _base64 "multiline" >> "$CERT_PATH" ; then
# _debug "Get cert failed. Let's try last response."
# printf -- "%s" "$_rcert" | _dbase64 "multiline" | _base64 "multiline" >> "$CERT_PATH"
# printf -- "%s" "$_rcert" | _dbase64 "multiline" | _base64 "multiline" >> "$CERT_PATH"
#fi
if ! printf -- "%s" "$_rcert" | _dbase64 "multiline" | _base64 "multiline" >>"$CERT_PATH"; then
@ -3993,32 +3993,32 @@ Commands:
--createDomainKey, -cdk Create an domain private key, professional use.
--createCSR, -ccsr Create CSR , professional use.
--deactivate Deactivate the domain authz, professional use.
Parameters:
--domain, -d domain.tld Specifies a domain, used to issue, renew or revoke etc.
--force, -f Used to force to install or force to renew a cert immediately.
--staging, --test Use staging server, just for test.
--debug Output debug info.
--webroot, -w /path/to/webroot Specifies the web root folder for web root mode.
--standalone Use standalone mode.
--tls Use standalone tls mode.
--apache Use apache mode.
--dns [dns_cf|dns_dp|dns_cx|/path/to/api/file] Use dns mode or dns api.
--dnssleep [$DEFAULT_DNS_SLEEP] The time in seconds to wait for all the txt records to take effect in dns api mode. Default $DEFAULT_DNS_SLEEP seconds.
--keylength, -k [2048] Specifies the domain key length: 2048, 3072, 4096, 8192 or ec-256, ec-384.
--accountkeylength, -ak [2048] Specifies the account key length.
--log [/path/to/logfile] Specifies the log file. The default is: \"$DEFAULT_LOG_FILE\" if you don't give a file path here.
--log-level 1|2 Specifies the log level, default is 1.
These parameters are to install the cert to nginx/apache or anyother server after issue/renew a cert:
--certpath /path/to/real/cert/file After issue/renew, the cert will be copied to this path.
--keypath /path/to/real/key/file After issue/renew, the key will be copied to this path.
--capath /path/to/real/ca/file After issue/renew, the intermediate cert will be copied to this path.
--fullchainpath /path/to/fullchain/file After issue/renew, the fullchain cert will be copied to this path.
--reloadcmd \"service nginx reload\" After issue/renew, it's used to reload the server.
--accountconf Specifies a customized account config file.


@ -46,6 +46,7 @@ require_once("util.inc");
use OPNsense\Core\Config;
use OPNsense\Base;
use OPNsense\AcmeClient\AcmeClient;
global $config;
/* CLI arguments:
@ -80,17 +81,17 @@ switch ($options["a"]) {
case 'sign':
//$result = sign_or_renew_cert($options["c"]);
$result = cert_action_validator($options["c"]);
echo json_encode(Array('status'=>$result));
echo json_encode(array('status'=>$result));
break;
case 'renew':
//$result = sign_or_renew_cert($options["c"]);
$result = cert_action_validator($options["c"]);
echo json_encode(Array('status'=>$result));
echo json_encode(array('status'=>$result));
break;
case 'revoke':
//$result = revoke_cert($options["c"]);
$result = cert_action_validator($options["c"]);
echo json_encode(Array('status'=>$result));
echo json_encode(array('status'=>$result));
exit(1);
case 'cleanup':
// TODO: remove certs from filesystem if they cannot be found in config.xml
@ -115,7 +116,6 @@ function cert_action_validator($opt_cert_id)
$configObj = Config::getInstance()->object();
if (isset($configObj->OPNsense->AcmeClient->certificates)) {
foreach ($configObj->OPNsense->AcmeClient->certificates->children() as $certObj) {
// Extract cert ID
$cert_id = (string)$certObj->id;
if (empty($cert_id)) {
@ -124,10 +124,11 @@ function cert_action_validator($opt_cert_id)
// Either work with ALL certificates or check if cert ID matches
if (isset($options["A"]) or ((string)$cert_id == (string)$opt_cert_id)) {
// Ignore disabled certificates
if ($certObj->enabled == 0) {
if (isset($options["A"])) continue; // skip to next item
if (isset($options["A"])) {
continue; // skip to next item
}
return(1); // Cert is disabled, skip it.
}
@ -136,29 +137,33 @@ function cert_action_validator($opt_cert_id)
$acctObj = null;
$acctref_found = false;
foreach ($modelObj->getNodeByReference('accounts.account')->__items as $node) {
if ((string)$node->getAttributes()["uuid"] == $acctRef ) {
$acctref_found = true;
$acctObj = $node;
break; // Match! Go ahead.
if ((string)$node->getAttributes()["uuid"] == $acctRef) {
$acctref_found = true;
$acctObj = $node;
break; // Match! Go ahead.
}
}
// Make sure we found the configured account
if ( $acctref_found == true ) {
if ($acctref_found == true) {
// Ensure that this account was properly setup and registered.
$acct_result = run_acme_account_registration($acctObj,$certObj,$modelObj);
$acct_result = run_acme_account_registration($acctObj, $certObj, $modelObj);
if (!$acct_result) {
//echo "DEBUG: account registration OK\n";
} else {
//echo "DEBUG: account registration failed\n";
log_error("AcmeClient: account registration failed");
if (isset($options["A"])) continue; // skip to next item
if (isset($options["A"])) {
continue; // skip to next item
}
return(1);
}
} else {
//echo "DEBUG: account not found\n";
log_error("AcmeClient: account not found");
if (isset($options["A"])) continue; // skip to next item
if (isset($options["A"])) {
continue; // skip to next item
}
return(1);
}
@ -167,28 +172,29 @@ function cert_action_validator($opt_cert_id)
$valObj = null;
$ref_found = false;
foreach ($modelObj->getNodeByReference('validations.validation')->__items as $node) {
if ((string)$node->getAttributes()["uuid"] == $valRef ) {
$ref_found = true;
$valObj = $node;
break; // Match! Go ahead.
if ((string)$node->getAttributes()["uuid"] == $valRef) {
$ref_found = true;
$valObj = $node;
break; // Match! Go ahead.
}
}
// Make sure we found the configured validation method
if ($ref_found == true) {
// Was a revocation requested?
// NOTE: Revocation is not even considered when some elements have already been
// deleted from the GUI. It's likely that it would fail anyway.
if ($options["a"] == "revoke") {
// Start acme client to revoke the certificate
$rev_result = revoke_cert($certObj,$valObj,$acctObj);
$rev_result = revoke_cert($certObj, $valObj, $acctObj);
if (!$rev_result) {
return(0); // Success!
} else {
// Revocation failure
log_error("AcmeClient: revocation for certificate failed");
if (isset($options["A"])) continue; // skip to next item
if (isset($options["A"])) {
continue; // skip to next item
}
return(1);
}
}
@ -196,31 +202,38 @@ function cert_action_validator($opt_cert_id)
// Which validation method?
if ((string)$valObj->method == 'http01' or ((string)$valObj->method == 'dns01')) {
// Start acme client to issue or renew certificate
$val_result = run_acme_validation($certObj,$valObj,$acctObj);
$val_result = run_acme_validation($certObj, $valObj, $acctObj);
if (!$val_result) {
// Import certificate to Cert Manager
if (!import_certificate($certObj,$modelObj)) {
if (!import_certificate($certObj, $modelObj)) {
//echo "DEBUG: cert import done\n";
} else {
log_error("AcmeClient: unable to import certificate: " . (string)$certObj->name);
if (isset($options["A"])) continue; // skip to next item
if (isset($options["A"])) {
continue; // skip to next item
}
return(1);
}
} else {
// validation failure
log_error("AcmeClient: validation for certificate failed: " . (string)$certObj->name);
if (isset($options["A"])) continue; // skip to next item
if (isset($options["A"])) {
continue; // skip to next item
}
return(1);
}
} else {
log_error("AcmeClient: invalid validation method specified: " . (string)$valObj->method);
if (isset($options["A"])) continue; // skip to next item
if (isset($options["A"])) {
continue; // skip to next item
}
return(1);
}
} else {
log_error("AcmeClient: validation method not found for cert " . $certObj->name);
if (isset($options["A"])) continue; // skip to next item
if (isset($options["A"])) {
continue; // skip to next item
}
return(1);
}
@ -243,7 +256,7 @@ function eval_optional_acme_args()
global $options;
$configObj = Config::getInstance()->object();
$acme_args = Array();
$acme_args = array();
// Force certificate renewal?
$acme_args[] = isset($options["F"]) ? "--force" : null;
// Use LE staging environment?
@ -255,7 +268,7 @@ function eval_optional_acme_args()
}
// Create account keys and register accounts, export/import them from/to filesystem/config.xml
function run_acme_account_registration($acctObj,$certObj,$modelObj)
function run_acme_account_registration($acctObj, $certObj, $modelObj)
{
global $options;
@ -266,7 +279,7 @@ function run_acme_account_registration($acctObj,$certObj,$modelObj)
$account_conf_dir = "/var/etc/acme-client/accounts/" . $acctObj->id;
$account_conf_file = $account_conf_dir . "/account.conf";
$account_key_file = $account_conf_dir . "/account.key";
$acme_conf = Array();
$acme_conf = array();
$acme_conf[] = "CERT_HOME='/var/etc/acme-client/home'";
$acme_conf[] = "LOG_FILE='/var/log/acme.sh.log'";
$acme_conf[] = "ACCOUNT_KEY_PATH='" . $account_key_file . "'";
@ -278,12 +291,12 @@ function run_acme_account_registration($acctObj,$certObj,$modelObj)
if (!is_dir($account_conf_dir)) {
mkdir($account_conf_dir, 0700, true);
}
file_put_contents($account_conf_file, (string)implode("\n",$acme_conf) . "\n");
file_put_contents($account_conf_file, (string)implode("\n", $acme_conf) . "\n");
chmod($account_conf_file, 0600);
//echo "DEBUG: ${account_conf_file} | ${account_key_file}\n";
// Check if account key already exists
if ( is_file($account_key_file) ) {
if (is_file($account_key_file)) {
//echo "DEBUG: account key found\n";
} else {
// Check if we have an account key in our configuration
@ -374,7 +387,7 @@ function run_acme_account_registration($acctObj,$certObj,$modelObj)
}
// Run acme client with HTTP-01 or DNS-01 validation to issue/renew certificate
function run_acme_validation($certObj,$valObj,$acctObj)
function run_acme_validation($certObj, $valObj, $acctObj)
{
// TODO: add support for other HTTP-01 validation services/methods
@ -395,7 +408,7 @@ function run_acme_validation($certObj,$valObj,$acctObj)
$certdir = "/var/etc/acme-client/certs/${cert_id}";
$keydir = "/var/etc/acme-client/keys/${cert_id}";
$configdir = "/var/etc/acme-client/configs/${cert_id}";
foreach (Array($certdir, $keydir, $configdir) as $dir) {
foreach (array($certdir, $keydir, $configdir) as $dir) {
if (!is_dir($dir)) {
mkdir($dir, 0700, true);
}
@ -403,7 +416,7 @@ function run_acme_validation($certObj,$valObj,$acctObj)
// Preparation to run acme client
$acme_args = eval_optional_acme_args();
$proc_env = Array(); // env variables for proc_open()
$proc_env = array(); // env variables for proc_open()
$proc_env['PATH'] = '/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/root/bin';
$proc_desc = array( // descriptor array for proc_open()
0 => array("pipe", "r"), // stdin
@ -435,7 +448,7 @@ function run_acme_validation($certObj,$valObj,$acctObj)
// Try HTTP-01 or DNS-01 validation?
$val_method = (string)$valObj->method;
$acme_validation = ""; // val.method as argument for acme.sh
$acme_hook_options = Array(); // store addition arguments for acme.sh here
$acme_hook_options = array(); // store addition arguments for acme.sh here
switch ($val_method) {
case 'http01':
$acme_validation = "--webroot /var/etc/acme-client/challenges ";
@ -456,13 +469,13 @@ function run_acme_validation($certObj,$valObj,$acctObj)
//echo "DEBUG: local http challenge port: ${local_http_port}\n";
// Collect all IP addresses here, automatic port forward will be applied for each IP
$iplist = Array();
$iplist = array();
// Add IP addresses from auto-discovery feature
if ($valObj->http_opn_autodiscovery == 1) {
$dnslist = explode(',',$certObj->altNames);
$dnslist = explode(',', $certObj->altNames);
$dnslist[] = $certObj->name;
foreach($dnslist as $fqdn) {
foreach ($dnslist as $fqdn) {
// NOTE: This may take some time.
//echo "DEBUG: resolving ${fqdn}\n";
$ip_found = gethostbyname("${fqdn}.");
@ -476,9 +489,9 @@ function run_acme_validation($certObj,$valObj,$acctObj)
// Add IP addresses from user input
$additional_ip = (string)$valObj->http_opn_ipaddresses;
if (!empty($additional_ip)) {
foreach(explode(',',$additional_ip) as $ip) {
foreach (explode(',', $additional_ip) as $ip) {
//echo "DEBUG: additional IP ${ip}\n";
$iplist[] = $ip;
$iplist[] = $ip;
}
}
@ -497,7 +510,9 @@ function run_acme_validation($certObj,$valObj,$acctObj)
$dedup_iplist = array_unique($iplist);
// Add one rule for every IP
foreach ($dedup_iplist as $ip) {
if ($ip == '.') continue; // skip broken entries
if ($ip == '.') {
continue; // skip broken entries
}
$anchor_rules .= "rdr pass inet proto tcp from any to ${ip} port 80 -> 127.0.0.1 port ${local_http_port}\n";
}
} else {
@ -609,8 +624,8 @@ function run_acme_validation($certObj,$valObj,$acctObj)
// Prepare altNames
$altnames = "";
if (!empty((string)$certObj->altNames)) {
$_altnames = explode(",",(string)$certObj->altNames);
foreach (explode(",",(string)$certObj->altNames) as $altname) {
$_altnames = explode(",", (string)$certObj->altNames);
foreach (explode(",", (string)$certObj->altNames) as $altname) {
$altnames .= "--domain ${altname} ";
}
}
@ -634,7 +649,7 @@ function run_acme_validation($certObj,$valObj,$acctObj)
. "--fullchainpath ${cert_fullchain_filename} "
. implode(" ", $acme_hook_options);
//echo "DEBUG: executing command: " . $acmecmd . "\n";
$proc = proc_open($acmecmd , $proc_desc, $proc_pipes, null, $proc_env);
$proc = proc_open($acmecmd, $proc_desc, $proc_pipes, null, $proc_env);
// Make sure the resource could be setup properly
if (is_resource($proc)) {
@ -665,7 +680,7 @@ function run_acme_validation($certObj,$valObj,$acctObj)
}
// Revoke a certificate.
function revoke_cert($certObj,$valObj,$acctObj)
function revoke_cert($certObj, $valObj, $acctObj)
{
// NOTE: Revocation will fail if additional domain names were added
// to the certificate after issue/renewal.
@ -700,7 +715,7 @@ function revoke_cert($certObj,$valObj,$acctObj)
return($result);
}
function import_certificate($certObj,$modelObj)
function import_certificate($certObj, $modelObj)
{
global $config;
@ -711,7 +726,7 @@ function import_certificate($certObj,$modelObj)
// Check if certificate files can be found
clearstatcache(); // don't let the cache fool us
foreach (Array($cert_filename, $key_filename, $cert_fullchain_filename) as $file) {
foreach (array($cert_filename, $key_filename, $cert_fullchain_filename) as $file) {
if (is_file($file)) {
// certificate file found
} else {
@ -723,11 +738,11 @@ function import_certificate($certObj,$modelObj)
// Read contents from certificate file
$cert_content = @file_get_contents($cert_filename);
if ($cert_content != false) {
$cert_subject = cert_get_subject($cert_content,false);
$cert_serial = cert_get_serial($cert_content,false);
$cert_cn = local_cert_get_cn($cert_content,false);
$cert_issuer = cert_get_issuer($cert_content,false);
$cert_purpose = cert_get_purpose($cert_content,false);
$cert_subject = cert_get_subject($cert_content, false);
$cert_serial = cert_get_serial($cert_content, false);
$cert_cn = local_cert_get_cn($cert_content, false);
$cert_issuer = cert_get_issuer($cert_content, false);
$cert_purpose = cert_get_purpose($cert_content, false);
//echo "DEBUG: importing cert: subject: ${cert_subject}, serial: ${cert_serial}, issuer: ${cert_issuer} \n";
} else {
log_error("AcmeClient: unable to read certificate content from file");
@ -747,7 +762,7 @@ function import_certificate($certObj,$modelObj)
$configObj = Config::getInstance()->object();
foreach ($configObj->cert as $cfgCert) {
// Check if the IDs matches
if ( (string)$certObj->certRefId == (string)$cfgCert->refid ) {
if ((string)$certObj->certRefId == (string)$cfgCert->refid) {
$cert_found = true;
break;
}
@ -779,7 +794,7 @@ function import_certificate($certObj,$modelObj)
}
// Collect required cert information
$cert_cn = local_cert_get_cn($cert_content,false);
$cert_cn = local_cert_get_cn($cert_content, false);
$cert['descr'] = (string)$cert_cn . ' (Let\'s Encrypt)';
$cert['refid'] = $cert_refid;
@ -790,13 +805,13 @@ function import_certificate($certObj,$modelObj)
if ($cert_found == true) {
// FIXME: Do legacy configs really depend on counters?
$cnt = 0;
foreach($config['cert'] as $crt) {
if ( $crt['refid'] == $cert_refid ) {
//echo "DEBUG: found legacy cert object\n";
$config['cert'][$cnt] = $cert;
break;
}
$cnt++;
foreach ($config['cert'] as $crt) {
if ($crt['refid'] == $cert_refid) {
//echo "DEBUG: found legacy cert object\n";
$config['cert'][$cnt] = $cert;
break;
}
$cnt++;
}
} else {
// Create new certificate item
@ -841,7 +856,7 @@ function local_cert_get_subject_array($str_crt, $decode = true)
$subject_array = array();
foreach($components as $a => $v) {
foreach ($components as $a => $v) {
$subject_array[] = array('a' => $a, 'v' => $v);
}
@ -851,7 +866,7 @@ function local_cert_get_subject_array($str_crt, $decode = true)
// taken from certs.inc
function local_cert_get_cn($crt, $decode = true)
{
$sub = local_cert_get_subject_array($crt,$decode);
$sub = local_cert_get_subject_array($crt, $decode);
if (is_array($sub)) {
foreach ($sub as $s) {
if (strtoupper($s['a']) == "CN") {
@ -862,10 +877,12 @@ function local_cert_get_cn($crt, $decode = true)
return "";
}
function base64url_encode($str) {
function base64url_encode($str)
{
return rtrim(strtr(base64_encode($str), '+/', '-_'), '=');
}
function base64url_decode($str) {
function base64url_decode($str)
{
return base64_decode(str_pad(strtr($str, '-_', '+/'), strlen($str) % 4, '=', STR_PAD_RIGHT));
}
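Review bot: In the altNames hunk, the reformatted `foreach (explode(",", (string)$certObj->altNames) as $altname)` loop still interpolates each `$altname` unescaped into `$altnames`, which is later concatenated into the `$acmecmd` string handed to `proc_open`; unless the model already restricts altNames to hostname characters (not visible here), `$altnames .= "--domain " . escapeshellarg($altname) . " ";` would keep a stray quote or shell metacharacter in a misconfigured entry from altering the command line. The enclosing function run_acme_validation starts and ends outside this hunk, so the same check is worth doing on the other values assembled into `$acmecmd` there. Separately, in the base64url_decode hunk the padding target `strlen($str) % 4` passed to `str_pad` is always shorter than the input, so no `=` is ever appended and decoding only succeeds because base64_decode is lenient in non-strict mode; `str_pad($s, strlen($s) + (4 - strlen($s) % 4) % 4, '=')` on the translated string (`$s = strtr($str, '-_', '+/')`) restores the intended padding.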


@ -2,7 +2,7 @@
# bug reports to dev@1e.ca
# ME_Key=qmlkdjflmkqdjf
# ME_Key=qmlkdjflmkqdjf
# ME_Secret=qmsdlkqmlksdvnnpae
ME_Api=https://api.dnsmadeeasy.com/V2.0/dns/managed


@ -14,7 +14,7 @@
#'ovh-eu'
OVH_EU='https://eu.api.ovh.com/1.0'
#'ovh-ca':
#'ovh-ca':
OVH_CA='https://ca.api.ovh.com/1.0'
#'kimsufi-eu'


@ -42,13 +42,13 @@ message:testing acme_http_challenge configuration
##########################################
[sign-cert]
command:/usr/sbin/daemon -f /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php -F -a sign -c
command:/usr/sbin/daemon -f /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php -F -a sign -c
parameters:%s
type:script
message:signing or renewing a certificate
[revoke-cert]
command:/usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php -a revoke -c
command:/usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php -a revoke -c
parameters:%s
type:script
message:revoking a certificate