@Reiner030
Created September 15, 2025 08:45
OPNSense ACME plugin check within /conf/config.xml by listing all certificates with their action tasks
#!/bin/sh
# List every ACME certificate in config.xml together with its restart actions,
# resolving each action UUID in the <restartActions> CSV to its configured name.
CFG="/conf/config.xml"
for cuuid in $(xmllint --xpath "//AcmeClient/certificates/certificate/@uuid" "$CFG" \
    | sed 's/uuid="/\n/g' | sed 's/"//g' | awk NF); do
    # Comma-separated list of action UUIDs attached to this certificate
    csv=$(xmllint --xpath "string(//AcmeClient/certificates/certificate[@uuid='$cuuid']/restartActions)" "$CFG" 2>/dev/null)
    [ -z "$csv" ] && continue
    echo "Certificate $cuuid:"
    OLDIFS=$IFS
    IFS=,
    for u in $csv; do
        u=$(echo "$u" | tr -d '[:space:]')
        # Look up the action name; fall back to <unknown> for dangling UUIDs
        name=$(xmllint --xpath "normalize-space(//AcmeClient/actions/action[@uuid='$u']/name)" "$CFG" 2>/dev/null)
        [ -z "$name" ] && name="<unknown>"
        echo " $u ($name)"
    done
    IFS=$OLDIFS
done
@Reiner030 (Author)

OPNsense ACME Client – Automation Order Helper Scripts

These helper scripts address a bug in the OPNsense ACME client plugin (os-acme-client 4.9 on OPNsense Business 25.4.3) where the GUI does not preserve the order of automations.
On save/re-open, the <restartActions> list in /conf/config.xml may be reordered (often UUID-driven), causing Reload-* actions to run before Copy-/Sent-*.
That can lead to services reloading with old certificates still in place.

The issue is tracked here: opnsense/plugins#4940


Scripts

Each run makes a backup of /conf/config.xml and reloads configd.


Usage

Show current order

/root/acme_show_certificate_orders.sh

Example output:

Certificate d7a1cb5e-dbb6-43f6-b951-908b65d9f54f:
  8ad82a0a-d59f-45e1-801e-451ade9698df  (Copy-Certificate-to-intranet01)
  dd96ff98-b9d3-4a7b-9580-ef6c0b41b5ea  (Reload-Certificate-on-intranet01)
  880b5435-08b2-48cc-bd85-28ddd6e54a6e  (Restart-OPNsense-WebGUI)

Sort order

Dry run (no changes):

/root/sort_acme_restart_actions_posix.sh -n

Apply (writes backup + new order):

/root/sort_acme_restart_actions_posix.sh

Target a single certificate only:

CERT_UUID=<uuid> /root/sort_acme_restart_actions_posix.sh

Automate with cron

Run regularly to correct after GUI edits:

0 * * * * root /root/sort_acme_restart_actions_posix.sh

The script automatically aborts if acme.sh is currently running.


Example Diff

Before:

<restartActions>Reload-...,Copy-...,Restart-...</restartActions>

After:

<restartActions>Copy-...,Sent-...,Reload-...,Restart-...</restartActions>
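The Example Diff shows only the intended result; the sorting script itself is not on this page. The following POSIX sh function is an added example (my own code, not the gist author's sort_acme_restart_actions_posix.sh) that reorders a restartActions CSV by action-name prefix, Copy- before Sent- before Reload- before Restart-, keeping the existing order within each group. The action table, UUIDs and names are constructed placeholders standing in for the xmllint lookups against /conf/config.xml:

```shell
#!/bin/sh
# Added example (not the gist author's sort script, which is not shown on the page):
# reorder an ACME <restartActions> CSV so that Copy-* actions run first, then
# Sent-*, then Reload-*, then Restart-*, with anything else last. Order within a
# rank is preserved, so a run on an already-correct list is a no-op.
#
# All UUIDs and action names below are constructed placeholders; the real
# script resolves names from /conf/config.xml with xmllint instead of a table.

# Constructed uuid<TAB>name table standing in for //AcmeClient/actions/action
ACTION_TABLE=$(printf '%s\t%s\n' \
    'aaaaaaaa-0000-4000-8000-000000000001' 'Copy-Certificate-to-intranet01' \
    'aaaaaaaa-0000-4000-8000-000000000002' 'Sent-Certificate-to-mailgw01' \
    'aaaaaaaa-0000-4000-8000-000000000003' 'Reload-Certificate-on-intranet01' \
    'aaaaaaaa-0000-4000-8000-000000000004' 'Restart-OPNsense-WebGUI')

# rank_of NAME: print the execution rank for an action name prefix
rank_of() {
    case "$1" in
        Copy-*)    echo 1 ;;
        Sent-*)    echo 2 ;;
        Reload-*)  echo 3 ;;
        Restart-*) echo 4 ;;
        *)         echo 5 ;;   # unknown or unnamed actions go last, never dropped
    esac
}

# action_name UUID: look the UUID up in ACTION_TABLE, "<unknown>" if absent
action_name() {
    printf '%s\n' "$ACTION_TABLE" | awk -F '\t' -v u="$1" \
        '$1 == u { print $2; found = 1 } END { if (!found) print "<unknown>" }'
}

# sort_restart_actions CSV: print the CSV reordered by rank, stable within a rank
sort_restart_actions() {
    oldifs=$IFS
    IFS=,
    i=0
    for u in $1; do
        u=$(printf '%s' "$u" | tr -d '[:space:]')   # tolerate "a, b" spacing
        [ -z "$u" ] && continue
        i=$((i + 1))
        # emit "rank<TAB>position<TAB>uuid", then sort by rank and position
        printf '%s\t%s\t%s\n' "$(rank_of "$(action_name "$u")")" "$i" "$u"
    done | sort -k1,1n -k2,2n | cut -f3 | paste -sd, -
    IFS=$oldifs
}

# Demo on the "Before" shape from the page: Reload, Copy, Restart
before='aaaaaaaa-0000-4000-8000-000000000003,aaaaaaaa-0000-4000-8000-000000000001,aaaaaaaa-0000-4000-8000-000000000004'
echo "before: $before"
echo "after:  $(sort_restart_actions "$before")"
```

Running it on an already-ordered list returns the list unchanged, which is what an hourly cron run relies on; UUIDs whose name matches no prefix (or that no longer resolve to an action) are kept and placed last rather than dropped, so nothing silently disappears from the CSV.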

Notes

  • The GUI may still display a mixed order on edit.
  • Execution order follows the CSV in config.xml, which this script fixes.
  • Both scripts are standalone POSIX sh, no bash required, tested on OPNsense Business 25.4.3.
