Page MenuHomeVyOS Platform

Auto import Lets Encrypt root CA while using pki certificate acme


Hey guys.

Think it would be nice to have the option to auto import the Lets Encrypt root CA since the ACME bot is providing it anyway.

Maybe add a command like: set pki certificate <name> acme import-root-ca
This will at least provide the user with the option to do it without needing to search for the root and intermidate CA's and convert/import them into VyOS.



Difficulty level
Unknown (require assessment)
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Improvement (missing useful functionality)

Event Timeline

Personally I thing there should be a difference between setting PKI manually like set pki certificate and set pki ca vs whatever the command is to utilize letsencrypt or acme or whatever they might be called automatically through VyOS (lets say set pki letsencrypt and set pki acme etc).

I think that the set pki certificate should NOT autoimport any CA's while set pki letsencrypt and set pki acme should have that option something along with what you suggested (set pki letsencrypt certificate <certname> import-ca) or that once executed it should question the admin if the CA should be added (default yes) in case import-ca isnt defined on the command line.

Edit: One could of course argue that perhaps the letsencrypt and acme CA's should already be imported natively this way you dont have to add them.

syncer triaged this task as Normal priority.

There is no need for set pki letsencrypt or set pki acme as a PEM wil always be provided and we have a common PEM framework.

The main technical reason is (why it's not imported) that we would need to alter the CLI during a commit - which will introduce a chicken and egg problem. We have few places (e.g. system login) doing this but it's mainly discouraged. As soon as a script alters the CLI we can NOT make use of vyos-configd to run all the CLI scripts.

The most "common" idea and in parallel to normal PEM certificates would be an OP mode command to install the key into the working configuration -> import pki

vyos@vyos:~$ import pki 
Possible completions:
  ca                    Import CA certificate into PKI
  certificate           Import certificate into PKI
  crl                   Import certificate revocation list into PKI
  dh                    Import DH parameters into PKI
  key-pair              Import key pair into PKI
  openvpn               Import OpenVPN keys into PKI