@apritcha1
Problem:

Currently, acme-client is unable to issue certificates under any profiles, which enable CAs to issue certificates with characteristics other than their defaults. In my case, this prevents IP address certificates from being issued, as Let's Encrypt only issues these certificates under the "shortlived" profile. Let's Encrypt has supported profiles since around January 2025 in Staging, and since some time between December 2025 and January 2026 in Production.
acme.sh has had support for using profiles for a few months, so the problem is that the acme-client plugin does not expose profile support yet.

Solution:

Add an additional (optional) field to the certificate form to allow the user to input the name of a profile. Note that different CAs may support different profiles, so a text input was chosen rather than a dropdown or similar.
If a profile is specified, add the --cert-profile flag to the acme.sh command, with the chosen profile.
Add logic to use the configured name as the display name for the certificate if it does not contain a common name. This is not strictly required for profile support to work, but avoids certificates appearing as (ACME Client) in the UI if they have no Common Name (CN), such as for IP certs, or certs issued using the new tlsclient profile from LE.
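As an added illustration of the two behaviours described above (not code from this PR or from the os-acme-client plugin), the following Python sketch builds the acme.sh argument list with the optional `--cert-profile` flag and applies the display-name fallback. The acme.sh path, the `PROFILE_RE` pattern and the helper names are assumptions; `--issue` and `-d` are acme.sh's own documented options.

```python
import re
from typing import List, Optional

# The profile name comes from a free-text form field (different CAs expose
# different profile names, so there is no fixed list to validate against).
# Assumption: profile names are short ASCII tokens such as "shortlived" or
# "tlsclient", so anything else is rejected before it reaches the command line.
PROFILE_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")

# Placeholder location; the real plugin knows where acme.sh is installed.
ACME_SH = "/usr/local/sbin/acme.sh"


def build_issue_command(domains: List[str], profile: Optional[str] = None) -> List[str]:
    """Return the acme.sh argv for an issue request as a list.

    Passing a list to subprocess (never a joined shell string) keeps the
    user-supplied profile name a single argument, so it cannot be interpreted
    as additional flags or shell syntax.
    """
    if not domains:
        raise ValueError("at least one domain or IP address is required")
    argv = [ACME_SH, "--issue"]
    for name in domains:
        argv += ["-d", name]
    if profile:                       # field is optional; empty means CA default
        if not PROFILE_RE.match(profile):
            raise ValueError(f"invalid profile name: {profile!r}")
        argv += ["--cert-profile", profile]
    return argv


def display_name(configured_name: str, common_name: Optional[str]) -> str:
    """Prefer the certificate's CN; fall back to the configured name when the
    certificate has none (IP address certificates, tlsclient profile)."""
    cn = (common_name or "").strip()
    return cn if cn else configured_name
```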

@fraenki (Member)

fraenki commented Jan 20, 2026

Thanks. How has this been tested?

@fraenki fraenki self-assigned this Jan 20, 2026
@fraenki fraenki added the feature Adding new functionality label Jan 20, 2026
@apritcha1 (Author)

@fraenki I've tested it by directly applying the changes to the impacted files on a live OPNsense system. I may be missing a better way to test it, but that seemed like the easiest way to do it. Certificates are successfully issued from LE using the shortlived profile, and renewal is also working. I also verified that issuing a standard certificate still works correctly.

@fraenki (Member)

fraenki commented Jan 20, 2026

And Acme Client was able to successfully import your IP certificate into System: Trust: Certificates? Please check 🙂

@apritcha1 (Author)

@fraenki Yes, no problems there. I am actively using said certificate currently.

@fraenki (Member) left a review comment

LGTM

I'll merge this later for os-acme-client 4.12, once OPNsense 26.1 has been released.
