opnsense_acmeclient_certificate (Resource)

Manage ACME client certificates on OPNsense.

Example Usage

resource "opnsense_acmeclient_account" "example" {
  enabled     = true
  name        = "tf-example-account"
  email       = "admin@example.com"
  ca          = "letsencrypt"
  description = "Terraform test account"
}

resource "opnsense_acmeclient_challenge" "http" {
  enabled                    = true
  name                       = "tf-example-http"
  method                     = "http01"
  http_service               = "opnsense"
  http_opn_autodiscovery     = true
  tlsalpn_acme_autodiscovery = true
}

resource "opnsense_acmeclient_automation" "restart_gui" {
  enabled = true
  name    = "tf-example-automation"
  type    = "configd_restart_gui"
}

resource "opnsense_acmeclient_certificate" "example" {
  enabled              = false
  name                 = "tf-example-cert"
  description          = "Terraform managed certificate"
  account_id           = opnsense_acmeclient_account.example.id
  validation_method_id = opnsense_acmeclient_challenge.http.id
  alt_names            = ["example.com", "www.example.com"]
  restart_actions      = [opnsense_acmeclient_automation.restart_gui.id]
  auto_renewal         = true
  renew_interval       = 30
  key_length           = "key_2048"
}

Schema

Required

  • account_id (String) UUID of the ACME account used for this certificate.
  • name (String) Display name for the certificate.
  • validation_method_id (String) UUID of the validation challenge used for this certificate.

Optional

  • alias_mode (String) Alias mode for generated certificates.
  • alt_names (Set of String) Subject Alternative Names for the certificate.
  • auto_renewal (Boolean) Whether the certificate should auto-renew.
  • challenge_alias (String) Challenge alias applied to the certificate.
  • description (String) Optional description for the certificate.
  • domain_alias (String) Domain alias applied to the certificate.
  • enabled (Boolean) Whether the certificate is enabled.
  • key_length (String) Key length identifier (for example key_2048, ec_p256).
  • ocsp (Boolean) Enable OCSP stapling.
  • renew_interval (Number) Renewal interval in days.
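  • restart_actions (Set of String) IDs of the automations (such as opnsense_acmeclient_automation.restart_gui.id in the example above) that restart services after certificate issuance.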

Read-Only

  • certificate_ref_id (String) Reference ID of the generated certificate.
  • id (String) UUID of the certificate.
  • last_update (String) Timestamp of the last certificate update.
  • status_code (String) Last reported status code.
  • status_last_update (String) Timestamp of the last status update.