Well, maybe the title is a bit ambitious, but at least the script below is an improvement compared to these two approaches: 1 and 2:
* It validates the server-side certificate instead of ignoring it
* Logs out to invalidate the session cookie and wipes the temporary file used to store it
* Does not fetch the whole bulk of RRD data
#!/bin/sh -e
user=***
password=***
host=***
cacert="$host-cacert.pem"
cfgfile="$host-$(date +%Y%m%d%H%M%S).xml"
cookiejar=$(mktemp)
## make sure the cookie jar is erased even if a step below fails (-e aborts the script)
trap 'rm -f "$cookiejar"' EXIT
## authenticate and save session cookie
## (note: --post-data puts the password on the command line, where other local users can read it from the process list)
wget -q -O /dev/null --keep-session-cookies --save-cookies "$cookiejar" \
--post-data "login=Login&usernamefld=$user&passwordfld=$password" \
--ca-certificate "$cacert" "https://$host/"
## download the config, skipping the RRD data
wget -q --load-cookies "$cookiejar" \
--post-data 'Submit=download&donotbackuprrd=on' -O "$cfgfile" \
--ca-certificate "$cacert" "https://$host/diag_backup.php"
## logout to invalidate session cookie
wget -q -O /dev/null --load-cookies "$cookiejar" \
--ca-certificate "$cacert" "https://$host/index.php?logout"
## erase session cookie (the trap above also covers an early exit)
rm -f "$cookiejar"
To use it:
1. Make your firewall use a non-default certificate. It is easy to generate a certificate in pfSense with its built-in CA. Make sure the CN of the new certificate matches the IP/hostname you will use to access the firewall.
2. Make the CA certificate in PEM format available to this script (the $host-cacert.pem file).
3. Optional: create a lower-privileged user for backup retrieval; it only needs access to the "Diag/Backup-Restore" page.
4. Set the user/password/host parameters.
The script might be improved by adding config encryption. This should be useful because the configs apparently carry unsalted MD5 password hashes.
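Here is one way to add that encryption step, as an added example that is not part of the original script: two shell functions that encrypt the downloaded XML at rest and remove the plaintext copy, so the password hashes are not left readable on the backup host. It assumes an openssl with `enc -pbkdf2` support (OpenSSL 1.1.1 or later) and reads the passphrase from a file (keep it mode 0600) rather than taking it on the command line; the passphrase file path used in the usage comment is a made-up placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): encrypt the downloaded config
# at rest and drop the plaintext copy.
# Assumptions: openssl with 'enc -pbkdf2' (OpenSSL 1.1.1 or later); the
# passphrase is read from a file (mode 0600) so it never appears on a
# command line or in the process list.

# encrypt_config PLAINTEXT PASSFILE
#   writes PLAINTEXT.enc (mode 0600), removes PLAINTEXT, prints the .enc path
encrypt_config() {
    plain=$1
    passfile=$2
    enc="$plain.enc"
    # salted AES-256-CBC with a PBKDF2-derived key (200000 iterations)
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 \
        -pass "file:$passfile" -in "$plain" -out "$enc" || return 1
    chmod 600 "$enc"
    rm -f "$plain"
    printf '%s\n' "$enc"
}

# decrypt_config ENCRYPTED PASSFILE OUTPUT
#   restores the plaintext XML; returns non-zero if openssl reports a failure
decrypt_config() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass "file:$2" -in "$1" -out "$3"
}

# Usage in the backup script, right after the download step
# (/root/pfsense-backup.pass is a placeholder path):
#   encrypt_config "$cfgfile" /root/pfsense-backup.pass
```

The functions only touch local files, so they slot in after the download `wget` call without changing the login, download or logout steps; the plaintext config exists on disk only for the moment between download and encryption.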