Okay, I just played around and found out that it isn't as easy as described here if I want to put everything in a jail. To make everything work I had to install some packages first:
Code:
pkg install wget bash nano python3 py37-pip oath-toolkit ca_root_nss
python3 -m pip install requests
chsh -s /usr/local/bin/bash
echo 'cd ~' >> ~/.bashrc
wget to install acme.sh and your script. (I didn't want to install git for that since it is 300MB+)
bash just for convenience since I'm not familiar with csh
python3 and py37-pip because python and the requests module are required by your script.
oath-toolkit to use 2FA with acme.sh
ca_root_nss to wget via https
I don't know why, but acme.sh added source "/root/.acme.sh/acme.sh.env" to .zshrc instead of .bashrc even though I set bash as the default shell and re-logged in. So I had to do that manually.
Then your script returned the following:
Code:
[Mon Apr 20 17:43:16 CEST 2020] Run reload cmd: /root/deploy-freenas-master/deploy_freenas.py
Traceback (most recent call last):
  File "/root/deploy-freenas-master/deploy_freenas.py", line 44, in <module>
    PASSWORD = deploy.get('password')
  File "/usr/local/lib/python3.7/configparser.py", line 1301, in get
    fallback=fallback, **kwargs)
  File "/usr/local/lib/python3.7/configparser.py", line 799, in get
    d)
  File "/usr/local/lib/python3.7/configparser.py", line 394, in before_get
    self._interpolate_some(parser, option, L, value, section, defaults, 1)
  File "/usr/local/lib/python3.7/configparser.py", line 444, in _interpolate_some
    "found: %r" % (rest,))
configparser.InterpolationSyntaxError: '%' must be followed by '%' or '(', found: '%'
[Mon Apr 20 17:43:16 CEST 2020] Reload error for :
Probably because I had a lot of special characters in my FreeNAS password. I changed it to only letters and numbers... but that's a bad solution tbh.
That wasn't the last problem. Then I received the following:
Code:
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 677, in urlopen
    chunked=chunked,
  File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 381, in _make_request
    self._validate_conn(conn)
  File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 976, in _validate_conn
    conn.connect()
  File "/usr/local/lib/python3.7/site-packages/urllib3/connection.py", line 370, in connect
    ssl_context=context,
  File "/usr/local/lib/python3.7/site-packages/urllib3/util/ssl_.py", line 377, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/local/lib/python3.7/ssl.py", line 423, in wrap_socket
    session=session
  File "/usr/local/lib/python3.7/ssl.py", line 870, in _create
    self.do_handshake()
  File "/usr/local/lib/python3.7/ssl.py", line 1139, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1076)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/requests/adapters.py", line 449, in send
    timeout=timeout
  File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 725, in urlopen
    method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]
  File "/usr/local/lib/python3.7/site-packages/urllib3/util/retry.py", line 439, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='nas.local.domain.tld', port=443): Max retries exceeded with url: /api/v1.0/system/certificate/import/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1076)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/root/deploy-freenas-master/deploy_freenas.py", line 73, in <module>
    "cert_privatekey": priv_key,
  File "/usr/local/lib/python3.7/site-packages/requests/api.py", line 119, in post
    return request('post', url, data=data, json=json, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/requests/api.py", line 61, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/requests/sessions.py", line 530, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python3.7/site-packages/requests/sessions.py", line 643, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='nas.local.domain.tld', port=443): Max retries exceeded with url: /api/v1.0/system/certificate/import/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1076)')))
[Mon Apr 20 17:49:21 CEST 2020] Reload error for :
That was because I had set verify = true in deploy_config but was still using the default FreeNAS self-signed certificate. I set that to false and then finally everything worked. I guess now I can set verify = true again for future renewals. Shouldn't be a problem anymore.
But now I have one last question, @danb35. You wrote that I should set up a cronjob for automatic renewal in the FreeNAS GUI. But why? acme.sh already installs the following cronjob by default:
Code:
[root@acme ~]# crontab -l
15 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
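The two errors in the post above have the same root: how the deploy script reads deploy_config. The InterpolationSyntaxError comes from ConfigParser's default "%" interpolation, which is why weakening the password to letters and digits made it go away; and the CERTIFICATE_VERIFY_FAILED error shows that verify = false is not the only alternative to verify = true, because requests also accepts a path to a PEM file as the verify argument, which keeps certificate checking on while trusting the NAS's self-signed certificate. The following is an added example, not code from the post or from the deploy-freenas project; it assumes an INI-style deploy_config with a [deploy] section holding password and verify options (the section and option names are taken from the traceback and the post, the file layout is an assumption), and the sample config is constructed here.

```python
"""Reading a deploy_config safely: '%' in passwords, and a TLS 'verify'
option that can be true, false or a path to a trusted PEM file."""
import configparser
import os
import tempfile

# Constructed sample config, not the poster's real file. The password
# contains '%s', which is exactly what trips ConfigParser's default
# BasicInterpolation ("'%' must be followed by '%' or '('").
SAMPLE_CONFIG = """\
[deploy]
password = p%ss+w0rd!
verify = true
"""

TRUE_WORDS = {"1", "yes", "true", "on"}
FALSE_WORDS = {"0", "no", "false", "off"}


def write_sample_config():
    """Write SAMPLE_CONFIG to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(prefix="deploy_config_", text=True)
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_CONFIG)
    return path


def default_parser_rejects(path):
    """Reproduce the post's failure: with the stock ConfigParser, reading
    a password that contains a lone '%' raises InterpolationSyntaxError."""
    parser = configparser.ConfigParser()
    parser.read(path)
    try:
        parser["deploy"].get("password")
    except configparser.InterpolationSyntaxError:
        return True
    return False


def load_deploy_config(path):
    """Read deploy_config with interpolation switched off, so every
    character is legal in the password and it is returned verbatim."""
    parser = configparser.ConfigParser(interpolation=None)
    with open(path) as fh:
        parser.read_file(fh)
    return parser["deploy"]


def tls_verify_setting(deploy):
    """Map the 'verify' option onto what requests accepts for verify=:
    True  -> validate against the system trust store (ca_root_nss),
    False -> no validation at all (what the poster fell back to),
    path  -> validate against that PEM file, e.g. the NAS's own
             self-signed certificate exported from the FreeNAS GUI."""
    raw = str(deploy.get("verify", "true")).strip()
    word = raw.lower()
    if word in TRUE_WORDS:
        return True
    if word in FALSE_WORDS:
        return False
    # Anything else is a file path; fail loudly instead of silently
    # degrading to an unverified connection when the file is missing.
    if not os.path.isfile(raw):
        raise FileNotFoundError(f"verify points to a missing PEM file: {raw}")
    return raw


if __name__ == "__main__":
    cfg_path = write_sample_config()
    print("stock parser raises InterpolationSyntaxError:",
          default_parser_rejects(cfg_path))
    deploy = load_deploy_config(cfg_path)
    print("password read back verbatim:", deploy.get("password"))
    print("value to pass as requests verify=:", tls_verify_setting(deploy))
    os.remove(cfg_path)
```

The value returned by tls_verify_setting is what goes into requests.post(..., verify=...). Pointing verify at a PEM file still enforces hostname checking, so the name in the API URL (nas.local.domain.tld in the post) has to appear in the certificate; once the Let's Encrypt certificate is deployed, switching back to verify = true, as the poster plans, is the right end state.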