It was with some trepidation that @danb35 accepted the challenge of having a beta tester like me. As the clown troupe pulled into the parking lot and emerged from the impossibly small car, I took it on myself to make lots of mistakes that will hopefully make the script and the process that much more resilient and more foolproof for the rest of you.
Unlike the traditional Let's Encrypt process (see @danb35's original entry and the jail building script by @Basil Hendroff), this approach does not require a jail. In fact, you don't want a jail or you won't be able to replace the proper nginx file. I installed the two scripts in my /root directory using the very easy-to-use git commands documented on @danb35's two GitHub pages, one to make the certificate and one to deploy it.
Hardware Prerequisites:
For one, the internal CA. There are many options but I chose the Raspberry Pi based solution described at smallstep because it allowed me to reuse an older Pi 3 model (no speed records being broken here). In terms of hardware, they recommend a Raspberry Pi with 2GB of RAM, a Yubikey 5 NFC to securely store the certificates, an Infinite Noise TRNG, and a small backup flash drive. I also recommend using a so-called "high endurance" microSD card usually meant for cameras.
Network Setup:
Another good step is assigning your network devices names as well as either static IPs or quasi-static IPs (by having your DHCP server reserve only one IP address for them). I use a mirrored pair of Raspberry Pis with Pi-hole to serve as secure DNS servers and an EdgeRouter to assign quasi-static IP addresses. Between hosts files and the "local DNS" entries on the Pi-holes, every internal address resolves nicely when I run an nslookup.
Internal CA setup:
Unless you are familiar with all the nomenclature, the setup process, etc., expect this process to take several hours. You are installing a lot of stuff on a little Pi (which takes time) and you should be very clear about how your internal network is set up. For example, my initial device names used ".home" as a domain, which I later changed to ".internal" since ".internal" is less likely to be sold off and commercialized.
Some minor suggestions/thoughts re: the build process:
- The setup guide at smallstep is amazingly complete but I suggest setting up the PKI and PUK on the Yubikey in advance. To me, the Yubikey application is a lot easier to use than the RPi CLI.
- A password manager is a must. A lot of passwords / hashes / etc. will be thrown at you.
- Once your internal CA is running an ACME server successfully, I suggest you shut it down, then back up the entire microSD card.
- Consider enabling auto-update (see here)
- Rather than stop all SSH access to the internal CA, consider using passwordless SSH to make said access quite secure yet still easy-to-use.
Using the scripts:
As for @danb35's script, I really did my best to be a better idiot. I broke it in many creative ways... and then @danb35 would modify his script accordingly. The recovery READMEs in the GitHub repo are also a testament to the technical support he had to give me to revive my "403 Forbidden" locked-up TrueNAS UX when my interruptions caused the original nginx backup file to get nuked. So, I didn't manage to brick my NAS, just the UX, which is what console option 11 is for. That said, do not interrupt the scripts if stuff isn't working; wait for the script to terminate naturally. Use the -d argument to enable debugging / verbose mode to make troubleshooting easier.
Of the two scripts, the first one (freenas-nginx-swap) is a bit trickier to set up. If stuff breaks, chances are you have a misspelling or a bad path. Also, you need to SCP or otherwise transfer the root certificate from your internal CA to your FreeNAS. I deposited mine in the freenas-nginx-swap folder.
If you are running TrueNAS, use the API Key tool (see the gear icon in the top right corner of the GUI) to create an API key to use as the password for step 2, actually deploying the certificate.
This is actually a really good reason to upgrade to TrueNAS if you want to use an internal CA, since the FreeNAS version of the script has to store your root password in plaintext. (!!!)
If both scripts work as intended (and they will only work properly if you generate a new certificate followed by a deployment), then set up a cron job to execute them automatically as needed.
@danb35 suggests running them one after the other by scheduling only one cron job (see Tasks -> Cron) and chaining the two scripts with && so that deployment only runs after a successful generation.
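To show what the "generate, then deploy, from one cron job" chaining looks like in practice, here is a small wrapper I am adding as an illustration; it is not one of @danb35's scripts. The two script paths are placeholders for wherever you cloned the repos, and the log and lock locations are arbitrary assumptions; it refuses to start a second run while one is in progress, skips deployment when generation fails, and logs each step so a -d run has somewhere to go.

```shell
#!/bin/sh
# Constructed wrapper (added example, not part of the freenas-nginx-swap or
# deploy scripts): one cron job runs "generate certificate" and then "deploy
# certificate", mirroring the "script1 && script2" chaining suggested above,
# with a lock against overlapping runs and a log line per step.
# Assumptions: GEN_SCRIPT / DEPLOY_SCRIPT are placeholder paths; LOGFILE and
# LOCKDIR locations are arbitrary choices.

GEN_SCRIPT="${GEN_SCRIPT:-/root/freenas-nginx-swap/PLACEHOLDER_generate_script}"
DEPLOY_SCRIPT="${DEPLOY_SCRIPT:-/root/PLACEHOLDER_deploy_script}"
LOGFILE="${LOGFILE:-${TMPDIR:-/tmp}/cert-renew.log}"
LOCKDIR="${LOCKDIR:-${TMPDIR:-/tmp}/cert-renew.lock}"

log() { printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >>"$LOGFILE"; }

# run_chain GEN_CMD DEPLOY_CMD [args...]
# Runs GEN_CMD; DEPLOY_CMD runs only if GEN_CMD exits 0, because a deployment
# without a freshly generated certificate is the failure mode described above.
# Extra args (e.g. -d for verbose mode) are passed to both commands.
# Return codes: 0 all good, 10 generation failed, 20 deployment failed, 30 lock held.
run_chain() {
    gen="$1"; deploy="$2"; shift 2
    # mkdir is atomic, so it doubles as a lock against an overlapping cron run
    if ! mkdir "$LOCKDIR" 2>/dev/null; then
        log "skipped: a previous run still holds $LOCKDIR"
        return 30
    fi
    rc=0; st=0
    "$gen" "$@" >>"$LOGFILE" 2>&1 || st=$?
    if [ "$st" -eq 0 ]; then
        log "generate step ok"
        st=0; "$deploy" "$@" >>"$LOGFILE" 2>&1 || st=$?
        if [ "$st" -eq 0 ]; then
            log "deploy step ok"
        else
            log "deploy step FAILED (exit $st)"; rc=20
        fi
    else
        log "generate step FAILED (exit $st); deployment skipped"; rc=10
    fi
    rmdir "$LOCKDIR"
    return $rc
}

# Example crontab entry (Tasks -> Cron), assumed install path, Mondays at 03:00:
#   0 3 * * 1 /root/renew-and-deploy.sh
# Only run the real chain when executed under that file name, not when sourced.
if [ "${0##*/}" = "renew-and-deploy.sh" ]; then
    run_chain "$GEN_SCRIPT" "$DEPLOY_SCRIPT" "$@"
fi
```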
If anyone needs help with getting the internal CA to work with Win-ACME, I can now likely give some pointers.
I heartily recommend Win-ACME to anyone who needs a Windows-based ACME client.
Lastly:
A huge thank-you to the folks at Smallstep for documenting the internal CA build process as thoroughly as they did. Similarly, a huge thank you to @danb35 for putting in all the time and expertise to create these scripts, document their use, and make the later modifications that made them more resilient. Additionally, I could not have done it without his kind and timely tech support when I managed to mess something up.