When accessing internal servers and devices, are you tired of seeing warning messages from your browser informing you that 'Your connection is not secure'? Want to set up secure communication for supported systems?
This scripted resource builds a Let's Encrypt toolbox in a jail, including acme.sh (an ACME client for Let's Encrypt, LE) and an eclectic collection of useful tools for centrally managing LE certificates for a variety of systems. The following systems are currently supported:
- TrueNAS and FreeNAS servers.
- HP iLO remote server management devices.
- FRITZ!Box residential gateway devices.
Objectives
The script creates a jail designed to meet these key objectives:
- Facilitate the centralised deployment of LE certificates to several groups of internal systems.
- Automate the issue and renewal of certificates for those systems (the script installs acme.sh in the jail, and its renewal cron job handles this).
- Keep the jail decoupled from its data, which is best practice. The script sets up the structures to store certificates and other data files outside the jail, so the jail can be rebuilt without losing them.
The requirements for issuing certificates to internal systems are:
- You must own or be able to control a public domain name.
- Your internal DNS must resolve internal host names under that public domain name to the matching internal IP addresses, while public DNS either does not answer for them or answers differently. This is commonly referred to as split DNS.
- To issue and renew certificates automatically, your DNS provider must be one for which acme.sh ships a DNS API hook. Internal hosts are not reachable from Let's Encrypt's validators, so the HTTP-01 challenge cannot be used; the DNS-01 challenge is the only option, and without an API hook the TXT records would have to be placed by hand at every renewal.
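The two prerequisites above can be checked before the first issuance. The following is an added example, not part of this resource's script or of acme.sh: it verifies that a host name resolves internally to an RFC 1918 address (the split-DNS requirement) and then issues its certificate over the DNS-01 challenge, with certificate data kept outside the jail as the objectives describe. The `dns_cf` hook, the `/mnt/certs` path and the host name are assumptions standing in for your own provider hook, dataset and name.

```sh
#!/bin/sh
# Added example (not part of the resource's script): split-DNS prerequisite check,
# then DNS-01 issuance with acme.sh. Assumed values are marked below.

CERT_HOME="${CERT_HOME:-/mnt/certs}"   # assumed mount point; keeps certificate data outside the jail
DNS_HOOK="${DNS_HOOK:-dns_cf}"          # assumed hook; use the acme.sh dnsapi hook for your provider

# is_private_ip ADDR: succeed if ADDR lies in an RFC 1918 range (10/8, 172.16/12, 192.168/16)
is_private_ip() {
  case "$1" in
    10.*)                                   return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*)  return 0 ;;
    192.168.*)                              return 0 ;;
    *)                                      return 1 ;;
  esac
}

# resolve_a NAME: print the first IPv4 address this host's resolver returns for NAME
resolve_a() {
  if command -v drill >/dev/null 2>&1; then          # ldns drill, present in FreeBSD base
    drill -Q "$1" A | head -n 1
  elif command -v dig >/dev/null 2>&1; then
    dig +short "$1" A | head -n 1
  else
    getent hosts "$1" | awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1; exit }'
  fi
}

# check_split_dns NAME: the name on the certificate must resolve, from inside the
# network, to a private address. Return 0 when it does, 1 for a public answer,
# 2 when there is no answer at all.
check_split_dns() {
  addr=$(resolve_a "$1")
  if [ -z "$addr" ]; then
    echo "split-dns: $1 does not resolve internally" >&2
    return 2
  fi
  if is_private_ip "$addr"; then
    echo "split-dns: $1 -> $addr (private, OK)"
    return 0
  fi
  echo "split-dns: $1 -> $addr is not an RFC 1918 address" >&2
  return 1
}

# issue_cert NAME: DNS-01 issuance. HTTP-01 cannot work for an internal host, so the
# DNS API hook is what makes unattended renewal possible. Hook credentials come from
# the environment variables documented for that hook (for dns_cf: CF_Token and
# CF_Account_ID, or the older CF_Key and CF_Email).
issue_cert() {
  acme.sh --issue --server letsencrypt --dns "$DNS_HOOK" -d "$1" --cert-home "$CERT_HOME"
}

# usage: sh le-issue.sh nas.example.com   (example host name; substitute your own)
if [ -n "${1:-}" ]; then
  check_split_dns "$1" && issue_cert "$1"
fi
```

Run it once per host before adding that host to the jail's renewal configuration; a return code of 1 or 2 from the check means the certificate could still be issued, but browsers on the LAN would never be presented with it for the internal address, so the split-DNS side needs fixing first.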
Acknowledgements
- If it were not for the ground-breaking efforts of @danb35 to implement a means of deploying LE certificates to FreeNAS, and now TrueNAS, servers (refer to the community resource Let's Encrypt with FreeNAS 11.1 and later), centralised TrueNAS and FreeNAS certificate management for this resource would not be possible.
- Dennis Kaarsemaker for implementing python-hpilo, a Python library and command-line tool for interacting with HP iLO devices.
- Neil Pang for the LE client acme.sh and its FRITZ!Box deploy hook.