A few years ago, I wrote a resource with an accompanying script for obtaining a certificate for your FreeNAS server from Let's Encrypt. The script has worked well for me, with some updates, since then.
More recently, I've come to think that, for LAN resources that will only be used by local clients, a local certificate authority would make more sense. I ran across this site:
smallstep.com
from another post here, and decided to follow the guide, and it works well to set up a local CA with an ACME front-end. But when I wanted to obtain certificates for my TrueNAS systems, I ran into a bit of a problem. I'd obtained certs from Let's Encrypt using DNS validation, which doesn't require any HTTP connection to the server itself. But I wasn't sure how to make that work with my local CA, so I needed to figure out how make HTTP validation work instead.
To get a cert using HTTP validation, the server needs to respond to a request for http://server_name/.well-known/acme-challenge/longcryptotoken with certain contents. But TrueNAS directs this request to the GUI, which means the challenge fails. In discussions with @Constantin and some discussion on another thread, I settled on replacing nginx.conf with a temporary version, whose only purpose is to serve the challenge file. The result was this script:
github.com
This script will back up your existing nginx.conf file, replace it with a temporary config file, and then call acme.sh (which must already be installed) to obtain a certificate. Once the cert is obtained, it will replace the temporary config file with the original one. This script doesn't install your new cert in FreeNAS, though--for that, I'd recommend using my deployment script:
github.com
More recently, I've come to think that, for LAN resources that will only be used by local clients, a local certificate authority would make more sense. I ran across this site:
Build a Tiny Certificate Authority For Your Homelab
Let's make a tiny, standalone CA! We'll use a Raspberry Pi 4, YubiKey 5 NFC, and Infinite Noise TRNG.
from another post here, and decided to follow the guide, and it works well to set up a local CA with an ACME front-end. But when I wanted to obtain certificates for my TrueNAS systems, I ran into a bit of a problem. I'd obtained certs from Let's Encrypt using DNS validation, which doesn't require any HTTP connection to the server itself. But I wasn't sure how to make that work with my local CA, so I needed to figure out how make HTTP validation work instead.
To get a cert using HTTP validation, the server needs to respond to a request for http://server_name/.well-known/acme-challenge/longcryptotoken with certain contents. But TrueNAS directs this request to the GUI, which means the challenge fails. In discussions with @Constantin and some discussion on another thread, I settled on replacing nginx.conf with a temporary version, whose only purpose is to serve the challenge file. The result was this script:
GitHub - danb35/freenas-nginx-swap: Swap FreeNAS' nginx.conf for a temporary one, to obtain ACME certificates
Swap FreeNAS' nginx.conf for a temporary one, to obtain ACME certificates - danb35/freenas-nginx-swap
github.com
This script will back up your existing nginx.conf file, replace it with a temporary config file, and then call acme.sh (which must already be installed) to obtain a certificate. Once the cert is obtained, it will replace the temporary config file with the original one. This script doesn't install your new cert in FreeNAS, though--for that, I'd recommend using my deployment script:
GitHub - danb35/deploy-freenas: Python script to automate deploying TLS certificates to FreeNAS servers
Python script to automate deploying TLS certificates to FreeNAS servers - danb35/deploy-freenas
github.com
