Certificate deployment on TrueNAS

Joined
Jan 4, 2014
Messages
1,644
Let's Encrypt is a certificate authority (CA) that's made free TLS certificates readily available since about April 2016. In more recent times, other CAs such as ZeroSSL have joined the fold to provide free certificates as well. The supplied certificates have a short lifetime, typically three months. They're designed for data encryption across the internet. It's now possible to set up your own internal CA to issue certificates as an alternative to generating self-signed certificates using OpenSSL. These certificates are designed for data encryption within the local network. SmallStep has made this technology freely available. The lifetime of these certificates is even shorter at just one day.

Given the continued rise in interest and popularity of free, short lifetime certificates, iXSystems could be a leader and provide a mechanism to easily deploy such certificates on TrueNAS servers. I'm aware that @danb35 has done some terrific work to address this shortcoming; first using external certificates in his resource Let's Encrypt with FreeNAS 11.1 and later and more recently with internal certificates in his resource TLS certificates from a local certificate authority. What danb35 has implemented are some very clever middleware hacks for both resources.

Moving forward, I really think iXSystems should pick up the reins and provide a streamlined and robust mechanism that will facilitate the automated deployment of short lifetime TLS certificates on TrueNAS servers. What do other forum members think? If there's enough interest, I'll go ahead and submit a suggestion on JIRA.

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
And fundamentally, they're providing most of what's needed already. They have an API that allows doing what we need to do, and in its most basic form, installing and activating the cert only takes two API calls. My script is rather more complicated than that, partially because it cleans up old certs and partially because it allows installing certs for a number of different services, but it's still all in the API.

The only thing that's really missing is a built-in way to handle HTTP validation--my script to handle that is really kind of an ugly hack. It works (at least for me and for @Constantin), and I think it has enough "seat belts" to not destroy your system, but it'd be much nicer if the built-in nginx.conf handled the /.well-known/acme-challenge path and pointed it to a specific directory (or better yet, as in the request above, to a configurable directory).
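A minimal version of those two calls, added here as an example that is not danb35's script or iXsystems code: the endpoint paths, the `CERTIFICATE_CREATE_IMPORTED` create type, the `ui_certificate` field and bearer-token auth are assumptions about the TrueNAS v2.0 REST API, and the GET in between is only a lookup of the new certificate's id (the import runs as a job, so the POST does not return it). The caller picks a unique name per run, for example date-stamped, since old certificates are never overwritten here.

```python
import json
import urllib.parse
import urllib.request

# Assumed TrueNAS v2.0 REST API paths; check them against your release's docs.
CERT_PATH = "/api/v2.0/certificate/"
GENERAL_PATH = "/api/v2.0/system/general/"


def build_import_payload(name, cert_pem, key_pem):
    """Body for importing an externally issued cert/key pair (assumed field names)."""
    return {
        "create_type": "CERTIFICATE_CREATE_IMPORTED",
        "name": name,
        "certificate": cert_pem,
        "privatekey": key_pem,
    }


def _call(base_url, api_key, method, path, body=None):
    """One authenticated JSON request; TLS is verified by urllib's defaults."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        base_url + path,
        data=data,
        method=method,
        headers={"Authorization": "Bearer " + api_key,  # assumed API-key scheme
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def deploy_certificate(base_url, api_key, name, cert_pem, key_pem, call=_call):
    """Import the cert, find its id, then make it the web UI certificate."""
    # Call 1: import the certificate and private key under a unique name.
    call(base_url, api_key, "POST", CERT_PATH, build_import_payload(name, cert_pem, key_pem))
    # Lookup: the import is a job, so fetch the resulting certificate record by name.
    matches = call(base_url, api_key, "GET", CERT_PATH + "?name=" + urllib.parse.quote(name))
    if not matches:
        raise RuntimeError("certificate %r not found after import" % name)
    cert_id = matches[0]["id"]
    # Call 2: activate it for the UI (other services would need their own update call).
    call(base_url, api_key, "PUT", GENERAL_PATH, {"ui_certificate": cert_id})
    return cert_id
```

Restarting the UI afterwards so nginx picks up the new certificate is a separate step and is not shown.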