SOLVED Change default SSL certificates directory

lucacris72

Cadet
Joined
May 13, 2021
Messages
4
Hi,
I'm trying to change the default directory of the SSL certificates on my TrueNAS-12.0-U3.
I found on the forum several guides that explain how to achieve this result. In particular, in System->Tunables it is necessary to add the variable SSLDIR (type=rc.conf) and specify as the value the new path in which the certificates are (I created a directory /cert using ssh).
The problem is that after I added this variable and enabled it, the path doesn't change.
Any ideas?
Thanks.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I know this is going to be an annoying response, but why are you trying to do this? If it's a matter of using a different cert for the GUI (or WebDAV, or FTP, or...), the way to go is to import it into the config database. And if you want to do this automatically, well, there isn't an app for that, but there's a script for that:
 

lucacris72

Cadet
Joined
May 13, 2021
Messages
4
I know this is going to be an annoying response, but why are you trying to do this? If it's a matter of using a different cert for the GUI (or WebDAV, or FTP, or...), the way to go is to import it into the config database. And if you want to do this automatically, well, there isn't an app for that, but there's a script for that:
Thanks for the reply. I have to expose an FTP server to the internet (to make it accessible remotely) and I would like to use a certificate signed by Let's Encrypt. I've seen that script these days and I read the repo documentation. Actually I have not tested it properly, but the documentation seems to be a little poor. I set up a jail in which I installed Certbot and in which the script will run. Have you ever used it? I'll try it tomorrow; can I ask you for help if I can't make it work?
Thanks again.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Have you ever used it?
I wrote it, so it's safe to assume I use it. It's intended to be used with acme.sh, not certbot (which I avoid whenever possible), but as long as you can tell it where to look for the cert files, and as long as your client can run arbitrary commands after cert issuance (which certbot can), you should be fine.
the documentation seems to be a little poor.
I'd be interested in any suggestions (or better yet, PRs) for improvement.
can I ask you for help if I can't make it work?
Best place for that would be in the discussion thread for that resource.
 

lucacris72

Cadet
Joined
May 13, 2021
Messages
4
I wrote it, so it's safe to assume I use it.
I'm a little embarrassed that I didn't notice this earlier, my fault.
It's intended to be used with acme.sh, not certbot (which I avoid whenever possible)
Why do you discourage the use of certbot? (I don't have any prejudices about it or about acme; I just find certbot easier to use.)
I'd be interested in any suggestions (or better yet, PRs) for improvement.
Sure! When I finish the tests I can write down some points that were not very clear to me.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Why do you discourage the use of certbot?
Biggest issue, IMO, is that there are way too many dependencies. acme.sh is a shell script, and has very few--curl/wget, openssl, a shell of course, and that's about it. But as far as this script is concerned, the only real issue is that by default, it expects the cert files to be where acme.sh puts them--but it's easy enough to change that in the config file.

Something about acme.sh that might be helpful, especially when you're testing with the deploy script, is that its intent is to separate the "issue a cert" function from the "install a cert" function. If you're having trouble installing the cert, you don't have to issue a new one each time (thus likely hitting the rate limits). I don't always use it this way (and I should probably update this resource/the README to specify this), but a good way to go with acme.sh would be:
Code:
acme.sh --issue -d truenas.yourdomain.com (options)
acme.sh --install-cert -d truenas.yourdomain.com --reloadcmd "/path/to/deploy_freenas.py"

If there are errors with the deploy script, you can re-run the last command as many times as you want without triggering the rate limits, because it doesn't reissue the cert.
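As an added example (not from this thread and not part of the deploy-freenas project): a hypothetical wrapper to hand to --reloadcmd that sanity-checks the cert/key pair acme.sh produced before it invokes the deploy script, so a failed install is caught early and --install-cert can simply be re-run. CERT_DIR, the file names inside it and DEPLOY_CMD are assumptions based on acme.sh's default layout and the path used above.

```shell
#!/bin/sh
# Hypothetical --reloadcmd wrapper (added example, not part of deploy-freenas).
# It refuses to hand a missing, mismatched, expired or world-readable cert/key
# pair to the deploy script; acme.sh --install-cert can then simply be re-run.
set -u

# Assumed locations: acme.sh's default per-domain directory and the deploy
# script path used in the thread.
CERT_DIR="${CERT_DIR:-${HOME:-/root}/.acme.sh/truenas.yourdomain.com}"
DEPLOY_CMD="${DEPLOY_CMD:-/path/to/deploy_freenas.py}"

# check_pair CERT KEY: returns 0 when both files are present and non-empty,
# the key is owner-only, and (when openssl is available) the cert's public
# key matches the private key and the cert is not yet expired.
check_pair() {
    cert="$1"; key="$2"
    for f in "$cert" "$key"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done
    # Group/other bits of the mode string (characters 5-10 of ls -l output).
    case "$(ls -l "$key" | cut -c5-10)" in
        ------) ;;
        *) echo "private key $key is group/world readable" >&2; return 1 ;;
    esac
    if command -v openssl >/dev/null 2>&1; then
        cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
            || { echo "unreadable certificate: $cert" >&2; return 1; }
        kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
            || { echo "unreadable private key: $key" >&2; return 1; }
        [ "$cpub" = "$kpub" ] || { echo "certificate/key mismatch" >&2; return 1; }
        # An expired cert needs acme.sh --issue, not another install attempt.
        openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
            || { echo "certificate is expired" >&2; return 1; }
    fi
    return 0
}

# Run the deploy only when executed as the wrapper itself, not when sourced.
if [ "${0##*/}" = "reload_truenas.sh" ]; then
    check_pair "$CERT_DIR/fullchain.cer" "$CERT_DIR/truenas.yourdomain.com.key" || exit 1
    exec "$DEPLOY_CMD"
fi
```

Save it as reload_truenas.sh and pass it with --reloadcmd in place of the bare deploy script; the deploy script still reads the cert file locations from its own config file as described above.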
 

lucacris72

Cadet
Joined
May 13, 2021
Messages
4
Something about acme.sh that might be helpful, especially when you're testing with the deploy script, is that its intent is to separate the "issue a cert" function from the "install a cert" function. If you're having trouble installing the cert, you don't have to issue a new one each time (thus likely hitting the rate limits). I don't always use it this way (and I should probably update this resource/the README to specify this)
That's a good point.

I followed the guide you wrote and I adapted it to my situation. The script works perfectly and it imports the certificate correctly into the database. Thank you so much!
 