Dynamic DNS + Let's Encrypt on SCALE apps

Black_Duck

Thanks @danb35 that was helpful, but sadly, it appears that I can't use DNS API with my DDNS provider (freeDNS) as it won't work with FreeDNS public domains. Using standalone mode is not an option as it requires socat to be installed.
Back to the drawing board.

Black_Duck

@Black_Duck you might be right, after upgrading I get this error when running certbot


Did you find a workaround?
I found 2 options:
1. As @danb35 suggested, acme.sh. Thanks to his instructions above I managed to install and get acme.sh working. However, it does require that you use a DNS API, and this is not an option for my DDNS provider (freeDNS) for public domains. I did create a new domain name using DYNU provider (which does have DNS API), and it all works well. Note that the acme.sh deployment to truenas does not work. My guess is that it only supports core, not scale.
2. Use certbot in a container. linuxserver/swag is a docker container that sets up an Nginx webserver, but it also has a built-in certbot client that automates certificate generation and renewal processes (only for Let's Encrypt and ZeroSSL). Set it up as a custom app with appropriate environment variables and a dataset on your pool for the config file, and it generates the certificates at startup and renews them as required. The config directory contains the letsencrypt certificates and also the container's crontab. Add 'deploy_freenas.py' to the letsencrypt renewal entry to automate the truenas deployment. The whole thing works within the container - no Truenas cron entries, etc. Running a Nginx server (doing nothing tho) may be overkill, but it works nicely. I can provide more detailed instructions if anyone is interested.

Herman Eggink

@Black_Duck would you mind elaborating on the docker route? I used to have a cron job calling certbot which, unfortunately, no longer works. It was a simple "certbot renew --config-dir /path_to_certs".

Black_Duck

Hi @Herman Eggink.
Sure. Here are the instructions for setting up certificate renewal using certbot in a container using linuxserver/swag.
The instructions below assume that you have a pool (called "pool") with a dataset called "applications" that contains your application datasets.

Pre-Install

  1. Create a dataset to be used by the container. In this example I will be using dataset "/mnt/pool/applications/swag"
  2. Optional - To make things easier to edit etc. consider setting up a share to this dataset.
  3. Set up your router with a port forward from port 80 to port 10080 on the TrueNAS server.
  4. Set up your DDNS account.

Set up Container

Initial Container Settings

Within TrueNAS Apps add a "Custom App"
Application Settings:
  • Application Name:
    • "Application Name" = "swag" (or what ever other name you wish to call the container)
  • Container Images:
    • "Image repository" = "linuxserver/swag"
    • "Image Tag" = latest
  • Container Environment Variables:
    • Add "Environment Variable" for Domain Name
      • "Environment Variable Name" = "URL"
      • "Environment Variable Value" = [your DNS Name from you DDNS account]
    • Add "Environment Variable" for Email Address
      • "Environment Variable Name" = "EMAIL"
      • "Environment Variable Value" = [your email address]
  • Port Forwarding
    • Add
      • "Container Port" = "80"
      • "Node Port" = "10080"
      • "Protocol" = TCP
  • Storage
    • Add "Extra Host Path Volume" (to be used to store the configuration files)
      • "Mount Path in Pod" = "/config"
      • "Host Path" = "/mnt/pool/applications/swag/config" (or whatever you created for your dataset in the pre-install step 1.
  • Workload Details
    • Tick `Configure Container User and Group ID`
      • "Run Container As User" = 0 (I know 0 works but you could try 568)
      • "Run Container As Group" =0 (or you could try 568)
The applications settings can now be "saved". Container will automatically start.
Container will immediately generate certificates in: "/mnt/pool/applications/swag/etc/config"
The container will renew the certificates as required - there is a cronjob in the container that checks for renewal every day (see below).

Optional - Set up Certificate deployment to TrueNAS Using `deploy-freenas.sh`

This is an optional step if you wish to deploy the certificates to Truenas. This allows you to use the certificate for your https login.
This uses @danb35 "deploy-freenas.sh" script.
  1. Get API key from Truenas and save it.
  2. Download the shell script from GitHub
    1. SSH into your Truenas server and issue the following commands
      1. "cd /mnt/pool/applications/swag"
      2. "git clone https://github.com/danb35/deploy-freenas"
  3. Go to "/mnt/pool/applications/swag/deploy-freenas"
  4. Create the configuration file by editing "deploy_config.example" and saving it as "deploy_config". The following changes are required:
    • api_key = [whatever the API key you saved from step 1 above]
    • cert_fqdn = [your DNS Name from your DDNS account]
    • connect_host = [Truenas IP address - eg 192.168.0.200]
    • privkey_path = /config/etc/letsencrypt/live/[your DNS]/privkey.pem
    • fullchain_path = /config/etc/letsencrypt/live/[your DNS]/fullchain.pem
    • protocol = https://
    • port = 443
To test out the deployment log into the swag container shell and execute the command "/config/deploy-freenas/deploy_freenas.py". This will deploy the certificate created above into TrueNAS.
If all works well then you need to add the command to the application (swag) cronjob.

Go to "/mnt/pool/applications/swag/crontab" and edit the file "root" by changing the last line (renew letsencrypt certs) from:
"8 2 * * * /app/le-renew.sh >> /config/log/letsencrypt/letsencrypt.log 2>&1"​
to​
"8 14 * * 5 /app/le-renew.sh >> /config/log/letsencrypt/letsencrypt.log 2>&1;/config/deploy-freenas/deploy_freenas.py >> /config/log/letsencrypt/letsencrypt.log"​
This changes the execution from daily to weekly and adds the deployment of the certificate the TrueNAS. Results from both actions are appended to the letsencrypt log.
Update: Linuxserver have changed the way they handle cronjobs in their containers. See here. You will need to add the following Container Environment Variable to the Application Settings:
  • "Environment Variable Name" = "DOCKER_MODS"
  • "Environment Variable Value" = "linuxserver/mods:universal-cron"
Save file and restart the application.

The certificates will be automatically deployed to the TrueNAS server when they update.
That's it. The container will renew the certificates as required and redeploy them to Truenas as well.

Using the certificates within applications

Add link to the certificates in your application configuration (e.g. Home Assistant). To do this:
  • Add "Extra Host Path Volume", with a "Mount Path in Pod" set to "/etc/letsencrypt" and the "Host Path" set to "/mnt/pool/applications/swag/etc/letsencrypt"
If you are using Home Assistant you will also need to update "configuration.yaml" accordingly.

I've been running the above configuration for 2 months now and all works well. Let me know if you run into any issues.
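The cron entry above only logs what happened; nothing tells you whether the TrueNAS web UI actually picked up the renewed certificate. The following added check (my own example, not code from the post or from the deploy-freenas project) fingerprints the leaf certificate in the dataset's fullchain.pem and compares it with what TrueNAS presents on its HTTPS port, reading the host, port and chain path from deploy_config. It assumes deploy_config is an INI file with a [deploy] section (an assumption); the sample PEM blocks and config are constructed, not real certificates.

```python
"""Verify that the certificate TrueNAS serves is the one SWAG renewed.
Added example, not code from the post or from deploy-freenas. Assumes (an
assumption) that deploy_config is an INI file with a [deploy] section holding
the connect_host, port and fullchain_path keys listed in the post."""
import base64
import configparser
import hashlib
import socket
import ssl

def first_cert(pem: str) -> str:
    """Return only the first certificate block: fullchain.pem holds leaf plus
    intermediates, and ssl.PEM_cert_to_DER_cert() rejects a multi-cert string."""
    start = pem.index(ssl.PEM_HEADER)
    end = pem.index(ssl.PEM_FOOTER, start) + len(ssl.PEM_FOOTER)
    return pem[start:end]

def pem_sha256(pem: str) -> str:
    """SHA-256 fingerprint (hex) of the leaf certificate in a PEM string."""
    der = ssl.PEM_cert_to_DER_cert(first_cert(pem))
    return hashlib.sha256(der).hexdigest()

def served_sha256(host: str, port: int = 443) -> str:
    """Fingerprint of whatever certificate host:port presents (no validation,
    since a stale or self-signed TrueNAS cert is exactly what we want to catch)."""
    socket.setdefaulttimeout(10)
    return pem_sha256(ssl.get_server_certificate((host, port)))

def load_targets(config_text: str) -> tuple[str, int, str]:
    """Pull connect_host, port (default 443) and fullchain_path from deploy_config."""
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    s = cfg["deploy"]
    return s["connect_host"], int(s.get("port", "443")), s["fullchain_path"]

def check(config_path: str) -> tuple[str, str, bool]:
    """Return (fingerprint in dataset, fingerprint served, whether they match)."""
    with open(config_path) as f:
        host, port, chain_path = load_targets(f.read())
    with open(chain_path) as f:
        local_fp = pem_sha256(f.read())
    served_fp = served_sha256(host, port)
    return local_fp, served_fp, local_fp == served_fp

# Constructed sample data for offline testing: two fake PEM blocks and a config.
_LEAF = base64.encodebytes(b"constructed sample leaf, not a real certificate").decode()
_INTER = base64.encodebytes(b"constructed sample intermediate").decode()
SAMPLE_LEAF = f"{ssl.PEM_HEADER}\n{_LEAF}{ssl.PEM_FOOTER}\n"
SAMPLE_FULLCHAIN = SAMPLE_LEAF + f"{ssl.PEM_HEADER}\n{_INTER}{ssl.PEM_FOOTER}\n"
SAMPLE_CONFIG = "[deploy]\nconnect_host = 192.168.0.200\nport = 443\n" \
    "fullchain_path = /config/etc/letsencrypt/live/example.invalid/fullchain.pem\n"
```

From the swag container shell, `check("/config/deploy-freenas/deploy_config")` returns False in the third slot when the cron deployment did not take effect, which is worth alerting on after each weekly run.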

Herman Eggink

Many thanks @Black_Duck, works like a charm, although I had to change some things as it generated slightly different certificates from what I had before. All good now and much easier.