Hi @Herman Eggink.
Sure. Here are the instructions for setting up certificate renewal using certbot in a container using linuxserver/swag.
The instructions below assume that you have a pool (called "pool") with a dataset called "applications" that contains your application datasets.
Pre-Install
- Create a dataset to be used by the container. In this example I will be using dataset "/mnt/pool/applications/swag".
- Optional - To make things easier to edit etc., consider setting up a share to this dataset.
- Set up your router with a port forward from port 80 to port 10080 on the TrueNAS server.
- Set up your DDNS account.
Set up Container
Initial Container Settings
Within TrueNAS Apps, add a "Custom App".
Application Settings:
- Application Name:
  - "Application Name" = "swag" (or whatever other name you wish to call the container)
- Container Images:
  - "Image repository" = "linuxserver/swag"
  - "Image Tag" = latest
- Container Environment Variables:
  - Add "Environment Variable" for Domain Name
    - "Environment Variable Name" = "URL"
    - "Environment Variable Value" = [your DNS Name from your DDNS account]
  - Add "Environment Variable" for Email Address
    - "Environment Variable Name" = "EMAIL"
    - "Environment Variable Value" = [your email address]
- Port Forwarding
  - Add
    - "Container Port" = "80"
    - "Node Port" = "10080"
    - "Protocol" = TCP
- Storage
  - Add "Extra Host Path Volume" (to be used to store the configuration files)
    - "Mount Path in Pod" = "/config"
    - "Host Path" = "/mnt/pool/applications/swag/config" (or whatever you created for your dataset in pre-install step 1)
- Workload Details
  - Tick `Configure Container User and Group ID`
  - "Run Container As User" = 0 (I know 0 works but you could try 568)
  - "Run Container As Group" = 0 (or you could try 568)
The application settings can now be "saved". The container will automatically start.
The container will immediately generate certificates in: "/mnt/pool/applications/swag/etc/config"
The container will renew the certificates as required - there is a cronjob in the container that checks for renewal every day (see below).
Optional - Set up certificate deployment to TrueNAS using `deploy-freenas.sh`
This is an optional step if you wish to deploy the certificates to TrueNAS. This allows you to use the certificate for your https login.
This uses @danb35's "deploy-freenas.sh" script.
- Get an API key from TrueNAS and save it.
- Download the shell script from GitHub:
  - SSH into your TrueNAS server and issue the following commands:
    - "cd /mnt/pool/applications/swag"
    - "git clone https://github.com/danb35/deploy-freenas"
- Go to "/mnt/pool/applications/swag/deploy-freenas"
- Create the configuration file by editing "deploy_config.example" and saving it as "deploy_config". The following changes are required:
  - api_key = [whatever API key you saved from step 1 above]
  - cert_fqdn = [your DNS Name from your DDNS account]
  - connect_host = [TrueNAS IP address - e.g. 192.168.0.200]
  - privkey_path = /config/etc/letsencrypt/live/[your DNS]/privkey.pem
  - fullchain_path = /config/etc/letsencrypt/live/[your DNS]/fullchain.pem
  - protocol = https://
  - port = 443
To test out the deployment, log into the swag container shell and execute the command "/config/deploy-freenas/deploy_freenas.py". This will deploy the certificate created above into TrueNAS.
If all works well, then you need to add the command to the application (swag) cronjob.
Go to "/mnt/pool/applications/swag/crontab" and edit the file "root" by changing the last line (renew letsencrypt certs) from:
"8 2 * * * /app/le-renew.sh >> /config/log/letsencrypt/letsencrypt.log 2>&1"
to
"8 14 * * 5 /app/le-renew.sh >> /config/log/letsencrypt/letsencrypt.log 2>&1;/config/deploy-freenas/deploy_freenas.py >> /config/log/letsencrypt/letsencrypt.log 2>&1"
This changes the execution from daily to weekly and adds the deployment of the certificate to TrueNAS. Results (including errors) from both actions are appended to the letsencrypt log.
Update: Linuxserver have changed the way they handle cronjobs in their containers. See here. You will need to add the following Container Environment Variable to the Application Settings:
- "Environment Variable Name" = "DOCKER_MODS"
- "Environment Variable Value" = "linuxserver/mods:universal-cron"
Save the file and restart the application.
The certificates will be automatically deployed to the TrueNAS server when they update.
That's it. The container will renew the certificates as required and redeploy them to TrueNAS as well.
Using the certificates within applications
Add a link to the certificates in your application configuration (e.g. Home Assistant). To do this:
- Add an "Extra Host Path Volume", with "Mount Path in Pod" set to "/etc/letsencrypt" and "Host Path" set to "/mnt/pool/applications/swag/etc/letsencrypt"
If you are using Home Assistant, you will also need to update "configuration.yaml" accordingly.
I've been running the above configuration for 2 months now and all works well. Let me know if you run into any issues.
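As an added example (not from the post above, the linuxserver/swag image or the deploy-freenas project), here is a wrapper for the weekly cron line that logs stderr of both commands and runs deploy_freenas.py only when fullchain.pem has actually changed since the last successful deploy, so an unchanged certificate is not pushed to TrueNAS every week. It assumes the container paths from the post (/app/le-renew.sh, /config/deploy-freenas/deploy_freenas.py, /config/etc/letsencrypt/live), a state file path of my own choosing, and that sha256sum or shasum exists in the container.

```shell
#!/bin/sh
# Added example wrapper for the post's two cron commands: deploy to TrueNAS only
# when the certificate changed. Not part of the post, swag or deploy-freenas.
# Assumed container paths (from the post); all can be overridden via the environment.
LIVE_DIR="${LIVE_DIR:-/config/etc/letsencrypt/live}"
LOG="${LOG:-/config/log/letsencrypt/letsencrypt.log}"
STATE="${STATE:-/config/deploy-freenas/.last_deployed_sha256}"   # assumed state file

# SHA-256 of a file; sha256sum (coreutils/busybox) or shasum (macOS) as a fallback.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# True (exit 0) when certificate $1 differs from the hash recorded in $2,
# or when nothing has been recorded yet. False when the file is unreadable.
cert_changed() {
  cert="$1"; state="$2"
  [ -r "$cert" ] || return 1
  new="$(file_sha256 "$cert")"
  old=""
  if [ -r "$state" ]; then old="$(cat "$state")"; fi
  [ "$new" != "$old" ]
}

# Remember the hash of $1 in $2 once a deploy has succeeded.
record_deployed() {
  file_sha256 "$1" > "$2"
}

# Renew (always), then deploy to TrueNAS only if fullchain.pem changed.
renew_and_deploy() {
  fullchain="$LIVE_DIR/$1/fullchain.pem"
  /app/le-renew.sh >> "$LOG" 2>&1
  if cert_changed "$fullchain" "$STATE"; then
    if /config/deploy-freenas/deploy_freenas.py >> "$LOG" 2>&1; then
      record_deployed "$fullchain" "$STATE"
    else
      echo "$(date -u +%FT%TZ) deploy_freenas.py failed; fingerprint not recorded" >> "$LOG"
    fi
  else
    echo "$(date -u +%FT%TZ) certificate unchanged; deploy skipped" >> "$LOG"
  fi
}
# Cron usage: 8 14 * * 5 /config/renew_and_deploy.sh your.dns.name
if [ "$#" -gt 0 ]; then renew_and_deploy "$1"; fi
```

Because the fingerprint is recorded only after deploy_freenas.py exits successfully, a failed deploy is retried on the next run instead of being silently skipped.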