Monkey_Demon (Explorer; joined Nov 11, 2016; 85 messages)
Several years ago I purchased a Netgear ReadyNAS as a home server, largely to host Plex. A few years later Netgear came out with a new model and abandoned my version, so it no longer could run newer versions of Plex. Soon it was useless as a Plex server, and I was faced with the choice of buying a newer ReadyNAS and junking an otherwise perfectly good device that was only about 2 1/2 years old or doing something completely different. It was then that I decided to avoid manufacturers' planned obsolescence taxes by switching to a DIY NAS and relying as much as possible on FOSS components, like FreeNAS (FN).
Which brings me to today's question.
I'm trying to set up my server with https access to Plex (Plex Pass media server, actually), WebDAV storage, and a few other goodies. Because of some issues I was having with installing Plex in a warden jail, I decided to make the switch to 11.2 Beta2, and so far have been very happy with it. The most serious problem is not serious at all: some things have been moved around, so finding them requires relearning the GUI.
Also, for years I've been using free domain names from No-IP ddns, and I'm very happy with it. My Linksys router supports ddns only from No-IP.com and Dyn.com, and I'd probably have to change the firmware from stock to something like DD-WRT to handle others. This is not on my agenda right now because I already have my hands full getting FN running the way I want.
Finally, in keeping with my new-found religion, I want to use Let's Encrypt (LE), the free Certificate Authority, for my SSL certificates.
But, never having worked before with SSL certificates and the like and a FN newbie, I feel like Alice in Rube-Goldberg land trying to fit the different pieces together, and I'm writing here hoping someone more experienced and smarter can help.
I have so many questions. I've found some guides for parts of the puzzle. This thread discusses using LE as a CA for No-IP, but it seems inconclusive and doesn't address FN. There are also many guides on how to use LE with FN. Some, like this one, by airflow, put a certificate issuance client in a jail and set up cron to update the certificate regularly. But besides presuming knowledge beyond my current pay grade (e.g., what's a "ports tree," and how does one upgrade it?), other posts, like this one by stitch, claim to supersede airflow's. Then there are plugin-specific guides like this one from b4bblefish, which seem to install the issuance clients in the same jails as the individual plugins. How can I find a guide that's most current, does sufficient hand-holding, and is most appropriate for my purposes?
And how do these jailed certificate renewals relate to FN's built-in CA & certificate capabilities? (Currently documented in Sections 6.12 and 6.13 of the FN 11.2-BETA2 User Guide.)
And exactly how does this all work? If the NAS itself has 1 to 4 IP addresses (one per LAN port), and each jail containing an app also has its own IP address, will a single issuance client like Acme get one certificate that all the IP addresses will share, does it get multiple certificates (1 per IP address), or does one need to set up a separate issuance client for each certificate? And suppose instead of appending a port number to a FQDN to distinguish one from another, someday the more intuitively obvious solution of pre-pending a subdomain (e.g. plex.mynas.ddns.net, webdav-share1.mynas.ddns.net, etc.) became common: would each FQDN need its own certificate then? Or, because some pre-pended names really map to specific ports on a common IP address while others use jail-specific static IP addresses on the local network, would a single certificate be shared by the external ISP-provided DHCP IP address, would all ports connected to a single local static IP address share a single certificate associated with the IP address, would each local IP address require its own certificate, or what? In other words, does the certificate link to the domain name, the IP address, or the IP address/port combination?
Obviously I'm lost here. Can you help me find my way through this maze? Please!!!
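The last question in the post (whether a certificate is tied to a domain name, an IP address, or an IP/port pair) is answered by looking at how a TLS client actually validates the server's certificate. The Python below is an added example, not code from the post, from FreeNAS, or from any ACME client: it implements the RFC 6125 name-matching rules a client applies to the certificate's Subject Alternative Name (SAN) entries and runs them over constructed certificates and targets. `mynas.ddns.net` and its subdomains are the placeholder names from the post; `192.168.1.10` is a made-up address; the `Cert` class is a stand-in that holds only SAN entries, not a real X.509 parser.

```python
"""Hostname-to-certificate matching as a TLS client performs it (added example).

A client compares the name it was asked to connect to against the SAN
entries of the server certificate.  The TCP port plays no part.  The
socket's IP address only matters when the client was given an IP literal,
in which case an iPAddress SAN entry must match and dNSName entries are
ignored.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Cert:
    """Stand-in for a certificate: only the SAN entries are kept."""
    dns_names: list = field(default_factory=list)   # SAN dNSName entries
    ip_addrs: list = field(default_factory=list)    # SAN iPAddress entries


def _dns_name_matches(pattern: str, host: str) -> bool:
    """Match one dNSName entry against a host (RFC 6125 section 6.4.3).

    Comparison is case-insensitive and ignores a trailing dot.  A wildcard is
    honoured only as the whole left-most label ("*.example.com"), it must
    leave at least two literal labels, and it covers exactly one label.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False            # "pl*.example.com" and "*.com" are rejected
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def _split_host(target: str) -> str:
    """Drop the port from "host:port", "[v6]:port" or a bare host/IP."""
    if target.startswith("["):              # "[2001:db8::1]:443"
        return target[1:target.index("]")]
    if target.count(":") == 1:              # "host:port" or "v4:port"
        return target.split(":")[0]
    return target                           # bare host or bare IPv6 literal


def cert_matches(cert: Cert, target: str) -> bool:
    """Would a client connecting to `target` accept `cert`?"""
    host = _split_host(target)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # Connected by IP literal: only iPAddress SAN entries count.
        return any(ipaddress.ip_address(a) == ip for a in cert.ip_addrs)
    return any(_dns_name_matches(n, host) for n in cert.dns_names)


def demo() -> dict:
    """Constructed cases mirroring the questions in the post."""
    # One certificate issued for the NAS name plus two service names.
    nas_cert = Cert(dns_names=["mynas.ddns.net", "plex.mynas.ddns.net",
                               "webdav-share1.mynas.ddns.net"])
    wildcard_cert = Cert(dns_names=["mynas.ddns.net", "*.mynas.ddns.net"])
    # Public CAs will not put a private RFC 1918 address in a certificate;
    # this one could only come from an internal CA such as FreeNAS's own.
    lan_cert = Cert(ip_addrs=["192.168.1.10"])
    return {
        # Same name on two ports: the port is not part of the identity.
        "plex_443": cert_matches(nas_cert, "plex.mynas.ddns.net:443"),
        "plex_32400": cert_matches(nas_cert, "plex.mynas.ddns.net:32400"),
        # A name missing from the SAN list fails even on the same box.
        "unlisted_sub": cert_matches(nas_cert, "sonarr.mynas.ddns.net"),
        # A wildcard covers one label level only.
        "wild_one_level": cert_matches(wildcard_cert, "sonarr.mynas.ddns.net"),
        "wild_two_levels": cert_matches(wildcard_cert, "a.b.mynas.ddns.net"),
        # Connecting by IP literal ignores every dNSName entry.
        "by_ip": cert_matches(nas_cert, "192.168.1.10:443"),
        "by_ip_with_san": cert_matches(lan_cert, "192.168.1.10:443"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:16} {'accepted' if ok else 'REJECTED'}")
```

What the example shows: a certificate is bound to the names (or, rarely, IP addresses) listed in its SAN, never to a port, so one certificate carrying several dNSName entries, or a wildcard, serves every service reachable under those names regardless of which port or jail address each one listens on; a name not on the list fails even when it points at the same machine; and a client that connects by IP literal ignores dNSName entries entirely, which, since public CAs refuse to certify private RFC 1918 addresses, is the case where FreeNAS's built-in CA applies. When several names share one IP the service itself (Plex, the WebDAV server, or a reverse proxy in front of them) picks the certificate to present per connection via SNI, so an ACME client only has to obtain the certificate once and copy it to wherever each service reads its key and chain from.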