FreeNAS 11.2, No-IP, & Let's Encrypt confusion

Status
Not open for further replies.

Monkey_Demon

Explorer
Joined
Nov 11, 2016
Messages
85
Several years ago I purchased a Netgear ReadyNAS as a home server, largely to host Plex. A few years later Netgear came out with a new model and abandoned my version, so it no longer could run newer versions of Plex. Soon it was useless as a Plex server, and I was faced with the choice of buying a newer ReadyNAS and junking an otherwise perfectly good device that was only about 2 1/2 years old or doing something completely different. It was then that I decided to avoid manufacturers' planned obsolescence taxes by switching to a DIY NAS and relying as much as possible on FOSS components, like FreeNAS (FN).

Which brings me to today's question.

I'm trying to set up my server with https access to Plex (Plex Pass media server, actually), WebDAV storage, and a few other goodies. Because of some issues I was having with installing Plex in a warden jail, I decided to make the switch to 11.2 Beta2, and so far have been very happy with it. The most serious problem is not serious at all: some things have been moved around, so finding them requires relearning the GUI.

Also, for years I've been using free domain names from No-IP ddns, and I'm very happy with it. My Linksys router supports ddns only from No-IP.com and Dyn.com, and I'd probably have to change the firmware from stock to something like DD-WRT to handle others. This is not on my agenda right now because I already have my hands full getting FN running the way I want.

Finally, in keeping with my new-found religion, I want to use Let's Encrypt (LE), the free Certificate Authority, for my SSL certificates.

But, never having worked before with SSL certificates and the like and a FN newbie, I feel like Alice in Rube-Goldberg land trying to fit the different pieces together, and I'm writing here hoping someone more experienced and smarter can help.

I have so many questions. I've found some guides for parts of the puzzle. This thread discusses using LE as a CA for No-IP, but it seems inconclusive and doesn't address FN. There are also many guides on how to use LE with FN. Some, like this one, by airflow, put a certificate issuance client in a jail and set up cron to update the certificate regularly. But besides presuming knowledge beyond my current pay grade (e.g., what's a "ports tree," and how does one upgrade it?), other posts, like this one by stitch, claim to supersede airflow's. Then there are plugin-specific guides like this one from b4bblefish, which seem to install the issuance clients in the same jails as the individual plugins. How can I find a guide that's most current, does sufficient hand-holding, and is most appropriate for my purposes?

And how do these jailed certificate renewals relate to FN's built-in CA & certificate capabilities? (Currently documented in Sections 6.12 and 6.13 of the FN 11.2-BETA2 User Guide.)

And exactly how does this all work? If the NAS itself has 1 to 4 IP addresses (one per LAN port), and each jail containing an app also has its own IP address, will a single issuance client like Acme get one certificate that all the IP addresses will share, does it get multiple certificates (1 per IP address), or does one need to set up a separate issuance client for each certificate? And suppose instead of appending a port number to a FQDN to distinguish one from another, someday the more intuitively obvious solution of pre-pending a subdomain (e.g. plex.mynas.ddns.net, webdav-share1.mynas.ddns.net, etc.) became common: would each FQDN need its own certificate then? Or, because some pre-pended names really map to specific ports on a common IP address while others use jail-specific static IP addresses on the local network, would a single certificate be shared by the external ISP-provided DHCP IP address, would all ports connected to a single local static IP address share a single certificate associated with the IP address, would each local IP address require its own certificate, or what? In other words, does the certificate link to the domain name, the IP address, or the IP address/port combination?

Obviously I'm lost here. Can you help me find my way through this maze? Please!!!

Monkey_Demon

Explorer
Joined
Nov 11, 2016
Messages
85
Not yet. I posted something similar on the Let's Encrypt board and received a few promising answers. I haven't had the chance to try them yet.

Thanks for asking.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
As you were already told on the Let's Encrypt forums, you don't need to create a certificate for Plex, as it generates its own certificate.
In other words, does the certificate link to the domain name, the IP address, or the IP address/port combination?
The domain name--more precisely, the FQDN. If you have a certificate for mynas.ddns.net, and only that name, it will not also be valid for webdav.mynas.ddns.net. You can address that by either getting separate certs for each service you want to use TLS with; by getting a wildcard cert (that would cover *.mynas.ddns.net); or by putting all the FQDNs into a single cert.

IP addresses don't appear in a certificate (well, not a Let's Encrypt cert, anyway; some other CAs do issue certs for IP addresses in some cases). Ports never appear in a cert.
If the NAS itself has 1 to 4 IP addresses (one per LAN port),
If it has multiple IP addresses, they all need to be in different subnets. It would be a very rare home installation that would have a use for more than one NIC.

Edit: And as this thread isn't remotely related to user authentication, it should probably be moved to another forum. @Ericloewe?
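Added example (not from this thread or from any FreeNAS or Let's Encrypt code) illustrating danb35's point: a matcher that applies the usual browser hostname rules to a certificate's Subject Alternative Name list, so you can see which sample FQDNs a single-name, wildcard, or multi-SAN cert covers, and that the port and the IP address play no part. The SAN lists and URLs are constructed sample values.

```python
"""Which hostnames does a certificate cover?

A Let's Encrypt certificate is bound to the FQDNs listed in its Subject
Alternative Name (SAN) extension, never to an IP address or a port.  The
matcher below applies the usual RFC 6125 style rules: an exact (case-
insensitive) match, or a wildcard that stands in for exactly one leftmost
label.  All names and URLs here are constructed sample values.
"""
import ipaddress
from urllib.parse import urlsplit


def _name_match(pattern, host):
    """Match one SAN dNSName entry (maybe a wildcard) against a hostname."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    # '*' covers exactly one label: *.mynas.ddns.net matches
    # plex.mynas.ddns.net but neither mynas.ddns.net (the apex) nor
    # a.b.mynas.ddns.net (two labels deep).
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(san_names, url):
    """True if a cert whose SAN dNSNames are `san_names` is valid for `url`.

    Only the hostname is compared; the port (e.g. :32400 for Plex) and the
    address the name resolves to are irrelevant to certificate validation.
    """
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)   # an IP literal never matches a dNSName
        return False
    except ValueError:
        pass
    return any(_name_match(name, host) for name in san_names)


if __name__ == "__main__":
    single = ["mynas.ddns.net"]
    wildcard = ["*.mynas.ddns.net"]
    multi = ["mynas.ddns.net", "plex.mynas.ddns.net",
             "webdav-share1.mynas.ddns.net"]
    for label, sans in (("single", single), ("wildcard", wildcard),
                        ("multi-SAN", multi)):
        for url in ("https://mynas.ddns.net/",
                    "https://plex.mynas.ddns.net:32400/web",
                    "https://webdav-share1.mynas.ddns.net:8443/",
                    "https://192.168.1.10:32400/"):
            print(f"{label:9} cert  {url:45} {cert_covers(sans, url)}")
```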