how to renew letsencrypt external certificate?

odoyle

Explorer
Joined
Sep 2, 2014
Messages
62
I'm completely lost on how I am supposed to renew a letsencrypt certificate I set up using this guide:

I have the cert, I have the csr, I'm staring at this page in the GUI and don't know what to do..
Also, I read in some older posts (like 2017) that there was a way to have these auto-renew?
Any guidance would be appreciated..


odoyle

I'm seeing it expires Aug 25 and got an email from letsencrypt saying so.. Am I reading this wrong? Where do you see July 25th? Sorry, I have no clue about this stuff..
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
You didn't blank out your domain in all of the places of your screen shot, so I was able to look it up on crt.sh. You'll see there that there was another cert issued on 7/25, which is when renewal should have happened, and then two more on 8/15.
 

odoyle

haha, thanks! So I must have renewed it somehow today clicking around.. but why if it renewed in July did I get an email today?
 

Gti4life

Dabbler
Joined
May 16, 2022
Messages
12
great thanks

I was having a hard time figuring out how to update the cert
that's how I found this thread
 

neofusion

Contributor
Joined
Apr 2, 2022
Messages
159
If you didn't change the renewal timer, TrueNAS will attempt to renew the certificate when 10 days remain until the certificate expires.

The recommended practice is to do so when 30 days remain of a standard 90-day Let's Encrypt certificate and Let's Encrypt therefore emails you a warning 20, 10 and 1 day(s) ahead of the impending certificate mayhem.

In other words, if you leave the renew timer at the default value, you will get 1 - 2 email warnings every cycle.

Edit: To clarify, I'm of the opinion that you should be able to trust the UI to offer you sane defaults and that the certificate UI, as it currently exists today, does not do that.
 

danb35

> If you didn't change the renewal timer, TrueNAS will attempt to renew the certificate when 10 days remain until the certificate expires.
That seems like a poor design decision--is there a place to change it? I didn't see one looking through the SCALE UI.
 

neofusion

> That seems like a poor design decision--is there a place to change it? I didn't see one looking through the SCALE UI.
The certificate UI leaves ample room for, shall we say... improvement.

Short answer is that you can change the renewal time when you have set up the ACME-DNS Authenticator and created the CSR.
TrueCharts has an excellent video guide I personally used to set it up that explains the entire process; jump to 2:26-ish and the guy opens the part of the UI that, among other things, lets you change the renewal time.

I have previously used the acme.sh (cli) client for cert creation with much success and renewal but was flabbergasted by the cert UI in TrueNAS. The pieces are clearly there which I guess is a bare minimum but nowhere is the process fully laid out. The official documentation also leaves you wanting.
 

danb35

> flabbergasted by the cert UI in TrueNAS.
Likewise--unless there's some non-obvious reason, needing to manually create a CSR for the sole purpose of requesting a Let's Encrypt cert is just madness, to name just one problem. And at least they now have Cloudflare in the UI (in SCALE, though not yet in CORE), but it still leaves a lot to be desired.
 

neofusion

> Likewise--unless there's some non-obvious reason, needing to manually create a CSR for the sole purpose of requesting a Let's Encrypt cert is just madness, to name just one problem. And at least they now have Cloudflare in the UI (in SCALE, though not yet in CORE), but it still leaves a lot to be desired.
Indeed, the CSR part had me stumped until I found a video detailing the workflow/process from start to finish. Maybe they should just link that video, or make their own, and put that in their documentation? :wink:

The basic-level implementation and lack of DNS-provider diversity suggest to me that they ran out of time. It's hopefully a stopgap solution until they have time to revise it fully...
 

danb35

> until they have time to revise it fully...
It's better than it was--when I filed my ticket 2.5 years ago, the only one was Route53--which is still the only thing available in CORE. But that doesn't bode well for ever seeing anything else there.
 

danb35

They're set to private by default, but I got around to opening tickets for the two issues mentioned on this thread.
"certificate renew days" should default to 30, not 10:

Get rid of the CSR step:
 

neofusion

> They're set to private by default, but I got around to opening tickets for the two issues mentioned on this thread.
> "certificate renew days" should default to 30, not 10:
I should have posted this here but I also made a ticket about the same thing a couple of months back:

No replies to it as of yet.
 

danb35

I voted for your issue; once they make mine public you can vote for it; maybe some day they'll make the change.
 

aednichols

Dabbler
Joined
Oct 1, 2022
Messages
11
> The certificate UI leaves ample room for, shall we say... improvement.
>
> Short answer is that you can change the renewal time when you have set up the ACME-DNS Authenticator and created the CSR.
> TrueCharts has an excellent video guide I personally used to set it up that explains the entire process; jump to 2:26-ish and the guy opens the part of the UI that, among other things, lets you change the renewal time.
>
> I have previously used the acme.sh (cli) client for cert creation with much success and renewal but was flabbergasted by the cert UI in TrueNAS. The pieces are clearly there which I guess is a bare minimum but nowhere is the process fully laid out. The official documentation also leaves you wanting.
I registered just to say thank you. I had actually seen that video and even left a comment, but the significance of the renewal field escaped me when I first ran through the flow six months ago. I re-did my cert just now to stop the emails.

Is it excessive to set a 60 day renewal so I get a new cert every 30 days? If something goes wrong, it's easier to debug the sooner I notice it, since last having tinkered with a thing...
 

danb35

> Is it excessive to set a 60 day renewal so I get a new cert every 30 days?
Kind of, yeah. You aren't likely to violate any rate limits that way, but 30 days should still be ample time to troubleshoot any renewal issues.
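
The renewal-window arithmetic discussed in this thread, as an added example that is not part of any poster's message and not TrueNAS code: a small model of one 90-day certificate cycle for the 10, 30 and 60 day settings mentioned above. The `failing_days` parameter, the same-day race between renewal and warning, and the rule that a warning is only sent for a certificate that has not yet been replaced are assumptions of this model.

```python
"""Model one certificate cycle for a given "renew days" setting (constructed model)."""

LIFETIME_DAYS = 90      # standard Let's Encrypt lifetime, as stated in the thread
WARN_AT = (20, 10, 1)   # days-before-expiry of the warning emails, as stated in the thread


def cycle(renew_days, failing_days=0, lifetime=LIFETIME_DAYS, warn_at=WARN_AT):
    """Describe one certificate cycle.

    renew_days   -- the client starts renewing when this many days remain
    failing_days -- hypothetical: days the renewal keeps failing before it succeeds
    Assumption: a warning is sent only while the certificate has not been replaced.
    """
    if not 0 < renew_days < lifetime:
        raise ValueError("renew_days must be between 1 and lifetime - 1")
    if failing_days < 0:
        raise ValueError("failing_days cannot be negative")

    # Validity left on the old certificate at the moment renewal finally works.
    left_at_renewal = renew_days - failing_days
    return {
        # How often a new certificate is issued when renewals succeed first time.
        "reissue_every_days": lifetime - renew_days,
        "days_left_at_renewal": left_at_renewal,
        "expired_before_renewal": left_at_renewal <= 0,
        # Warnings that fire strictly before the renewal happens.
        "warnings_certain": [w for w in warn_at if w > left_at_renewal],
        # Warning due on the same day as the renewal: depends on which runs first.
        "warnings_possible": [w for w in warn_at if w == left_at_renewal],
    }


if __name__ == "__main__":
    for days in (10, 30, 60):
        print("renew_days =", days, cycle(days))
    # Same settings, but the renewal is broken for 12 days before someone fixes it.
    for days in (10, 30):
        print("renew_days =", days, "failing 12 days:", cycle(days, failing_days=12))
```

With the default of 10 the model yields one certain warning (20 days) and one possible warning (10 days), and a renewal that fails for 12 days runs past expiry; with 30 the same failure still leaves 18 days of validity.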
 