Register for the iXsystems Community to get an ad-free experience and exclusive discounts in our eBay Store.

Let's Encrypt/Certbot support for HTTPS?

Status
Not open for further replies.

Michał Fita

Neophyte
Joined
May 19, 2016
Messages
7
Would it be possible to add support for Let's Encrypt automated HTTPS certification system and its tool Certbot? I'd like to have HTTPS for the web interface with some trustworthy root certificate behind what would free me from security errors in the browsers.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Possible? Maybe. If you really want to add this feature I'd recommend you file a feature request with bugs.freenas.org. ;)
 

danb35

Wizened Sage
Joined
Aug 16, 2011
Messages
11,734
Note that the only way this could work with certbot would be for the FreeNAS box to be directly exposed to the Internet. Not a good idea for many reasons.
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
Technically you just need a domain name that resolves to a server somewhere that you control and is available on the internet. Once you have the certs generated, you can use them anywhere you like. If you have a domain name already that points to your public IP, you can fire up a Linux distro in a VM and run the script to generate the certs.
 

danb35

Wizened Sage
Joined
Aug 16, 2011
Messages
11,734
OK, let me be a bit more precise. The only way that certbot, running on the FreeNAS box, could automatically obtain a cert without significant manual configuration would be for the FreeNAS box to be directly exposed to the Internet--or at least for port 80 on the FreeNAS box to be directly exposed. There are plenty of ways that a user can obtain an LE cert for a FreeNAS box, but certbot running on the box itself isn't going to be a good one without additional manual, site-specific configuration. Best option is probably one of the alternate clients that supports the DNS challenge, like letsencrypt.sh or acme.sh, and a DNS provider that has an API you can use to automate updates to your DNS records.

One thing that would really help, though, would be an ability to add/change the TLS cert through the API.
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
I was alluding to the fact that it can be done now as is. If I wanted to use my FreeNAS box for this, I would fire up a jail, mount the storage to save my certs to, and run it in a jail.

[emoji14]
 

kaipee

Member
Joined
Dec 20, 2014
Messages
26
Couldn't we just spin up a jail > set up Letsencrypt in the jail > map port 80 to the IP:port of the jail ?
Then save the certs and use them in all of the other 'live' jails and delete the temporary jail?

(I only need the SSL cert for remote access of certain plugins, etc. - not the FreeNAS WebGUI which I access over SSH Tunnel)
 

zoomzoom

Neophyte Sage
Joined
Sep 6, 2015
Messages
671
Would it be possible to add support for Let's Encrypt automated HTTPS certification system and its tool Certbot? I'd like to have HTTPS for the web interface with some trustworthy root certificate behind what would free me from security errors in the browsers.
If you're the only one who's going to be access it, why not create your own CA and cert, then install the CA into the trusted certificate store?

I have a link to a prebuilt openssl.cnf config in my signature, with all commands you'll need at the bottom of the file (starting at line 330). You'll need to spend 2 or 3 minutes customizing a few parts, such as the alt_freenas section for your server (Establish Subject Alternative Names heading), utilizing the v3_freenas in the command for FreeNAS certificate (it's imperative you do change any of the V3 profiles to contain less options than they currently contain, as I created the config to be security conscious).
 
Status
Not open for further replies.
Top