Let's Encrypt Local Servers and Devices 1.0

Basil Hendroff (Neophyte Sage, joined Jan 4, 2014, 1,303 messages)
Basil Hendroff submitted a new resource:

Let's Encrypt Local Servers and Devices - A Let's Encrypt toolbox for issuing and renewing certificates for internal servers and devices.

When accessing internal servers and devices, are you tired of seeing warning messages from your browser informing you that 'Your connection is not secure'? Want to set up secure communication for supported systems?

This scripted resource builds a Let's Encrypt toolbox in a jail including acme.sh, an LE client, and an eclectic collection of useful tools for centrally managing LE certificates for a variety of systems. The following systems are currently supported:
  1. FreeNAS/TrueNAS...
 

KevDog (Senior Member, joined Nov 26, 2016, 430 messages)
Wow, a lot of work. I'm sorry, what does this script actually do? I was a little confused about what this jail actually does. Sorry about the dumb question.
 

Basil Hendroff (Neophyte Sage, joined Jan 4, 2014, 1,303 messages)
what does this script actually do?
Good question! First a bit of background.
  1. Let's Encrypt (LE) is a non-profit Certificate Authority (CA) that, since about April 2016, has been providing, at no charge, digital certificates needed in order to enable HTTPS (SSL/TLS) for websites. Prior to that time, obtaining a certificate for HTTPS meant spending a fair sum of money through a trusted CA to gain the ability to encrypt traffic for your website. The catch - LE certificates are only valid for 90 days.

  2. The availability of free certificates appears to have emboldened major browser developers in more recent times. Major web browsers - Mozilla Firefox, Microsoft Edge, Apple Safari, Google Chrome - are now providing more aggressive warnings about insecure sites.

  3. There are a whole bunch of resources (such as LE clients and Caddy Server) that make it straightforward to automatically renew LE certificates for publicly available webservers. However, it's quite a different story trying to find resources for issuing LE certificates for internal, non-internet facing servers and devices. @danb35 spearheaded an initiative early in 2018 to deploy LE certs to FreeNAS servers using acme.sh, an LE client, together with deploy_freenas.py, a python script that can write to FreeNAS middleware. Refer to the community resource Let's Encrypt with FreeNAS 11.1 and later for more information. In more recent times, this has been expanded to cover TrueNAS servers as well and includes some you beaut' features like removing defunct LE certs from servers and enabling centralised cert deployment through the use of a /config switch.
So, armed with this background, the following should now make more sense.

The script creates a jail designed to meet these key objectives:
  1. Facilitate the centralised deployment of LE certificates to several groups of internal systems;
  2. Automate the issue and renewal of certificates for those systems (the script installs an acme.sh server in the jail to handle this).
  3. Best practice is to decouple a jail from its data. The script sets up the structures to store certificates and other data files outside the jail.
From a visual perspective (Mozilla Firefox is used in the examples below):

[Screenshot table with columns "Server/Device", "This resource turns this..." and "Into this...", one row each for FreeNAS/TrueNAS, HP iLO and FRITZ!Box]
 

KevDog (Senior Member, joined Nov 26, 2016, 430 messages)
Ok, with that explanation I totally get what your jail accomplishes. I wasn't aware that from inside a jail you could install LE certs on the host; I guess I learn something every day. I can't really complain about the state of things because I contribute zilch to the code, however it honestly struck me as quite odd that FreeNAS possessed a mechanism to obtain/renew LE certs using AWS DNS challenge, however they didn't support any other DNS providers. In fact I thought their entire SSL certificate mechanism implementation was kind of wonky. I really appreciated @danb35's script (I personally continue to use it), however in my humble opinion this LE certificate management capability should be incorporated into the main system. I also use pfSense as my router and their "built-in" ACME client couples really well with their HA-reverse proxy implementation. It's unclear to me why FreeNAS/TrueNAS couldn't incorporate something similar.

From what I know of the TrueNAS Scale project, I'm aware this project is attempting to support containerization heavily with K8s built in. It would seem somehow they could couple this "containerization idea" with a reverse proxy like traefik, since routing to various containers can be dynamically controlled by the containers themselves and not set a priori within a static reverse proxy configuration file, which would require reloading of the reverse proxy configuration file every time a new backend service was created or destroyed. Traefik is written in Go, similar to Caddy, and both automatically handle LE certificate management, which is really great. I'm not totally familiar with Caddy since this is the reverse proxy I've used the least, but I don't believe it can do dynamic routing and load balancing to a cluster of containers whose numbers and availability may change.
 

Basil Hendroff (Neophyte Sage, joined Jan 4, 2014, 1,303 messages)
it honestly struck me as quite odd that FreeNAS possessed a mechanism to obtain/renew LE certs using AWS DNS challenge, however they didn't support any other DNS providers
I agree. It's one of the top 10 voted for requests in JIRA (ticket #NAS-104912). It's garnered a lot of support, but there appears to be next to no movement on it.

Anyway (shameless plug!), this resource, through acme.sh DNS API Integration, extends the number of supported DNS providers to almost 130. In addition, if your DNS Provider is not currently supported, it's possible to roll your own custom API.

 
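As an added illustration of the "roll your own custom API" option mentioned above (example code written for this thread, not part of the resource or of acme.sh), this is the shape of a custom acme.sh DNS hook: the provider name myapi, the MYAPI_Token variable and the local zone file used as a stand-in for the provider's API are all assumptions.

```shell
# dns_myapi.sh: skeleton of a custom acme.sh DNS API hook for a hypothetical provider "myapi".
# acme.sh (invoked as: acme.sh --issue --dns dns_myapi -d nas.example.internal) calls
# dns_myapi_add / dns_myapi_rm with the full TXT record name and value while it validates
# the DNS-01 challenge, so the internal host never needs to accept inbound HTTP.
# Stand-alone here, the "provider" is a constructed local zone file so the hook can be
# exercised offline; in a real hook the two record writes below would be HTTPS API calls.

MYAPI_ZONE_FILE="${MYAPI_ZONE_FILE:-/tmp/myapi-zone.txt}"

# acme.sh supplies these helpers; define minimal fallbacks when run outside acme.sh.
if ! command -v _info >/dev/null 2>&1; then
  _info() { printf '%s\n' "$*"; }
  _err() { printf 'ERROR: %s\n' "$*" >&2; }
  _readaccountconf_mutable() { :; }
  _saveaccountconf_mutable() { :; }
fi

# Usage: dns_myapi_add _acme-challenge.nas.example.internal "<challenge token>"
dns_myapi_add() {
  fulldomain="$1"
  txtvalue="$2"
  # The API token comes from the environment on the first --issue; acme.sh persists it in
  # account.conf for renewals. It is never written into the hook itself.
  MYAPI_Token="${MYAPI_Token:-$(_readaccountconf_mutable MYAPI_Token)}"
  if [ -z "$MYAPI_Token" ]; then
    _err "MYAPI_Token is not set; export it before the first --issue"
    return 1
  fi
  _saveaccountconf_mutable MYAPI_Token "$MYAPI_Token"
  _info "Adding TXT record for $fulldomain"
  printf '%s TXT "%s"\n' "$fulldomain" "$txtvalue" >> "$MYAPI_ZONE_FILE"
}

# Usage: dns_myapi_rm _acme-challenge.nas.example.internal "<challenge token>"
# Called after validation so challenge records do not accumulate in the zone.
dns_myapi_rm() {
  fulldomain="$1"
  txtvalue="$2"
  [ -f "$MYAPI_ZONE_FILE" ] || return 0
  _info "Removing TXT record for $fulldomain"
  grep -v -F "$fulldomain TXT \"$txtvalue\"" "$MYAPI_ZONE_FILE" > "$MYAPI_ZONE_FILE.tmp" || true
  mv "$MYAPI_ZONE_FILE.tmp" "$MYAPI_ZONE_FILE"
}

# Check helper (not part of the acme.sh contract): is the challenge record currently present?
myapi_has_record() {
  grep -q -F "$1 TXT \"$2\"" "$MYAPI_ZONE_FILE" 2>/dev/null
}
```

The file goes in acme.sh's dnsapi directory under the name dns_myapi.sh; the add/rm function names must match the --dns argument exactly.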

KevDog (Senior Member, joined Nov 26, 2016, 430 messages)
Nice work -- holy crap. That's a lot -- no shameless plug there.
 

danb35 (Wizened Sage, joined Aug 16, 2011, 11,867 messages)
this LE certificate management capability should be incorporated into the main system.
Well, it is, but (as yet) only for one DNS provider--though now that they've rolled out TrueNAS on AWS, I see why they chose that one. They've made a separate ticket (I don't know why) that looks like they might at least add Cloudflare:

There is a bit of a UI problem, though--pretty much every DNS host is going to require different credentials. That means that the form needs to change for every provider, which sounds like a lot of hard-coding. I wouldn't think (not that my opinion means anything) this means it's impossible, just tedious.
 