Let's Encrypt Local Servers and Devices

Let's Encrypt Local Servers and Devices 1.1

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
The jail should do that automatically. Installing acme.sh should set up a daily cron job to renew any certs that need it. Though you may want to check the system crontab to confirm that.
 

GJSchaller

Contributor
Joined
Feb 10, 2021
Messages
100
Sure enough, when I ran crontab -e from that jail, the job was there. Thank you again!
 

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,829
Hi guys,
After some work this approach worked amazingly well for me. I am able to pull certificates not only on an individual basis but also wildcard certs.

However, I cannot deploy them on the TrueNAS (13.1u4). I get the following error message that I don't quite know what to do with when I use "bash truenas.sh" to run the pull and deploy a certificate script:

root@letsencrypt:~ # /root/.acme.sh/acme.sh --install-cert -d [redacted FQDN] --reloadcmd "/root/deploy-freenas/deploy_freenas.py"
[Thu Mar 16 23:00:35 EDT 2023] The domain '[redacted FQDN]' seems to have a ECC cert already, lets use ecc cert.
[Thu Mar 16 23:00:35 EDT 2023] Run reload cmd: /root/deploy-freenas/deploy_freenas.py
Traceback (most recent call last):
File "/root/deploy-freenas/deploy_freenas.py", line 22, in <module>
import requests
ModuleNotFoundError: No module named 'requests'
[Thu Mar 16 23:00:35 EDT 2023] Reload error for :
root@letsencrypt:~ #

What should I try next?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Whatever environment you're running the deploy script in must have the Python requests module available. It's installed by default in TrueNAS itself, but not in a jail. Based on https://github.com/danb35/deploy-freenas/issues/47, it looks like pkg install py38-requests should do the trick.
 

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,829
Because there is an ECC certificate already on hand, the other scripts apparently renamed the directory in question to be "[redacted FQDN]_ecc". Hence, the script fails.

[Fri Mar 17 17:23:38 EDT 2023] Your cert is in: /config/[redacted FQDN]_ecc/[redacted FQDN].cer
[Fri Mar 17 17:23:38 EDT 2023] Your cert key is in: /config/[redacted FQDN]_ecc/[redacted FQDN].key
[Fri Mar 17 17:23:38 EDT 2023] The intermediate CA cert is in: /config/[redacted FQDN]_ecc/ca.cer
[Fri Mar 17 17:23:38 EDT 2023] And the full chain certs is there: /config/[redacted FQDN]_ecc/fullchain.cer
[Fri Mar 17 17:23:38 EDT 2023] Run reload cmd: /root/deploy-freenas/deploy_freenas.py --config /truenas/[redacted FQDN].conf
Traceback (most recent call last):
File "/root/deploy-freenas/deploy_freenas.py", line 84, in <module>
with open(PRIVATEKEY_PATH, 'r') as file:
FileNotFoundError: [Errno 2] No such file or directory: '/config/[redacted FQDN]/[redacted FQDN].key'
[Fri Mar 17 17:23:38 EDT 2023] Reload error for :
root@letsencrypt:/truenas #

I wonder if the deployment script could look for a _ecc instance of the FQDN directory before looking for the other one?

I can set the priv key path to point to the [FQDN]_ecc instance, but long term, a switch would likely be better?
 

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,829
OK, fixed the _ecc reference in the deploy_config file, now ran into a new problem that may be a function of python 3.9 vs. 3.8? Or is connection refused something unrelated to the version of python?

root@letsencrypt:~/deploy-freenas # /root/.acme.sh/acme.sh --install-cert -d [redacted FQDN] --reloadcmd "/root/deploy-freenas/deploy_freenas.py"
[Fri Mar 17 18:16:59 EDT 2023] The domain '[redacted FQDN]' seems to have a ECC cert already, lets use ecc cert.
[Fri Mar 17 18:16:59 EDT 2023] Run reload cmd: /root/deploy-freenas/deploy_freenas.py
Traceback (most recent call last):
File "/usr/local/lib/python3.9/site-packages/urllib3/connection.py", line 174, in _new_conn
conn = connection.create_connection(
File "/usr/local/lib/python3.9/site-packages/urllib3/util/connection.py", line 95, in create_connection
raise err
File "/usr/local/lib/python3.9/site-packages/urllib3/util/connection.py", line 85, in create_connection
sock.connect(sa)
ConnectionRefusedError: [Errno 61] Connection refused

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/local/lib/python3.9/site-packages/urllib3/connectionpool.py", line 703, in urlopen
httplib_response = self._make_request(
File "/usr/local/lib/python3.9/site-packages/urllib3/connectionpool.py", line 398, in _make_request
conn.request(method, url, **httplib_request_kw)
File "/usr/local/lib/python3.9/site-packages/urllib3/connection.py", line 239, in request
super(HTTPConnection, self).request(method, url, body=body, headers=headers)
File "/usr/local/lib/python3.9/http/client.py", line 1285, in request
self._send_request(method, url, body, headers, encode_chunked)
File "/usr/local/lib/python3.9/http/client.py", line 1331, in _send_request
self.endheaders(body, encode_chunked=encode_chunked)
File "/usr/local/lib/python3.9/http/client.py", line 1280, in endheaders
self._send_output(message_body, encode_chunked=encode_chunked)
File "/usr/local/lib/python3.9/http/client.py", line 1040, in _send_output
self.send(msg)
File "/usr/local/lib/python3.9/http/client.py", line 980, in send
self.connect()
File "/usr/local/lib/python3.9/site-packages/urllib3/connection.py", line 205, in connect
conn = self._new_conn()
File "/usr/local/lib/python3.9/site-packages/urllib3/connection.py", line 186, in _new_conn
raise NewConnectionError(
urllib3.exceptions.NewConnectionError: <urllib3.connection.HTTPConnection object at 0x8026083d0>: Failed to establish a new connection: [Errno 61] Connection refused

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/local/lib/python3.9/site-packages/requests/adapters.py", line 489, in send
resp = conn.urlopen(
File "/usr/local/lib/python3.9/site-packages/urllib3/connectionpool.py", line 787, in urlopen
retries = retries.increment(
File "/usr/local/lib/python3.9/site-packages/urllib3/util/retry.py", line 592, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPConnectionPool(host='localhost', port=80): Max retries exceeded with url: /api/v2.0/certificate/ (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x8026083d0>: Failed to establish a new connection: [Errno 61] Connection refused'))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/root/deploy-freenas/deploy_freenas.py", line 93, in <module>
r = session.post(
File "/usr/local/lib/python3.9/site-packages/requests/sessions.py", line 635, in post
return self.request("POST", url, data=data, json=json, **kwargs)
File "/usr/local/lib/python3.9/site-packages/requests/sessions.py", line 587, in request
resp = self.send(prep, **send_kwargs)
File "/usr/local/lib/python3.9/site-packages/requests/sessions.py", line 701, in send
r = adapter.send(request, **kwargs)
File "/usr/local/lib/python3.9/site-packages/requests/adapters.py", line 565, in send
raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPConnectionPool(host='localhost', port=80): Max retries exceeded with url: /api/v2.0/certificate/ (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x8026083d0>: Failed to establish a new connection: [Errno 61] Connection refused'))
[Fri Mar 17 18:17:00 EDT 2023] Reload error for :
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Or is connection refused something unrelated to the version python?
I wouldn't expect it to be related to the python version. You're sure you've entered the right IP or hostname and port in deploy_config?
 

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,829
That's what I hoped too (it's not python), here is my config file. I didn't spec an IP or port.

[deploy]
api_key = [redacted API key]

# Configuration file for deploy_freenas.py

# Choose one of the following authentication methods, "api_key" or "password" (comment out the other one).
# Auth via API keys is highly recommended, but is only available from TrueNAS (Core) 12.0 up.
# You can generate a new API key in the web interface under "Settings" (upper right) > "API Keys".
# api_key = YourNewlyGeneratedAPIKey#@#$*
# If you are on FreeNAS 11 or lower, set this to your FreeNAS root password
# password = YourSuperSecurePassword#@#$*

# Everything below here is optional

# cert_fqdn specifies the FQDN used for your certificate. Default is your system hostname
# cert_fqdn = foo.bar.baz

# connect_host specifies the hostname the script should attempt to connect to, to deploy the cert.
# Default is localhost (assuming the script is running on your FreeNAS box)
# connect_host = baz.bar.foo

# verify sets whether the script will attempt to verify the server's certificate with a HTTPS
# connection. Set to true if you're using a HTTPS connection to a remote host.If connect_host
# is set to localhost (or is unset), set to false. Default is false.
# verify = false

# privkey_path is the path to the certificate private key on your system. Default
# assumes you're using acme.sh:
# /root/.acme.sh/cert_fqdn/cert_fqdn.key
privkey_path = /config/[FQDN]_ecc/[FQDN].key

# fullchain_path is the path to the full chain (leaf cert + intermediate certs)
# on your system. Default assumes you're using acme.sh:
# /root/.acme.sh/cert_fqdn/fullchain.cer
fullchain_path = /config/[FQDN]_ecc/fullchain.cer

# protocol sets the connection protocol, http or https. Include '://' at the end.
# Default is http
# protocol = https://

# port sets the port to use to connect. Default is 80. If protocol is https,
# this MUST be set to your https port.
# port = 443

# set ui_certificate_enabled to false if you want to skip using the new cerificate for the UI. Default is true.
# ui_certificate_enabled = false

# set s3_enabled to true if you have the S3 service enabled on your FreeNAS. Default is false.
# s3_enabled = true

# set ftp_enabled to true if you have the FTP service enabled on your FreeNAS. Default is false.
# ftp_enabled = true

# set webdav_enabled to true if you have the WEBDAV service enabled on your FreeNAS. Default is false.
# webdav_enabled = true

# set apps_enabled to true if you want to update your TrueNAS SCALE chart applications to use the new certificate. Default is false.
# apps_enabled = true

# only update TrueNAS SCALE chart applications where the san of the current andthe new cert matches. Default is false.
#apps_only_matching_san = true

# Certificates will be given a name with a timestamp, by default it will be
# letsencrypt-yyyy-mm-dd-hhmmss. You can change the first part if you like.
# cert_base_name = something_else
 
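Two things go wrong in the posts above: the deploy script looks for the key under `<fqdn>/` while acme.sh put it under `<fqdn>_ecc/`, and the script connects to `localhost:80` because `connect_host`, `protocol` and `port` were left at their defaults, which only makes sense when the script runs on the TrueNAS host itself rather than in a jail. The pre-flight script below is an added example, not part of deploy-freenas or of any post in this thread: it parses a `[deploy]` section in the same format as the config above, resolves the acme.sh certificate directory preferring the `_ecc` variant, flags the inconsistent protocol/port/verify/host combinations the config comments describe, and tests TCP reachability of the target before any API call is attempted. The sample configs, hostnames and the `EXAMPLE-API-KEY-PLACEHOLDER` value are constructed for the example; the `exists` parameter is an assumption of this example, added so path resolution can be exercised without real files.

```python
"""Pre-flight checks for a deploy_freenas.py-style [deploy] config (added example)."""
import configparser
import os
import socket
from pathlib import PurePosixPath

# Constructed config: remote TrueNAS host reached over HTTPS with verification.
SAMPLE_CONFIG = """
[deploy]
api_key = EXAMPLE-API-KEY-PLACEHOLDER
cert_fqdn = nas.example.internal
connect_host = truenas.example.internal
privkey_path = /config/nas.example.internal_ecc/nas.example.internal.key
fullchain_path = /config/nas.example.internal_ecc/fullchain.cer
protocol = https://
port = 443
verify = true
"""

# Constructed config mirroring the thread: api_key only, everything else at defaults.
JAIL_CONFIG = """
[deploy]
api_key = EXAMPLE-API-KEY-PLACEHOLDER
cert_fqdn = nas.example.internal
privkey_path = /config/nas.example.internal_ecc/nas.example.internal.key
"""


def load_deploy_config(text):
    """Parse the [deploy] section from config text (same format as deploy_config)."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return parser["deploy"]


def resolve_cert_dir(base_dir, fqdn, exists=os.path.exists):
    """Return the acme.sh directory holding <fqdn>.key, preferring <fqdn>_ecc.

    acme.sh stores ECC certificates under '<fqdn>_ecc' and RSA ones under '<fqdn>'.
    `exists` is injectable (hypothetical parameter) so the lookup can be tested
    without touching the real filesystem.
    """
    for name in (fqdn + "_ecc", fqdn):
        candidate = PurePosixPath(base_dir) / name
        if exists(str(candidate / (fqdn + ".key"))):
            return str(candidate)
    return None


def check_config(cfg):
    """Return a list of problems found in the [deploy] section; [] means none."""
    problems = []
    protocol = cfg.get("protocol", "http://")
    host = cfg.get("connect_host", "localhost")
    port = cfg.getint("port", 80)
    verify = cfg.getboolean("verify", False)

    if not (cfg.get("api_key") or cfg.get("password")):
        problems.append("error: neither api_key nor password is set")
    if host == "localhost":
        # The default only works when the script runs on the TrueNAS box itself;
        # inside a jail, localhost is the jail and the connection is refused.
        problems.append("warning: connect_host is localhost; set it if the script "
                        "runs in a jail or on another host")
    if protocol == "https://" and "port" not in cfg:
        problems.append("error: protocol is https:// but port is not set (default 80)")
    if protocol == "http://" and port == 443:
        problems.append("error: port 443 with protocol http://")
    if verify and host == "localhost":
        problems.append("error: verify=true with connect_host=localhost cannot match "
                        "the certificate name")
    if protocol == "https://" and host != "localhost" and not verify:
        problems.append("warning: HTTPS to a remote host with verify=false; the "
                        "API key is sent without checking the server identity")
    return problems


def check_reachable(host, port, timeout=2.0):
    """Open and close a TCP connection; returns (ok, message) without sending data."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "tcp connect to %s:%d succeeded" % (host, port)
    except OSError as exc:
        return False, "tcp connect to %s:%d failed: %s" % (host, port, exc)


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_CONFIG), ("jail-style", JAIL_CONFIG)):
        cfg = load_deploy_config(text)
        print(label, "config:", check_config(cfg) or "no problems found")
        print("  cert dir:", resolve_cert_dir("/config", cfg["cert_fqdn"]))
        print(" ", check_reachable(cfg.get("connect_host", "localhost"),
                                   cfg.getint("port", 80))[1])
```

Run it in the jail where acme.sh lives, pointed at the real deploy_config, before wiring the script into `--reloadcmd`: the `localhost` warning and the reachability line together reproduce the "Connection refused" failure from the thread in a few milliseconds instead of after a full certificate issuance.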

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,829
Yay! It works! Thank you!!!
 

KevDog

Patron
Joined
Nov 26, 2016
Messages
462
I'm right to assume the combination of acme or similar program and danb's script can be run from any type of host that has python 3.8 installed and with the freenas host accessible?
 

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,829
I'm going to explore pulling a cert and deploying to UniFi cloudkey next. But not tonight. A bit lightheaded via Xylene use indoors (repainted both dishwasher racks).
 

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,829
Pihole lighttp now secure too. Ran into a nasty issue with cloudflare / mod open ssl / etc on pihole #2 that took hours to resolve
 