Let's Encrypt Local Servers and Devices

Let's Encrypt Local Servers and Devices 1.1

Joined
Jan 4, 2014
Messages
1,644
Basil Hendroff submitted a new resource:

Let's Encrypt Local Servers and Devices - A Let's Encrypt toolbox for issuing and renewing certificates for internal servers and devices.

When accessing internal servers and devices, are you tired of seeing warning messages from your browser informing you that 'Your connection is not secure'? Want to set up secure communication for supported systems?

This scripted resource builds a Let's Encrypt toolbox in a jail including acme.sh, an LE client, and an eclectic collection of useful tools for centrally managing LE certificates for a variety of systems. The following systems are currently supported:
  1. FreeNAS/TrueNAS...

Read more about this resource...
 

KevDog

Patron
Joined
Nov 26, 2016
Messages
462
Wow a lot of work. I'm sorry, what does this script actually do? I was a little confused what this jail actually does. Sorry about the dumb question.
 
Joined
Jan 4, 2014
Messages
1,644
what does this script actually do?

Good question! First a bit of background.
  1. Let's Encrypt (LE) is a non-profit Certificate Authority (CA) that, since about April 2016, has been providing, at no charge, digital certificates needed in order to enable HTTPS (SSL/TLS) for websites. Prior to that time, obtaining a certificate for HTTPS meant spending a fair sum of money through a trusted CA to gain the ability to encrypt traffic for your website. The catch - LE certificates are only valid for 90 days.

  2. The availability of free certificates appears to have emboldened major browser developers in more recent times. Major web browsers - Mozilla Firefox, Microsoft Edge, Apple Safari, Google Chrome - are now providing more aggressive warnings about insecure sites.

  3. There are a whole bunch of resources (such as LE clients and Caddy Server), that make it straightforward to automatically renew LE certificates for publicly available webservers. However, it's quite a different story trying to find resources for issuing LE certificates for internal, non-internet facing servers and devices. @danb35 spearheaded an initiative early in 2018 to deploy LE certs to FreeNAS servers using acme.sh, an LE client, together with deploy_freenas.py, a python script that can write to FreeNAS middleware. Refer to the community resource Let's Encrypt with FreeNAS 11.1 and later for more information. In more recent times, this has been expanded to cover TrueNAS servers as well and includes some you beaut' features like, removing defunct LE certs from servers and enabling centralised cert deployment through the use of a /config switch.
So, armed with this background, the following should now make more sense.

The script creates a jail designed to meet these key objectives:
  1. Facilitate the centralised deployment of LE certificates to several groups of internal systems;
  2. Automate the issue and renewal of certificates for those systems (the script installs an acme.sh server in the jail to handle this).
  3. Best practice is to decouple a jail from its data. The script sets up the structures to store certificates and other data files outside the jail.
From a visual perspective (Mozilla Firefox is used in the examples below. Click an image to zoom in):

Server/Device: This resource turns this... -> Into this...
FreeNAS/TrueNAS: screenshot.902.png -> screenshot.907.png
HP iLO: screenshot.903.png -> screenshot.904.png
FRITZ!Box: screenshot.905.png -> screenshot.906.png
 

KevDog

Patron
Joined
Nov 26, 2016
Messages
462
Ok with that explanation I totally get what your jail accomplishes. I wasn't aware that from inside a jail you could install LE certs on the host, I guess I learn something every day. I can't really complain about the state of things because I contribute zilch to the code, however it honestly struck me as quite odd that FreeNAS possessed a mechanism to obtain/renew LE certs using AWS DNS challenge, however they didn't support any other DNS providers. In fact I thought their entire SSL certificate mechanism implementation was kind of wonky. I really appreciated @danb35's script (I personally continue to use it), however in my humble opinion this LE certificate management capability should be incorporated into the main system. I also use pfSense as my router and their "built-in" ACME client couples really well with their HA-reverse proxy implementation. It's unclear to me why FreeNAS/TrueNAS couldn't incorporate something similar.

From what I know of the TrueNAS Scale project, I'm aware this project is attempting to support containerization heavily with K8s built in. It would seem somehow they could couple this "containerization idea" with a reverse proxy like traefik, since routing to various containers can be dynamically controlled by the containers themselves and not set a priori within a static reverse proxy configuration file, which would require reloading of the reverse proxy configuration file every time a new backend service was created or destroyed. Traefik is written in Go, similar to Caddy, and both automatically handle LE certificate management, which is really great. I'm not totally familiar with Caddy since this is the reverse proxy I've used the least, but I don't believe it can do dynamic routing and load balancing to a cluster of containers whose numbers and availability may change.
 
Joined
Jan 4, 2014
Messages
1,644
it honestly struck me as quite odd that FreeNAS possessed a mechanism to obtain/renew LE certs using AWS DNS challenge, however they didn't support any other DNS providers
I agree. It's one of the top 10 voted-for requests in JIRA (ticket #NAS-104912). It's garnered a lot of support, but there appears to be next to no movement on it.

Anyway (shameless plug!), this resource, through acme.sh DNS API Integration, extends the number of supported DNS providers to almost 130. In addition, if your DNS Provider is not currently supported, it's possible to roll your own custom API.

screenshot.910.png
 

KevDog

Patron
Joined
Nov 26, 2016
Messages
462
Nice work -- holy crap. That's a lot -- no shameless plug there.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,458
this LE certificate management capability should be incorporated into the main system.
Well, it is, but (as yet) only for one DNS provider--though now that they've rolled out TrueNAS on AWS, I see why they chose that one. They've made a separate ticket (I don't know why), that looks like they might at least add Cloudflare:

There is a bit of a UI problem, though--pretty much every DNS host is going to require different credentials. That means that the form needs to change for every provider, which sounds like a lot of hard-coding. I wouldn't think (not that my opinion means anything) this means it's impossible, just tedious.
 
Joined
Jan 4, 2014
Messages
1,644
If you've set up this resource pre-TrueNAS 12.0-U3, the deploy_freenas portion of it will have to be updated to work with TrueNAS 12.0-U3 and later. From a terminal session, enter the jail iocage console letsencrypt and execute the following commands:
Code:
cd /root
mv deploy-freenas deploy-freenas-old
git clone https://github.com/danb35/deploy-freenas


Reference: Let's Encrypt with FreeNAS 11.1 and later, post #158
 
Joined
Jan 4, 2014
Messages
1,644
Basil Hendroff updated Let's Encrypt Local Servers and Devices with a new update entry:

Python 3.8

Python 3.8 is now the required minimum version.

To upgrade an existing jail, run the following commands within the jail:

Code:
pkg upgrade
pkg install py38-pip py38-requests
pkg remove py37-setuptools python37

# Upgrade to the latest release of deploy-freenas
cd /root && rm -r deploy-freenas && git clone https://github.com/danb35/deploy-freenas

# Upgrade python-hpilo to v4.4.3
pip install python-hpilo

# Upgrade to acme.sh v3.0.1 and set up auto-upgrade
acme.sh --upgrade
acme.sh...

Read the rest of this update entry...
 

GardG

Cadet
Joined
Dec 5, 2020
Messages
9
I've installed this and successfully installed a certificate for the iLO interface on my HPE server, but I can't get it to work for TrueNAS. This is what I get:

Code:
General configuration...

/truenas/truenas.cfg: line 1: API_KEY: command not found
/truenas/truenas.cfg: line 2: HOSTNAME: command not found
/truenas/truenas.cfg: line 3: DOMAIN: command not found
/truenas/truenas.cfg: line 4: DNSAPI: command not found

Input/Config Sanity checks...

Configuration error: HOSTNAME must be set


my truenas.cfg is simple enough …

Code:
API_KEY = "1-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
HOSTNAME = "nas"
DOMAIN = "lan.glod.studio"
DNSAPI = "dns_domeneshop"


I've had a quick peek at the script, but I can't immediately spot any obvious issues.

What's this about?
 

GJSchaller

Contributor
Joined
Feb 10, 2021
Messages
100
Hello, I am attempting Basil's script on my TrueNAS 13.0 system. I was able to install the Jail without issue, but when I run truenas.sh, I get an error. I'll post my config first, then the output it produces:

Code:
# Authentication API_KEY (TrueNAS) or PASSWORD (FreeNAS). To generate an API token, refer to https://www.truenas.com/docs/hub/additional-topics/api/#creating-api-keys.
# PASSWORD = ""
API_KEY="(Redacted)"

# The FreeNAS/TrueNAS FQDN is HOSTNAME.DOMAIN e.g. truenas.mydomain.com
HOSTNAME="truenas"
DOMAIN="aiskon.net"

# Set to 1 for testing. This will use the LE staging server to avoid hitting LE rate limits. Remove or set to 0 (default) to deploy a valid cert.
STAGING = 1

# Set to a valid DNS Provider (default is Cloudflare). More information on supported providers at https://github.com/acmesh-official/acme.sh/wiki/dnsapi.
DNSAPI="dns_namecheap"
setenv NAMECHEAP_USERNAME "GJSchaller"
setenv NAMECHEAP_API_KEY "(Redacted)"
setenv NAMECHEAP_SOURCEIP "https://ifconfig.co/ip"


The error, when running bash ./truenas.sh from within the jail:

Code:
root@letsencrypt:/truenas # bash ./truenas.sh

General configuration...

/truenas/truenas.cfg: line 10: STAGING: command not found
/truenas/truenas.cfg: line 14: setenv: command not found
/truenas/truenas.cfg: line 15: setenv: command not found
/truenas/truenas.cfg: line 16: setenv: command not found

Input/Config Sanity checks...


DNS resolver check...

curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Writing TrueNAS/FreeNAS config file...

Generating and importing the certificate...

[Sun Jun 19 20:36:39 EDT 2022] Using CA: https://acme.zerossl.com/v2/DV90
[Sun Jun 19 20:36:39 EDT 2022] No EAB credentials found for ZeroSSL, let's get one
[Sun Jun 19 20:36:39 EDT 2022] acme.sh is using ZeroSSL as default CA now.
[Sun Jun 19 20:36:39 EDT 2022] Please update your account with an email addressfirst.
[Sun Jun 19 20:36:39 EDT 2022] acme.sh --register-account -m my@example.com
[Sun Jun 19 20:36:39 EDT 2022] See: https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA
[Sun Jun 19 20:36:39 EDT 2022] Please add '--debug' or '--log' to check more details.
[Sun Jun 19 20:36:39 EDT 2022] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh


Any help or guidance would be appreciated. I suspect I'm missing something simple, but I'm not sure what!
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,458
/truenas/truenas.cfg: line 10: STAGING: command not found
This is the same problem I mentioned in the post above yours--remove the spaces (i.e., set STAGING=1, not STAGING = 1). There appears to be an error in the sample config file in this regard; bash won't assign the variable if you have spaces there.
/truenas/truenas.cfg: line 14: setenv: command not found
I'd think you need to replace those lines with, e.g., NAMECHEAP_USERNAME="GJSchaller".
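Both errors in this thread ("API_KEY: command not found", "setenv: command not found") come from bash sourcing a config file that isn't valid bash: a line written as `NAME = value` is parsed as a command named NAME, and `setenv` is csh syntax that bash doesn't have. The following is an added example, not part of the resource or of truenas.sh: a small pre-flight linter that reads a truenas.cfg-style file line by line and reports those two mistakes before the file is sourced, then sources a clean file and confirms HOSTNAME and DOMAIN are set. The file names, variable names and credential values in the two sample configs are constructed for the example.

```shell
#!/bin/sh
# Added example, not the resource's own code: lint a KEY="value" config file of the
# kind truenas.sh sources with bash, catching the two mistakes seen in the thread:
#   STAGING = 1             -> bash runs a command named STAGING ("command not found")
#   setenv NAME "value"     -> csh syntax; bash has no setenv builtin
# All file names and sample values below are constructed for this example.

# check_cfg FILE: print one diagnostic per bad line; return 1 if any were found.
check_cfg() {
    _file=$1
    _n=0
    _bad=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        _n=$((_n + 1))
        case "$_line" in
            ''|'#'*)
                continue ;;                        # blank line or comment
            'setenv '*)
                _rest=${_line#setenv }
                _name=${_rest%% *}                 # first word after setenv
                _value=${_rest#"$_name" }          # the remainder, if any
                [ "$_value" = "$_rest" ] && _value='""'
                printf '%s: line %d: "setenv" is csh syntax; bash needs: export %s=%s\n' \
                    "$_file" "$_n" "$_name" "$_value"
                _bad=1 ;;
            *=*)
                _key=${_line%%=*}                  # text before the first "="
                _value=${_line#*=}                 # text after it
                # A trailing space on the key or a leading space on the value means
                # bash will not treat the line as an assignment at all.
                if [ "${_key% }" != "$_key" ] || [ "${_value# }" != "$_value" ]; then
                    printf '%s: line %d: spaces around "="; bash will not assign %s\n' \
                        "$_file" "$_n" "${_key%% *}"
                    _bad=1
                fi ;;
        esac
    done < "$_file"
    return "$_bad"
}

# load_cfg FILE: refuse to source a file that fails check_cfg; otherwise source it
# and confirm the two variables truenas.sh cannot do without. Prints the FQDN.
# Note: sourcing executes the file as shell code, so the linter is a sanity check,
# not a security boundary; the config file should only be writable by root.
load_cfg() {
    check_cfg "$1" || return 1
    HOSTNAME='' DOMAIN=''                          # bash pre-sets HOSTNAME; clear it
    . "$1"
    if [ -z "$HOSTNAME" ] || [ -z "$DOMAIN" ]; then
        echo "Configuration error: HOSTNAME and DOMAIN must be set" >&2
        return 1
    fi
    printf '%s.%s\n' "$HOSTNAME" "$DOMAIN"
}

# Constructed sample configs mirroring the thread (credentials are made up).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
BAD_CFG=$SAMPLE_DIR/truenas-bad.cfg
GOOD_CFG=$SAMPLE_DIR/truenas-good.cfg
cat > "$BAD_CFG" <<'EOF'
# PASSWORD = ""
API_KEY="1-EXAMPLEKEY"
HOSTNAME = "nas"
DOMAIN="example.lan"
STAGING = 1
DNSAPI="dns_namecheap"
setenv NAMECHEAP_USERNAME "someuser"
EOF
cat > "$GOOD_CFG" <<'EOF'
API_KEY="1-EXAMPLEKEY"
HOSTNAME="nas"
DOMAIN="example.lan"
STAGING=1
DNSAPI="dns_namecheap"
export NAMECHEAP_USERNAME="someuser"
EOF

echo "--- $BAD_CFG"
check_cfg "$BAD_CFG" || echo "fix the lines above before running truenas.sh"
echo "--- $GOOD_CFG"
load_cfg "$GOOD_CFG"                               # prints nas.example.lan
```

Run it as `sh check_cfg.sh` inside the jail; the bad sample produces three diagnostics (lines 3, 5 and 7), the good one sources cleanly. Adjusting `load_cfg` to check the other names a given script needs (API_KEY, DNSAPI) is a one-line change.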
 

GJSchaller

Contributor
Joined
Feb 10, 2021
Messages
100
Thank you - I'd missed that one after getting all the others, there's always one that gets away...

I had to make some other tweaks, here's the working truenas.cfg that worked with Namecheap:

Code:
# Authentication API_KEY (TrueNAS) or PASSWORD (FreeNAS). To generate an API token, refer to https://www.truenas.com/docs/hub/additional-topics/api/#creating-api-keys.
# PASSWORD = ""
API_KEY="Redacted"

# The FreeNAS/TrueNAS FQDN is HOSTNAME.DOMAIN e.g. truenas.mydomain.com
HOSTNAME="truenas"
DOMAIN="aiskon.net"

# Set to 1 for testing. This will use the LE staging server to avoid hitting LE rate limits. Remove or set to 0 (default) to deploy a valid cert.
STAGING=1

# Set to a valid DNS Provider (default is Cloudflare). More information on supported providers at https://github.com/acmesh-official/acme.sh/wiki/dnsapi.
DNSAPI="dns_namecheap"
export NAMECHEAP_USERNAME="GJSchaller"
export NAMECHEAP_API_KEY="Redacted"
export NAMECHEAP_SOURCEIP="https://ifconfig.co/ip"
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,458

GJSchaller

Contributor
Joined
Feb 10, 2021
Messages
100
Next challenge - when Staging is set to 1, it works without an issue, and deploys the staging cert to my TrueNAS. When Staging is set to 0, however, I get the following error / output:

Code:
Writing TrueNAS/FreeNAS config file...

Generating and importing the certificate...

[Sun Jun 19 21:26:37 EDT 2022] Using CA: https://acme.zerossl.com/v2/DV90
[Sun Jun 19 21:26:38 EDT 2022] No EAB credentials found for ZeroSSL, let's get one
[Sun Jun 19 21:26:38 EDT 2022] acme.sh is using ZeroSSL as default CA now.
[Sun Jun 19 21:26:38 EDT 2022] Please update your account with an email addressfirst.
[Sun Jun 19 21:26:38 EDT 2022] acme.sh --register-account -m my@example.com
[Sun Jun 19 21:26:38 EDT 2022] See: https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA
[Sun Jun 19 21:26:38 EDT 2022] Please add '--debug' or '--log' to check more details.
[Sun Jun 19 21:26:38 EDT 2022] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,458
You'll need to set the default CA to Let's Encrypt:
 

GJSchaller

Contributor
Joined
Feb 10, 2021
Messages
100
Once again, thank you! Cert is installed and working now!

Will I need to refresh it manually, or set up a CRON job to do it, or does the jail automatically do that on a scheduled basis?
 