Let's Encrypt (now with DNS verification)

Status
Not open for further replies.

stitch

Dabbler
Joined
Jan 7, 2017
Messages
24
Howdy FreeNAS folks!

I'd like to ask if the acme.sh script could be integrated into FreeNAS for simple setup and refreshing of Let's Encrypt certificates?

https://github.com/Neilpang/acme.sh

The script allows you to keep your NAS well away from facing the internet and uses DNS verification to validate that you requested the certificate. It works with a variety of cloud providers' DNS APIs out of the box. It would just require slapping a GUI on it and running a CRON job to refresh it every 60 days.

The script supports FreeBSD out of the box.

Cheers!

garm

Wizard
Joined
Aug 19, 2017
Messages
1,556
Please create a feature request out of this, would save me a Tuesday evening every 90 days!!

tmueko

Explorer
Joined
Jun 5, 2012
Messages
82
Why don't you just download it into somewhere on your zpool?

cd /mnt/POOL/DATASTORE/...
git clone https://github.com/Neilpang/acme.sh
./acme.sh/acme.sh -h

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
https://forums.freenas.org/index.php?resources/lets-encrypt-with-freenas-11-1-and-later.82/

Edit: This doesn't, of course, do anything about getting LE support into the FreeNAS GUI, but it does at least address @garm's concern about needing to manually renew every few months.

The problem that I see with including it in the GUI (and I've mentioned this in a few threads now) is one of consistency. Many (most?) DNS hosts don't have a public API at all. Of those that do, only a (relatively) few are supported by acme.sh. Of those, the credentials required are all different--between those three issues, coming up with an implementation that would be broadly applicable, and still easy to use*, seems like it would be tricky. An additional problem is that, in almost all cases, the API credentials are far too powerful; if an attacker were able to compromise them, he'd have full control over your entire domain's DNS (even the ability to steal your domain).

If iX were willing to host their own acme-dns instance, though, that could accomplish something. It would still require one, one-time manual DNS adjustment by the user (set up a CNAME from _acme-challenge.freenas.yourdomain.tld to something like e09eabd6-5ff6-480e-8b60-340484c5f67c.auth.ixsystems.com), and it would expose users to a risk of misissuance (for that FQDN only) if iX were either to be compromised or go rogue, but it would be something that could be standardized in the FreeNAS install, and the infrastructure demands on iX shouldn't be excessive.

* I guess a solution that would cover all the supported DNS hosts, but not be easy to use, would be to just have a text box where the user enters the appropriate credentials in the format acme.sh expects, like:
Code:
CF_Key="fairugrewiervhq4985ghaperv"
CF_Email="me@example.com"
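As an added illustration of the trade-off danb35 describes (not code from this thread, acme.sh, or iXsystems), the following Python script models the DNS-01 flow with the one-time CNAME delegation: the CA's lookup of `_acme-challenge.freenas.yourdomain.tld` follows the CNAME to the acme-dns name, and the only credential the NAS has to store can write a TXT record at that one name. The zone contents, the token and the thumbprint are constructed placeholders; the acme-dns host name is the hypothetical one from the post above; the TXT value derivation (base64url of SHA-256 over the key authorization) is the one RFC 8555 section 8.4 specifies.

```python
import base64
import hashlib

# Constructed names for this example. The acme-dns host is the hypothetical one
# proposed in the post above; it is not a real service.
USER_FQDN = "freenas.yourdomain.tld"
ACME_DNS_NAME = "e09eabd6-5ff6-480e-8b60-340484c5f67c.auth.ixsystems.com"


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def dns01_txt_value(token: str, jwk_thumbprint: str) -> str:
    """RFC 8555 section 8.4: the CA expects a TXT record containing
    base64url(SHA-256(token "." base64url(JWK thumbprint)))."""
    key_authorization = f"{token}.{jwk_thumbprint}".encode("ascii")
    return b64url(hashlib.sha256(key_authorization).digest())


def make_zones() -> dict:
    """Constructed zone data. The user's zone already carries the one-time CNAME
    from the post; the acme-dns zone starts with an empty TXT RRset."""
    return {
        "yourdomain.tld": {
            USER_FQDN: {"A": ["192.0.2.10"]},
            f"_acme-challenge.{USER_FQDN}": {"CNAME": [ACME_DNS_NAME]},
        },
        "auth.ixsystems.com": {
            ACME_DNS_NAME: {"TXT": []},
        },
    }


def zone_apex(zones: dict, name: str):
    """Longest zone apex that is a suffix of name, or None if unknown."""
    best = None
    for apex in zones:
        if name == apex or name.endswith("." + apex):
            if best is None or len(apex) > len(best):
                best = apex
    return best


class RegistrarApiCredential:
    """What the usual dns_* API hook holds: write access to the entire zone."""
    def __init__(self, apex: str):
        self.apex = apex

    def may_write(self, name: str, rrtype: str) -> bool:
        return name == self.apex or name.endswith("." + self.apex)


class AcmeDnsCredential:
    """What the acme-dns model leaves on the NAS: one TXT record at one name."""
    def __init__(self, subdomain: str):
        self.subdomain = subdomain

    def may_write(self, name: str, rrtype: str) -> bool:
        return name == self.subdomain and rrtype == "TXT"


def update_record(zones: dict, cred, name: str, rrtype: str, values) -> None:
    """Apply a record change only if the credential is scoped to permit it."""
    if not cred.may_write(name, rrtype):
        raise PermissionError(f"{type(cred).__name__} may not write {rrtype} {name}")
    apex = zone_apex(zones, name)
    if apex is None:
        raise KeyError(name)
    zones[apex].setdefault(name, {})[rrtype] = list(values)


def resolve_txt(zones: dict, name: str, max_chain: int = 8):
    """Follow CNAMEs the way a resolver does; return (final_name, txt_values)."""
    for _ in range(max_chain):
        apex = zone_apex(zones, name)
        rrsets = zones.get(apex, {}).get(name, {}) if apex else {}
        if "CNAME" in rrsets:
            name = rrsets["CNAME"][0]
            continue
        return name, list(rrsets.get("TXT", []))
    raise RuntimeError("CNAME chain too long")


def validate_dns01(zones: dict, fqdn: str, token: str, thumbprint: str) -> bool:
    """The CA side of DNS-01: look up _acme-challenge.<fqdn>, CNAMEs included."""
    _, txts = resolve_txt(zones, f"_acme-challenge.{fqdn}")
    return dns01_txt_value(token, thumbprint) in txts


def blast_radius(zones: dict, cred) -> list:
    """Names the credential could alter: the concern raised about API keys."""
    return sorted(name for apex in zones for name in zones[apex]
                  if cred.may_write(name, "TXT"))


if __name__ == "__main__":
    zones = make_zones()
    token, thumb = "constructed-token", "constructed-thumbprint"  # placeholders
    acme_dns = AcmeDnsCredential(ACME_DNS_NAME)
    update_record(zones, acme_dns, ACME_DNS_NAME, "TXT",
                  [dns01_txt_value(token, thumb)])
    print("validated:", validate_dns01(zones, USER_FQDN, token, thumb))
    print("acme-dns credential can touch:", blast_radius(zones, acme_dns))
    print("registrar credential can touch:",
          blast_radius(zones, RegistrarApiCredential("yourdomain.tld")))
```

The point of `blast_radius` is the comparison: a leaked registrar API key can rewrite every record in the zone, while a leaked acme-dns credential can only change the challenge TXT for that one name, which is exactly the "misissuance for that FQDN only" exposure the post describes.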

seedz

Dabbler
Joined
May 2, 2018
Messages
39