
Let's Encrypt with FreeNAS 11.1 and later 0.3

revengineer (Contributor, joined Oct 27, 2019, 193 messages)
> No need to re-issue the cert; you can do acme.sh --install-cert -d <your_fqdn> --reloadcmd /path/to/deploy_freenas.py. It will still pick up and save the reload command in your configuration, and run it next time it renews the cert.
Great, thank you so much.
 

usafmaverick (Cadet, joined Mar 8, 2022, 2 messages)
@danb35, having some issues with the reload cmd. I was following your guide and able to execute the acme.sh script to obtain my LetsEncrypt certs without any issues. When I try to run '.acme.sh/acme.sh --install-cert -d myfqn.tld --reload-cmd "/root/deploy-freenas/deploy_freenas.py" ' I get an error of 401 Unauthorized. I have tried playing with the chmod settings for both the certificates and the deploy_freenas.py script, but nothing seems to get me past it. Any advice?
 

danb35 (Hall of Famer, joined Aug 16, 2011, 15,504 messages)
The 401 status usually means you have no, or an incorrect, root password or API key (the latter being preferred) in your config file.
 

usafmaverick (Cadet, joined Mar 8, 2022, 2 messages)
> The 401 status usually means you have no, or an incorrect, root password or API key (the latter being preferred) in your config file.
Firstly, thank you for the quick reply. Secondly, you were absolutely right. I finally looked at the deploy_config.example file and realized that you don't put the API key for TrueNAS 12 under the password variable. I followed your code block on the instructional and must have glanced over the api_key explanation in the following paragraph. Everything worked as expected as soon as I changed that!
 

truenassnoob (Cadet, joined May 8, 2022, 5 messages)
I'm having an issue with deploying the certificate. It looks like it generated fine, but when I run the last command:
Code:
.acme.sh/acme.sh --install-cert -d <my_fqdn> --reloadcmd "/root/deploy-freenas/deploy_freenas.py"


I get the following error:
Code:
FileNotFoundError: [Errno 2] No such file or directory: '/root/.acme.sh/truenas.local/truenas.local.key'
Reload error for : 


What am I doing wrong?
 

danb35 (Hall of Famer, joined Aug 16, 2011, 15,504 messages)
> What am I doing wrong?
Your TrueNAS hostname remains set to the default of truenas.local, and the script (as described in deploy_config.example) uses that hostname to ascertain the default cert and key file paths. Set your FQDN in deploy_config and you should be set.
 

truenassnoob (Cadet, joined May 8, 2022, 5 messages)
> Your TrueNAS hostname remains set to the default of truenas.local, and the script (as described in deploy_config.example) uses that hostname to ascertain the default cert and key file paths. Set your FQDN in deploy_config and you should be set.
This worked perfectly! Thanks!
 

Volkodav (Dabbler, joined Mar 27, 2022, 26 messages)
> Your TrueNAS hostname remains set to the default of truenas.local, and the script (as described in deploy_config.example) uses that hostname to ascertain the default cert and key file paths. Set your FQDN in deploy_config and you should be set.
That helped me too! Thanks
 

tebra (Dabbler, joined Feb 29, 2020, 21 messages)
@danb35 I'm using your instructions and script to deploy a cert from Let's Encrypt to my FQDN 123.duckdns.org
I'm on the latest TrueNAS SCALE.
It is now displayed on Credentials -> Certificates as "SAN: DNS:123.duckdns.org"
If I understand correctly, I need a wildcard *.123.duckdns.org to be used with traefik/ingress
Can you explain how to do that?
 

danb35 (Hall of Famer, joined Aug 16, 2011, 15,504 messages)
> If I understand correctly, I need a wildcard *.123.duckdns.org to be used with traefik/ingress
Not necessarily, but if you're going to use individual subdomains within that domain (e.g., radarr.123.duckdns.org, sonarr.123.duckdns.org, etc.) that's the simplest way to go.
> Can you explain how to do that?
Sure, you just put both names on the cert: -d 123.duckdns.org -d "*.123.duckdns.org".
 

sunnys14 (Cadet, joined May 17, 2023, 1 message)
I am trying to install a Let's Encrypt certificate on TrueNAS Core 13. I have a domain registered with Google Domains and I was able to get the certificate issued using the Google Domains API key and the ACME DNS API script

export GOOGLEDOMAINS_ACCESS_TOKEN="generated-access-token"

But when I try to deploy the certificate using the code:

acme.sh --install-cert -d xxxx.yyyyy.page --reloadcmd "~/deploy-freenas/deploy_freenas.py"

I get the following output and error:

The domain 'xxxx.yyyyy.page' seems to have a ECC cert already, lets use ecc cert.

Run reload cmd: ~/deploy-freenas/deploy_freenas.py
/root/acme.sh: line 5918: /root/deploy-freenas/deploy_freenas.py: Permission denied
Reload error for :

How can I resolve this issue? @danb35
 

danb35 (Hall of Famer, joined Aug 16, 2011, 15,504 messages)
> Run reload cmd: ~/deploy-freenas/deploy_freenas.py
> /root/acme.sh: line 5918: /root/deploy-freenas/deploy_freenas.py: Permission denied
Well, did you download my script to /root/? If not, you'll need to change the path for --reloadcmd to wherever you did download it to. If it is there, is it executable?
 

bmiki75 (Cadet, joined May 26, 2023, 4 messages)
> Not necessarily, but if you're going to use individual subdomains within that domain (e.g., radarr.123.duckdns.org, sonarr.123.duckdns.org, etc.) that's the simplest way to go.
>
> Sure, you just put both names on the cert: -d 123.duckdns.org -d "*.123.duckdns.org".
Hi, I'm a total noob, so excuse me; I have read a lot, but I have the same need and am unable to configure every aspect.
I have followed this blog: https://sysadmin102.com/2022/03/let...h-amce-shell-script-amce-sh-on-truenas-scale/ and I have put mysubdomain in hostname and duckdns.org in domain (FQDN mysubdomain.duckdns.org)

Then installed everything (chmod +x for deploy_freenas.py), used
export DuckDNS_Token="mytoken"
then acme.sh --insecure --issue --dns dns_duckdns -d mydomain.duckdns.org -d "*.mydomain.duckdns.org" and it loops with
[Fri May 26 23:47:20 CEST 2023] You can use '--dnssleep' to disable public dns checks.
[Fri May 26 23:47:20 CEST 2023] See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck
[Fri May 26 23:47:20 CEST 2023] Checking mydomain.duckdns.org for _acme-challenge.leinipertini20.duckdns.org
[Fri May 26 23:47:20 CEST 2023] Not valid yet, let's wait 10 seconds and check next one.
[Fri May 26 23:47:32 CEST 2023] Checking mydomain.duckdns.org for _acme-challenge.mydomain.duckdns.org
[Fri May 26 23:47:32 CEST 2023] Already success, continue next one.
[Fri May 26 23:47:32 CEST 2023] Let's wait 10 seconds and check again.
Before, when I put mysubdomain (let's say truenas) in hostname and mysubdomain.duckdns.org (FQDN truenas.mysubdomain.duckdns.org), I was able to generate the cert
 

bmiki75 (Cadet, joined May 26, 2023, 4 messages)
I have found that I can issue with only one -d but not with both (-d mydomain.duckdns.org -d "*.mydomain.duckdns.org"). I have found that the folders are different from the standard ones, because it looks for the folder truenas (hostname) and not for the folder truenas.mydomain.duckdns.org_ecc that I obtained; I have solved that, but now a lot of errors arise:
acme.sh --install-cert -d truenas.mydomain.duckdns.org --reloadcmd "~/deploy-freenas/deploy_freenas.py"

[Sat May 27 02:32:16 CEST 2023] Run reload cmd: ~/deploy-freenas/deploy_freenas.py
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 169, in _new_conn
conn = connection.create_connection(
File "/usr/lib/python3/dist-packages/urllib3/util/connection.py", line 96, in create_connection
raise err
File "/usr/lib/python3/dist-packages/urllib3/util/connection.py", line 86, in create_connection
sock.connect(sa)
ConnectionRefusedError: [Errno 111] Connection refused

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 699, in urlopen
httplib_response = self._make_request(
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 394, in _make_request
conn.request(method, url, **httplib_request_kw)
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 234, in request
super(HTTPConnection, self).request(method, url, body=body, headers=headers)
File "/usr/lib/python3.9/http/client.py", line 1255, in request
self._send_request(method, url, body, headers, encode_chunked)
File "/usr/lib/python3.9/http/client.py", line 1301, in _send_request
self.endheaders(body, encode_chunked=encode_chunked)
File "/usr/lib/python3.9/http/client.py", line 1250, in endheaders
self._send_output(message_body, encode_chunked=encode_chunked)
File "/usr/lib/python3.9/http/client.py", line 1010, in _send_output
self.send(msg)
File "/usr/lib/python3.9/http/client.py", line 950, in send
self.connect()
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 200, in connect
conn = self._new_conn()
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 181, in _new_conn
raise NewConnectionError(
urllib3.exceptions.NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f490a9ae820>: Failed to establish a new connection: [Errno 111] Connection refused

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 439, in send
resp = conn.urlopen(
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 755, in urlopen
retries = retries.increment(
File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 574, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPConnectionPool(host='localhost', port=80): Max retries exceeded with url: /api/v2.0/certificate/ (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f490a9ae820>: Failed to establish a new connection: [Errno 111] Connection refused'))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/root/deploy-freenas/deploy_freenas.py", line 93, in <module>
r = session.post(
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 590, in post
return self.request('POST', url, data=data, json=json, **kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 542, in request
resp = self.send(prep, **send_kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 655, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 516, in send
raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPConnectionPool(host='localhost', port=80): Max retries exceeded with url: /api/v2.0/certificate/ (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f490a9ae820>: Failed to establish a new connection: [Errno 111] Connection refused'))
[Sat May 27 02:32:16 CEST 2023] Reload error for :
 

danb35 (Hall of Famer, joined Aug 16, 2011, 15,504 messages)
Wow, so much fail there. Just to name a few at mostly random:
  • Cloudflare is completely free for their DNS service, which is all that matters here
  • Their domain registrar, irrelevant as it is to the question of obtaining TLS certs, is also among the least expensive out there for TLDs it supports
  • The obvious reason to not include every DNS API (much as I would prefer that iX have done so) is that iX would have to code a separate form for the credentials for each of them--every one is different, requires different credentials, and has different environment variables for the credentials it uses
  • Despite the title, it doesn't obtain a Let's Encrypt cert (it instead obtains a cert from ZeroSSL)
  • Clone my "certificate"? Really?
  • Despite contributing nothing to the conversation that isn't already in the docs of the relevant software, its author is shamelessly begging for affiliate clicks and donations
> requests.exceptions.ConnectionError: HTTPConnectionPool(host='localhost', port=80): Max retries exceeded with url: /api/v2.0/certificate/ (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f490a9ae820>: Failed to establish a new connection: [Errno 111] Connection refused'))
You've set connect_host, port, and/or protocol incorrectly.
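Every failure reported in this thread shows up the same way, as "Reload error for :" after acme.sh runs the hook, and each has one usual cause: a 401 when api_key (or password) is missing or the API key was pasted into the password field, a missing `<fqdn>/<fqdn>.key` when the hostname in deploy_config is still truenas.local, "Permission denied" when deploy_freenas.py lost its execute bit, and "Connection refused" when connect_host, port or protocol do not match the UI. The preflight script below is an added example, not code from the thread or from danb35's deploy-freenas project. It assumes deploy_config is an INI file with a [deploy] section; the keys api_key, password, connect_host, port and protocol are the ones named in the thread, while cert_fqdn as the FQDN key name is an assumption. It also assumes acme.sh's layout (`<fqdn>/<fqdn>.key` and `fullchain.cer`, with an `_ecc` suffix on the directory for ECC certs) and treats "`<id>-<random>`" as the shape of a TrueNAS API key, which is a heuristic only.

```python
"""Preflight checks for an acme.sh --reloadcmd hook that runs deploy_freenas.py.

Added example, not part of the thread or of the deploy-freenas project.
Assumed: deploy_config is INI with a [deploy] section; cert_fqdn is the FQDN key;
acme.sh stores <fqdn>/<fqdn>.key and fullchain.cer (directory <fqdn>_ecc for ECC);
API keys look like "<id>-<random>" (heuristic).
"""
from __future__ import annotations

import configparser
import os
import re
import tempfile
from pathlib import Path

# Heuristic: a TrueNAS API key pasted into the wrong field (assumed shape).
API_KEY_RE = re.compile(r"^\d+-[A-Za-z0-9]{40,}$")


def acme_cert_paths(fqdn: str, acme_home: Path) -> tuple[Path, Path]:
    """Return (key, fullchain) as acme.sh lays them out; ECC certs live in <fqdn>_ecc."""
    for d in (acme_home / f"{fqdn}_ecc", acme_home / fqdn):
        if d.is_dir():
            return d / f"{fqdn}.key", d / "fullchain.cer"
    return acme_home / fqdn / f"{fqdn}.key", acme_home / fqdn / "fullchain.cer"


def classify_reload_error(output: str) -> str:
    """Map the text acme.sh prints after 'Run reload cmd' to its usual cause."""
    if "401" in output:
        return "credentials: api_key (preferred) or password missing/wrong in deploy_config"
    if "Permission denied" in output:
        return "hook not executable: chmod +x deploy_freenas.py (or wrong --reloadcmd path)"
    if "Connection refused" in output:
        return "endpoint: connect_host, port and/or protocol do not match the TrueNAS UI"
    if "No such file or directory" in output and ".key" in output:
        return "cert path: hostname/cert_fqdn still default, acme.sh files are elsewhere"
    return "unknown"


def preflight(config_text: str, acme_home: Path, hook: Path) -> list[str]:
    """Return the problems that would make the reload hook fail; an empty list means go."""
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    d = cfg["deploy"]
    problems: list[str] = []

    api_key = d.get("api_key", "").strip()
    password = d.get("password", "").strip()
    if not api_key and not password:
        problems.append("no api_key or password set (API will answer 401)")
    if not api_key and API_KEY_RE.match(password):
        problems.append("value under 'password' looks like an API key; move it to api_key")

    fqdn = d.get("cert_fqdn", "").strip() or "truenas.local"  # assumed key name
    if fqdn == "truenas.local":
        problems.append("cert_fqdn is the default truenas.local; set the real FQDN")
    for p in acme_cert_paths(fqdn, acme_home):
        if not p.is_file():
            problems.append(f"missing {p}")

    if not (hook.is_file() and os.access(hook, os.X_OK)):
        problems.append(f"{hook} is not an executable file (Permission denied)")

    proto = d.get("protocol", "http").lower()
    port = int(d.get("port", 443 if proto == "https" else 80))
    if (proto, port) in (("http", 443), ("https", 80)):
        problems.append(f"{proto} on port {port} is almost certainly wrong")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Constructed acme.sh layout in a temp dir; run preflight on a bad and a good config."""
    tmp = Path(tempfile.mkdtemp())
    fqdn = "nas.example.org"  # constructed name
    ecc = tmp / f"{fqdn}_ecc"
    ecc.mkdir()
    (ecc / f"{fqdn}.key").write_text("KEY")
    (ecc / "fullchain.cer").write_text("CHAIN")
    hook = tmp / "deploy_freenas.py"
    hook.write_text("#!/usr/bin/env python3\n")  # written without the execute bit

    # API key under 'password', default hostname, hook not +x, https on port 80.
    bad = f"[deploy]\npassword = 1-{'a' * 64}\nconnect_host = localhost\nprotocol = https\nport = 80\n"
    bad_problems = preflight(bad, tmp, hook)

    hook.chmod(0o750)
    good = f"[deploy]\napi_key = 1-{'a' * 64}\ncert_fqdn = {fqdn}\nconnect_host = localhost\nprotocol = https\nport = 443\n"
    good_problems = preflight(good, tmp, hook)
    return bad_problems, good_problems


if __name__ == "__main__":
    for problem in demo()[0]:
        print("bad config:", problem)
```

When a cert was issued with several -d names, acme.sh names the directory after the first one, so for `-d mydomain.duckdns.org -d "*.mydomain.duckdns.org"` the files land under `mydomain.duckdns.org_ecc`; that first name is what cert_fqdn (and the hostname the script derives its paths from) has to match.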
 

airflow (Contributor, joined May 29, 2014, 111 messages)
Recently I noticed that when I clone the repository, the deploy_freenas.py script is not set as executable any more. I have to set it executable manually first. Is this expected? Did I miss something?
 

danb35 (Hall of Famer, joined Aug 16, 2011, 15,504 messages)

bmiki75 (Cadet, joined May 26, 2023, 4 messages)
> You've set connect_host, port, and/or protocol incorrectly.
After a long journey I finally managed to issue and install a wildcard cert and change from ZeroSSL to a Let's Encrypt cert. For a while all worked as expected; now TrueCharts declares the TrueNAS SCALE cert deprecated, and setting TLS in advanced gives me "Error: [EINVAL] values.ingress.main.tls: Item#0 is not valid per list types: [EINVAL] tlsEntry.hosts: Item#0 is not valid per list types: [host] Not a string".
I have found this topic https://www.truenas.com/community/t...-updates-ingress-is-no-longer-working.110657/ but after a long journey to make it work with dynamic DNS (duckdns) I do not want to change to clusterissuer + traefik because, if I have understood correctly, you have to own a domain in Cloudflare, and I do not use Cloudflare. Is there a way to make the TrueNAS SCALE cert work with the TLS setting inside TrueCharts apps?
 

danb35 (Hall of Famer, joined Aug 16, 2011, 15,504 messages)
> Is there a way to make the TrueNAS SCALE cert work with the TLS setting inside TrueCharts apps?
That sounds like a question for the TrueCharts folks.
 