Let's Encrypt with FreeNAS 11.1 and later 0.3

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,464
The script needs to read the cert and key files. By default, it looks in the directory acme.sh would use for the server's hostname, so in most cases the best thing for you to do would be to update the system hostname through the web GUI to match your FQDN. If you don't want to do that, you can set the cert_fqdn parameter in the config file (so the script will determine the paths using the correct FQDN), and/or the privkey_path and fullchain_path parameters (to tell the cert directly where to find the cert and key files). It's all explained on the github page.
 

KevDog

Patron
Joined
Nov 26, 2016
Messages
462
The script needs to read the cert and key files. By default, it looks in the directory acme.sh would use for the server's hostname, so in most cases the best thing for you to do would be to update the system hostname through the web GUI to match your FQDN. If you don't want to do that, you can set the cert_fqdn parameter in the config file (so the script will determine the paths using the correct FQDN), and/or the privkey_path and fullchain_path parameters (to tell the cert directly where to find the cert and key files). It's all explained on the github page.

@danb35

Awesome advice. I believe it's actually a lot easier to change the FQDN of the FreeNAS server to match the domain name specified in the certificates. The user may also need to do a DNS override at the router level to match the FreeNAS IP address with the domain name if the FreeNAS machine is sitting within the LAN.
 

thepixelgeek

Patron
Joined
Jan 21, 2016
Messages
271
Running 11.2u7. GoDaddy domain pointed to Cloudflare nameservers. Exported my keys and email. But getting an error using freenas# .acme.sh/acme.sh --issue -d fqdn_of_freenas_box --dns dns_cf --reloadcmd "/mnt/SuperPool/Scripts/deploy-freenas/deploy_freenas.py"

Is it simply that I need to replace "fqdn_of_freenas_box" to my freenas IP in the command above?

Error:
"Error creating new order :: Cannot issue for \"fqdn_of_freenas_box\": Domain name contains an invalid character",

My current deploy config:
Code:
[deploy]
password = mysecretpass

From reading above, and not fully understanding, this issue is perhaps related to me needing to change the deploy config file, or the command line? Do the Cloudflare settings need to change at all?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,464
Is it simply that I need to replace "fqdn_of_freenas_box" to my freenas IP in the command above?
No, you need to replace it with the FQDN of your FreeNAS box. If your domain is yourdomain.com, and your FreeNAS box is called freenas, that FQDN would be freenas.yourdomain.com.
 

thepixelgeek

Patron
Joined
Jan 21, 2016
Messages
271
My system is using default configuration of freenas box hostname:domain.

Currently, it's hostname:freenas and domain:local.

My newly purchased domain, from Godaddy, is mynewdomain.com.

Do I need to change anything in global configuration? Like hostname:freenas domain:mynewdomain.com.

Then change "fqdn_of_freenas_box" to "freenas.mynewdomain.com"?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,464
Do I need to change anything in global configuration? Like hostname:freenas domain:mynewdomain.com.
That would be best.
Then change "fqdn_of_freenas_box" to "freenas.mynewdomain.com"?
Correct. And then do whatever you need to do on your router so that, from your LAN, freenas.mynewdomain.com resolves to your FreeNAS box. On my pfSense router, that would be a DNS host override; how you'd configure that would depend on your router.
 

thepixelgeek

Patron
Joined
Jan 21, 2016
Messages
271
That would be best.

Correct. And then do whatever you need to do on your router so that, from your LAN, freenas.mynewdomain.com resolves to your FreeNAS box. On my pfSense router, that would be a DNS host override; how you'd configure that would depend on your router.
What you explained, does that have a specific term (resolving IP?), so that I can do research on? And assuming you mean point freenas.mynewdomain.com to the reserved IP address I use to access the gui? Not sure I can do that in the Eero router. I am able to reserve IPs, but thinking that's different.

Oh, and what about other network>global settings, like nameserver 1,2,3? Do I need to change those? Currently, nameserver1 is my default gateway. Not sure that's correct though.
 

thepixelgeek

Patron
Joined
Jan 21, 2016
Messages
271
If I change domain name in network>global, will that affect anything else? Like accessing the gui, jails or other?
 

thepixelgeek

Patron
Joined
Jan 21, 2016
Messages
271
Made those changes above. It created domain key, showed me the key path, showed the single domain, and got domain auth token.

But, I still got same error after trying to run, from root, .acme.sh/acme.sh --issue -d freenas@mynas.me --dns dns_cf --reloadcmd "/mnt/SuperPool/Scripts/deploy-freenas/deploy_freenas.py"

Perhaps I need to change something in the config file? I only put the deploy password. I did notice in the config_sample it says the private key is in /cert_fqdn but I don't see that directory under root/.acme.sh.

Error:
Code:
Create new order error. Le_OrderFinalize not found. {
  "type": "urn:ietf:params:acme:error:rejectedIdentifier",
  "detail": "Error creating new order :: Cannot issue for \"freenas@mynas.me\": Domain name contains an invalid character",
  "status": 400
}
[Sat Jan  4 12:45:28 PST 2020] Please add '--debug' or '--log' to check more details.
[Sat Jan  4 12:45:28 PST 2020] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
 

KevDog

Patron
Joined
Nov 26, 2016
Messages
462
Made those changes above. It created domain key, showed the path, showed single domain, and got domain auth token.

But, I still got same error code after trying to run, from root@freenas .acme.sh/acme.sh --issue -d freenas@mynas.me --dns dns_cf --reloadcmd "/mnt/SuperPool/Scripts/deploy-freenas/deploy_freenas.py"

Perhaps I need to change something in the config file? I only put the deploy password. I did notice in the config_sample it says the private key is in /cert_fqdn but I don't see that directory under root/.acme.sh.

Error:
Code:
Create new order error. Le_OrderFinalize not found. {
  "type": "urn:ietf:params:acme:error:rejectedIdentifier",
  "detail": "Error creating new order :: Cannot issue for \"freenas@mynas.me\": Domain name contains an invalid character",
  "status": 400
}
[Sat Jan  4 12:45:28 PST 2020] Please add '--debug' or '--log' to check more details.
[Sat Jan  4 12:45:28 PST 2020] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh

The error you are getting is because you stated your freenas domain name was freenas@mynas.me when I think it should be in reality freenas.mynas.me.
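A small pre-flight check, added here as an illustration and not part of danb35's deploy script, that ties together two points from this thread: the FQDN must be a valid hostname (the "@" in freenas@mynas.me is exactly what Let's Encrypt rejected), and the cert/key locations follow the cert_fqdn / privkey_path / fullchain_path precedence described earlier. The acme.sh directory layout (<home>/<fqdn>/<fqdn>.key and fullchain.cer) is an assumption; acme.sh keeps ECC certs under a separate <fqdn>_ecc directory, which this example does not handle.

```python
import configparser
import re
from pathlib import Path

# Constructed sample in the same INI format as the thread's deploy config.
SAMPLE_CONFIG = """
[deploy]
password = mysecretpass
cert_fqdn = freenas.mynas.me
"""

# RFC 1123 label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
# "@", "_" and spaces fail this, which is the "invalid character" error above.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_fqdn(name: str) -> bool:
    """True if `name` is a syntactically valid fully qualified hostname."""
    if not name or len(name) > 253:
        return False
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def resolve_cert_paths(config_text: str, system_hostname: str,
                       acme_home: str = "/root/.acme.sh") -> dict:
    """Work out which cert and key files the deploy step would read.

    Precedence (as described in the thread): explicit privkey_path /
    fullchain_path win; otherwise cert_fqdn, falling back to the system
    hostname, selects the acme.sh directory (assumed layout, see lead-in).
    """
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    deploy = cfg["deploy"] if cfg.has_section("deploy") else {}

    fqdn = deploy.get("cert_fqdn") or system_hostname
    if not valid_fqdn(fqdn):
        raise ValueError(f"{fqdn!r} is not a valid FQDN; fix the hostname/domain "
                         "in Network > Global Configuration or set cert_fqdn")

    base = Path(acme_home) / fqdn
    return {
        "fqdn": fqdn,
        "privkey": deploy.get("privkey_path") or str(base / f"{fqdn}.key"),
        "fullchain": deploy.get("fullchain_path") or str(base / "fullchain.cer"),
    }
```

Running it with the system hostname still at the default freenas.local but cert_fqdn set shows why the override works without renaming the box; passing freenas@mynas.me fails before acme.sh is ever invoked.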
 

thepixelgeek

Patron
Joined
Jan 21, 2016
Messages
271
Well shit! I missed that. Working now.
 

thepixelgeek

Patron
Joined
Jan 21, 2016
Messages
271
All that’s setup. Now what?

Do I need to update cert settings in freenas gui?

Doesn’t appear to be a way to resolve hostname to freenas box IP.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,464
Do I need to update cert settings in freenas gui?
The deploy script should do that. If you haven't turned on HTTPS for the GUI, you'll need to do that (I'd set it to HTTP+HTTPS at least initially, until you're sure everything is working correctly).
Doesn’t appear to be a way to resolve hostname to freenas box IP.
What's your router? If you can't set it there, you can always do it with the hosts file on your computer, but that's kind of a clunky way to do it.
 

thepixelgeek

Patron
Joined
Jan 21, 2016
Messages
271
What's your router? If you can't set it there, you can always do it with the hosts file on your computer, but that's kind of a klunky way to do it.
Eero router
 

thepixelgeek

Patron
Joined
Jan 21, 2016
Messages
271
In my router, I can see “freenas” which has my IP assigned. I’ve already reserved that IP early on after freenas install.

I don’t see freenas.mynas.me. Not even sure I should.
 

thepixelgeek

Patron
Joined
Jan 21, 2016
Messages
271
Perhaps I've missed another setting in FreeNAS?

I set to http+https, selected letsencrypt cert from the dropdown list, web GUI is the GUI IP (192.168.x.xxx), HTTP port is 80, and https port 443.

FreeNAS hostname is FreeNAS, the domain is mynas.me.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,464
Perhaps I've missed another setting in FreeNAS?
Setting for what? The settings you've posted look good. But they won't do anything to affect name resolution on your network; that will be controlled by whatever is acting as the DNS server for your LAN, which I'd expect to be your router. Unfortunately, I'm only able to find very superficial documentation for the Eero; they don't seem to believe in writing manuals and making them available. If the Eero doesn't have any way to do a DNS host override, it's a pretty lame device, but maybe it's a reason to look at setting up Pi-hole--which will give you network-wide ad blocking in the bargain.
 

thepixelgeek

Patron
Joined
Jan 21, 2016
Messages
271
@danb35 Thanks, I'm looking at getting a pfSense router now.
 
Joined
Jan 4, 2014
Messages
1,644
@danb35 Having had considerable success with several resources you've prepared, namely Scripted Plex installation, Reverse Proxy using Caddy (with optional automatic TLS), and Scripted installation of Nextcloud 18 in iocage jail 2018-03-23, I thought I would turn my attention to this resource to see what it offered, as I found the other resources so useful.

As I was working my way through Let's Encrypt with FreeNAS 11.1 and later 0.3, I began to ask myself the question 'Why hasn't danb35 suggested using Caddy to achieve the same thing even more simply?' Pretty much all that's required is an entry in the Caddyfile similar to the following:


Code:
host.mydomain.com {
  tls {
        dns cloudflare
  }
  gzip
  proxy / 192.168.1.5/ {
    transparent
  }
}


Then it dawned on me that, functionally, the main difference between this and the Caddy resource is that the latter requires a permanent CNAME entry for the host whereas this does not.

Am I therefore correct in saying that:
  1. This resource is preferred for FreeNAS servers as it encrypts host communication on the local network, but does not expose the server to the internet. Caddy, on the other hand, would expose the server to the internet, making the server vulnerable; and
  2. I might use this resource to encrypt communication for jails that I do not want exposed to the internet. On the other hand, I would use Caddy if I wanted the jail resource (e.g. Nextcloud) accessible externally?
 