Let's Encrypt with FreeNAS 11.1 and later (resource version 0.3)

danb35


AnsisMalins

Hello. I'm failing to understand how acme.sh is supposed to work in a jail. The jail has its own IP addresses, but the DNS record is pointing to the FreeNAS system. Is jury-rigging some kind of routing an exercise left to the reader?
 

danb35

> Is jury-rigging some kind of routing an exercise left to the reader?
Pretty much. This shouldn't really be a big deal, as the FreeNAS system itself shouldn't ever be accessible directly from the Internet. But it's only needed if you're using HTTP validation; if you're using DNS validation you wouldn't need to mess with routing at all.
 

Patrick M. Hausen

> Hello. I'm failing to understand how acme.sh is supposed to work in a jail. The jail has its own IP addresses, but the DNS record is pointing to the FreeNAS system. Is jury-rigging some kind of routing an exercise left to the reader?
I use dehydrated, but the fundamental mechanism is the same.
  • I have $someapplication running in a jail, e.g. Nextcloud
  • I use VNET
  • the jail has got its own IP address
  • of course cloud.my.domain points to the jail
  • I can run dehydrated as intended
Why would you have the DNS record point to the NAS?

If you only have one IP address and want to run multiple applications, each in one jail - which is actually my situation here at home - you need to use an SSL reverse proxy with SNI so all DNS records point to the proxy jail, the proxy jail runs dehydrated/acme.sh and the (surprise!) proxy, and then relays the connection to the application proper. I still use Apache 2.4 and dehydrated for that. @danb35 is using Caddy, if I am not mistaken.
 

danb35

> @danb35 is using Caddy, if I am not mistaken.
I am, for several things, but I think that's kind of orthogonal to the subject of this resource--that's about deploying a cert to the Free/TrueNAS UI itself. If you're putting it behind a proxy, ordinarily that proxy would handle TLS termination, and in that case my script wouldn't be all that relevant.
 

Patrick M. Hausen

I must have misjudged what the issue was.
 

danb35

I think I have a fix--it seems to work for me under both -U2.1 and -U3, but I'd like a little bit more testing before I commit it. If you're willing to test it, replace the last section of the script (starting at line 223, where it reloads the UI) with the new content at:

Edit: With a little more testing, it seems to be working across a few versions, so it's committed:

Recommend you update the script by changing to the directory where it lives and running git pull.
 

(member joined Jan 4, 2014)
One of my CORE servers is complaining that its certificate is about to expire. When I run deploy_freenas.py, it chucks a wobbly.
Code:
[Tue Nov  9 01:57:54 AWST 2021] Run reload cmd: /root/deploy-freenas/deploy_freenas.py --config /truenas/truenas-t.udance.com.au.conf
Traceback (most recent call last):
  File "/root/deploy-freenas/deploy_freenas.py", line 22, in <module>
    import requests
ModuleNotFoundError: No module named 'requests'
[Tue Nov  9 01:57:54 AWST 2021] Reload error for :

I'm running CORE 12.0-U6. I've tried rerunning the script after the following actions, but with no change to the outcome:
  1. Updating to the latest version of deploy_freenas.py
  2. Rolling back to 12.0-U5.1
  3. Upgrading the jail packages (I've been successfully deploying TN certificates using the resource Let's Encrypt Local Servers and Devices).
 

danb35

"Chucks a wobbly"? Can't say I've heard that expression before--but its meaning is pretty obvious, I guess. The error indicates that the environment in which you're running the script (i.e., your jail) doesn't have the Python Requests module installed. pkg install py38-requests should do the trick, and she'll be right, mate.
 
(member joined Jan 4, 2014)
> "Chucks a wobbly"? Can't say I've heard that expression before--but its meaning is pretty obvious, I guess. The error indicates that the environment in which you're running the script (i.e., your jail) doesn't have the Python Requests module installed. pkg install py38-requests should do the trick, and she'll be right, mate.
:smile:
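The ModuleNotFoundError above is an interpreter problem, not a script problem: the pkg that provides Requests is named after the Python version that will run deploy_freenas.py (py38-requests for 3.8, py39-requests for 3.9), so the package has to match the python3 the script's shebang resolves to. The following is an added example, not part of danb35's script or of the deploy-freenas project; it probes which of a script's dependencies the current interpreter cannot import and prints the pkg(8) command for that interpreter's version. The py<major><minor>-<module> naming is the FreeBSD convention and is assumed to apply to the module in question (some pkgs are named differently from the module they provide).

```python
"""Pre-flight check: can the interpreter that will run deploy_freenas.py import its dependencies?

Added example, not part of deploy_freenas.py. Assumption: FreeBSD/TrueNAS CORE jails
name a Python module's pkg py<major><minor>-<module>, so the right package depends on
which python3 actually runs the script.
"""
import importlib
import sys
from typing import Iterable, List, Tuple


def missing_modules(names: Iterable[str]) -> List[str]:
    """Return the module names this interpreter cannot import (the ones that raise
    ModuleNotFoundError, exactly the failure shown in the thread)."""
    missing: List[str] = []
    for name in names:
        try:
            importlib.import_module(name)
        except ModuleNotFoundError:
            missing.append(name)
    return missing


def freebsd_pkg_name(module: str, version: Tuple[int, int] = sys.version_info[:2]) -> str:
    """py38-requests for Python 3.8, py39-requests for Python 3.9, and so on.
    Assumes the pkg is named after the import name, which is not true for every port."""
    major, minor = version
    return f"py{major}{minor}-{module}"


def install_hint(names: Iterable[str], version: Tuple[int, int] = sys.version_info[:2]) -> str:
    """A single pkg(8) command for everything that is missing, or '' when all imports work."""
    missing = missing_modules(names)
    if not missing:
        return ""
    return "pkg install " + " ".join(freebsd_pkg_name(m, version) for m in missing)


if __name__ == "__main__":
    # deploy_freenas.py imports requests (line 22 in the traceback above); run this with
    # the same python3 the script's shebang points at, e.g. `python3 check_deps.py`.
    hint = install_hint(["requests"])
    print(hint or f"all modules importable under Python {sys.version.split()[0]}")
```

Run it with the same interpreter the script will use (the one named in its shebang); running it under a different python3 is exactly the mismatch that leaves Requests "installed" yet unimportable.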
 

joncy92

Thanks very much for this it worked perfectly!
Is there a way to use Cloudflare's more restricted API Tokens rather than the Global API Key?
 

revengineer

Thank you for providing this script @danb35. I got this to work relatively quickly after struggling a bit with the python install in the jail and missing requests module. I am left with one question. The auto renewal cron job is given as
Code:
iocage exec <jailname> /root/.acme.sh/acme.sh --cron
Should I be adding
Code:
--reloadcmd "/path/to/deploy_freenas.py"
to this command line to ensure that the deploy script is run after a certificate update?

Advice appreciated.
 

danb35

No, if you used the --reloadcmd option when you issue the cert, acme.sh will remember it.

revengineer

> No, if you used the --reloadcmd option when you issue the cert, acme.sh will remember it.

Excellent, thank you. I may have to re-execute the full command as I did this separately the first time due to initial issues getting the deploy script to run.
 

danb35

> I may have to re-execute the full command
No need to re-issue the cert; you can do acme.sh --install-cert -d <your_fqdn> --reloadcmd /path/to/deploy_freenas.py. It will still pick up and save the reload command in your configuration, and run it next time it renews the cert.
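Both answers above rest on one fact: acme.sh persists the reload command (and the paths given to --install-cert) in the per-domain config under ~/.acme.sh/<fqdn>/<fqdn>.conf, which is what --cron reads on every run. The easiest way to confirm that the deploy script really is hooked in, before waiting for the next renewal, is to read that file. The following is an added example that is not part of danb35's resource, of deploy_freenas.py, or of acme.sh. It assumes acme.sh writes the config as KEY='value' lines and stores Le_ReloadCmd wrapped in base64 between __ACME_BASE64__START_ and __ACME_BASE64__END__ markers (plain values are handled too, so an older layout still parses); the FQDN, paths and dates in the sample config are made up.

```python
"""Confirm that acme.sh will run deploy_freenas.py on renewal, by reading its domain config.

Added example, not part of danb35's deploy-freenas script or of acme.sh.
Assumptions: ~/.acme.sh/<fqdn>/<fqdn>.conf holds KEY='value' lines and the value of
Le_ReloadCmd is base64 between the __ACME_BASE64__START_/__ACME_BASE64__END__ markers
(a bare value is accepted as well). FQDN, paths and dates below are constructed.
"""
import base64
import time
from typing import Dict, List, Optional

B64_START = "__ACME_BASE64__START_"
B64_END = "__ACME_BASE64__END__"

DEPLOY_SCRIPT = "/root/deploy-freenas/deploy_freenas.py"   # assumed location
DEPLOY_CONFIG = "/truenas/truenas.example.com.conf"        # assumed location
_RELOAD = f"{DEPLOY_SCRIPT} --config {DEPLOY_CONFIG}"

# Constructed sample of what acme.sh leaves behind after
#   acme.sh --issue -d truenas.example.com --dns dns_cf --reloadcmd "<_RELOAD>"
#   acme.sh --install-cert -d truenas.example.com --key-file ... --fullchain-file ...
SAMPLE_CONF = f"""Le_Domain='truenas.example.com'
Le_Alt='no'
Le_Webroot='dns_cf'
Le_Keylength='2048'
Le_NextRenewTimeStr='2021-12-29T00:00:00Z'
Le_NextRenewTime='1640736000'
Le_RealKeyPath='/root/certs/truenas.example.com.key'
Le_RealFullChainPath='/root/certs/truenas.example.com.fullchain'
Le_ReloadCmd='{B64_START}{base64.b64encode(_RELOAD.encode()).decode()}{B64_END}'
"""


def parse_domain_conf(text: str) -> Dict[str, str]:
    """Parse KEY='value' lines; surrounding quotes are stripped, comments and blanks skipped."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        conf[key.strip()] = value
    return conf


def decode_value(value: str) -> str:
    """Undo acme.sh's base64 wrapping; values without the markers pass through unchanged."""
    if value.startswith(B64_START) and value.endswith(B64_END):
        inner = value[len(B64_START):-len(B64_END)]
        return base64.b64decode(inner).decode("utf-8")
    return value


def reload_cmd(conf: Dict[str, str]) -> Optional[str]:
    """The command --cron will run after a successful renewal, or None if none is recorded."""
    raw = conf.get("Le_ReloadCmd")
    return decode_value(raw) if raw else None


def check_deploy_hook(conf: Dict[str, str], deploy_script: str,
                      now: Optional[float] = None) -> Dict[str, object]:
    """Report whether renewals are hooked to the deploy script and whether a renewal is due."""
    cmd = reload_cmd(conf)
    now = time.time() if now is None else now
    next_renew = int(conf.get("Le_NextRenewTime", "0") or 0)
    return {
        "domain": conf.get("Le_Domain"),
        "validation": conf.get("Le_Webroot"),   # e.g. dns_cf = DNS-01 via the Cloudflare hook
        "reloadcmd": cmd,
        "hooks_deploy_script": bool(cmd) and deploy_script in cmd.split(),
        "installed_key": conf.get("Le_RealKeyPath"),
        "installed_fullchain": conf.get("Le_RealFullChainPath"),
        "renew_due": next_renew != 0 and now >= next_renew,
    }


def install_cert_argv(fqdn: str, deploy_script: str, deploy_config: str) -> List[str]:
    """argv for the fix danb35 gives above: record the hook without re-issuing the cert."""
    return ["acme.sh", "--install-cert", "-d", fqdn,
            "--reloadcmd", f"{deploy_script} --config {deploy_config}"]


if __name__ == "__main__":
    report = check_deploy_hook(parse_domain_conf(SAMPLE_CONF), DEPLOY_SCRIPT)
    for key, val in report.items():
        print(f"{key:20} {val}")
    if not report["hooks_deploy_script"]:
        print("fix:", " ".join(install_cert_argv(str(report["domain"]), DEPLOY_SCRIPT, DEPLOY_CONFIG)))
```

Point it at the real file with parse_domain_conf(open(path).read()) from inside the jail. If hooks_deploy_script comes back False, the --install-cert command it prints is the remedy from the reply above; acme.sh also runs the reload command once immediately when --install-cert is executed, so the first deployment does not have to wait for the next cron cycle.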
 