LetsEncrypt certs instead of self-signed

Inxsible

Guru
Joined
Aug 14, 2017
Messages
1,123
When I first installed FreeNAS, I used self-signed certs. I am planning on migrating to SSL certs from LetsEncrypt and just wanted to confirm 1 thing.
FreeNAS has its own self-defined CAs & Certificates when using self-signed and it also allows the setup of ACME DNS within the WebUI. Is this the only recommended way to set up SSL?

I already have a separate proxmox box with a container running caddy2 as a reverse proxy and it handles SSL for a bunch of my services. I was wondering if I can use the same reverse proxy to set up SSL certs for my FreeNAS box as well and also the jails within FreeNAS -- if that's possible.


Thanks,
 
Joined
Jan 4, 2014
Messages
1,644

Inxsible

Guru
Joined
Aug 14, 2017
Messages
1,123
Joined
Jan 4, 2014
Messages
1,644
Refer to this post...

 

Inxsible

Guru
Joined
Aug 14, 2017
Messages
1,123
So my goal was to only not have a browser error when getting to the login page for FreeNAS. I was able to do that by using my caddy container as a reverse proxy to the FreeNAS url. Works like a charm.

I tried the same thing with my Proxmox and the pfSense URLs and they failed. So my presumption is that Proxmox and pfSense require the SSL certs to be within their own system/location for it to be able to use it for the login page whereas FreeNAS doesn't have that hard requirement.

I still have the self signed certs within FreeNAS because I was afraid to just delete them -- but at least when I get to the FreeNAS login page, it shows me the LetsEncrypt certificate.

The internal certs might still be used by FreeNAS for its own secure connections etc and to use a trusted CA there like LetsEncrypt we might still have to use the in-built ACME script -- but for now, that's not something that I am concerned about.
 
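The reverse-proxy setup described in the post above, as an added example that is not part of the original thread. It assumes Caddy reaches the FreeNAS web UI over HTTPS while FreeNAS still presents its self-signed certificate; the hostnames, IP address and file path are hypothetical, and it contrasts skipping upstream verification with trusting only the FreeNAS internal CA.

```caddyfile
# Added example. Hypothetical values (assumptions, not from the thread):
#   nas.example.com / nas-weak.example.com  public names served by Caddy
#   192.168.1.10                            FreeNAS web UI address
#   freenas.lan                             a name present in the FreeNAS certificate
#   /etc/caddy/freenas-ca.pem               FreeNAS internal CA certificate, exported as PEM

# Weak: the browser sees a Let's Encrypt certificate, but the hop from
# Caddy to FreeNAS is encrypted without being authenticated, because the
# upstream certificate is never checked.
nas-weak.example.com {
	reverse_proxy https://192.168.1.10 {
		transport http {
			tls_insecure_skip_verify
		}
	}
}

# Corrected: Caddy still obtains the public certificate automatically,
# and accepts the upstream only if its certificate chains to the FreeNAS
# internal CA and matches the expected server name.
nas.example.com {
	reverse_proxy https://192.168.1.10 {
		transport http {
			# Trust only this CA for the upstream connection.
			# (Newer Caddy releases also offer tls_trust_pool for this.)
			tls_trusted_ca_certs /etc/caddy/freenas-ca.pem
			# Must match a name in the FreeNAS certificate, since the
			# upstream is addressed by IP here.
			tls_server_name freenas.lan
		}
	}
}
```

With the corrected block, removing or regenerating the FreeNAS internal certificate breaks the upstream connection until the new CA file is copied to the proxy, which is a check worth making before deleting anything on the NAS.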

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
> The internal certs might still be used by FreeNAS for its own secure connections etc

It isn't.

> to use a trusted CA there like LetsEncrypt we might still have to use the in-built ACME script

You don't.

And both pfSense and Proxmox are entirely capable of obtaining their own certs from Let's Encrypt, which I'd recommend.
 

Inxsible

Guru
Joined
Aug 14, 2017
Messages
1,123
> It isn't.
>
> You don't.
>
> And both pfSense and Proxmox are entirely capable of obtaining their own certs from Let's Encrypt, which I'd recommend.

Thanks @danb35. That would mean I can delete the self signed certs that I had created when I first installed FreeNAS without issue.

As for pfSense and Proxmox -- you mean that I should use their internal ACME.sh mechanism to set up the LetsEncrypt certs and not use a caddy server as reverse proxy, correct?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
> you mean that I should use their internal ACME.sh mechanism to set up the LetsEncrypt certs and not use a caddy server as reverse proxy, correct?

That's what I'd do. I wouldn't use a reverse proxy for the sole purpose of providing TLS termination for services that are perfectly capable of doing it on their own and managing their own certificates. That may not be the best-informed opinion, but that's how I'd do it.
 

Inxsible

Guru
Joined
Aug 14, 2017
Messages
1,123
> That's what I'd do. I wouldn't use a reverse proxy for the sole purpose of providing TLS termination for services that are perfectly capable of doing it on their own and managing their own certificates. That may not be the best-informed opinion, but that's how I'd do it.

Makes sense. I was just trying it out via the reverse proxy, because I already had one and it was already managing the TLS for a bunch of other services. I thought it would be easier to manage/fix in one place, rather than going to 4-5 different places to fix anything -- freenas, proxmox, pfsense etc.
 