LetsEncrypt WebGUI SSL... - Need info on OpenSSL transformation of Private Key...


jsylvia007

Explorer
Joined
Oct 4, 2011
Messages
84
Howdy all...

Is there any way to update the WebGUI ssl cert without using the web gui?

I recently got bitten by the StartCOM SSL bug, and switched ALL my internal systems over to Let's Encrypt.

This is the last one that I can't figure out... Even pfSense supports this.

I have another linux box configured to download the actual certs, what I need now, is to somehow get them over to FreeNAS and restart the web gui...

Anyone accomplished this?
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
Any way that I know of uses automation via certbot. Without support from FreeNAS, anything you set up on the base system, which isn't recommended, will be overwritten as soon as you apply an update.

Exposing the web GUI isn't generally recommended but it might not hurt to add a feature request to add letsencrypt support to FreeNAS.
 

jsylvia007

Explorer
Joined
Oct 4, 2011
Messages
84
Any way that I know of uses automation via certbot. Without support from FreeNAS, anything you set up on the base system, which isn't recommended, will be overwritten as soon as you apply an update.

Exposing the web GUI isn't generally recommended but it might not hurt to add a feature request to add letsencrypt support to FreeNAS.
So... I have most of it figured out, although I can't figure out how to update a text field in the sqlite config database from the command line...

I'm sooooo close.

I have certbot working to use a dns-01 challenge on a Linux box to generate the cert...

Now all I have to do is figure out how to update the existing entry in the config database. I already know how to re-read the config and restart the webgui...

Anyone know how to update a text field properly from the command line?
 
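The question above is how to replace a text field in a SQLite config database from the command line without mangling a multi-line PEM body. The example below is added here and is not from the thread or from FreeNAS; the table and column names (`cert_table`, `cert_name`, `cert_certificate`, `cert_privatekey`) are placeholders, since the thread never names FreeNAS's real schema. It uses Python's standard `sqlite3` module with parameter binding, so the PEM text is never spliced into an SQL string, copies the database before touching it, and refuses to commit unless exactly one row matched.

```python
# Added example (not from the thread, not FreeNAS code): update the two text
# fields of one certificate row in a SQLite config DB, safely.
# Schema names below are PLACEHOLDERS, not FreeNAS's real tables/columns.
import os
import shutil
import sqlite3
import tempfile

# Constructed sample PEM bodies (not real certificate or key material).
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgQ0VSVA==\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQgS0VZ\n-----END PRIVATE KEY-----\n"


def make_sample_db(path):
    """Create a tiny config DB shaped like the placeholder schema."""
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE cert_table (id INTEGER PRIMARY KEY, cert_name TEXT, "
        "cert_certificate TEXT, cert_privatekey TEXT)"
    )
    con.execute("INSERT INTO cert_table VALUES (1, 'LE', 'old cert', 'old key')")
    con.commit()
    con.close()


def backup_db(path):
    """Copy the DB aside first; the thread's own advice before editing config."""
    bak = path + ".bak"
    shutil.copy2(path, bak)
    return bak


def load_pem(path):
    """Read a PEM file exactly as written (newlines included)."""
    with open(path, "r", encoding="ascii") as fh:
        return fh.read()


def update_certificate(db_path, name, cert_pem, key_pem):
    """Replace both text fields for the row named `name`.

    Values are bound as parameters, so newlines, quotes and dashes in the PEM
    body cannot break the statement. The transaction is rolled back unless
    exactly one row matched. Returns the number of rows changed (always 1).
    """
    con = sqlite3.connect(db_path)
    try:
        with con:  # commits on success, rolls back if we raise
            cur = con.execute(
                "UPDATE cert_table SET cert_certificate = ?, cert_privatekey = ? "
                "WHERE cert_name = ?",
                (cert_pem, key_pem, name),
            )
            if cur.rowcount != 1:
                raise RuntimeError(f"expected 1 row for {name!r}, matched {cur.rowcount}")
        return cur.rowcount
    finally:
        con.close()


def read_certificate(db_path, name):
    """Return (cert_certificate, cert_privatekey) for `name`, or None."""
    con = sqlite3.connect(db_path)
    try:
        return con.execute(
            "SELECT cert_certificate, cert_privatekey FROM cert_table WHERE cert_name = ?",
            (name,),
        ).fetchone()
    finally:
        con.close()


def demo():
    """End-to-end run on a constructed DB in a temp dir; returns what happened."""
    tmp = tempfile.mkdtemp()
    db = os.path.join(tmp, "config.db")
    cert_path = os.path.join(tmp, "fullchain.pem")
    key_path = os.path.join(tmp, "privkey.pem")
    with open(cert_path, "w") as fh:
        fh.write(SAMPLE_CERT)
    with open(key_path, "w") as fh:
        fh.write(SAMPLE_KEY)
    make_sample_db(db)
    bak = backup_db(db)
    changed = update_certificate(db, "LE", load_pem(cert_path), load_pem(key_path))
    return {
        "db": db,
        "changed": changed,
        "before": read_certificate(bak, "LE"),
        "after": read_certificate(db, "LE"),
    }


if __name__ == "__main__":
    result = demo()
    print("rows changed:", result["changed"])
    print("backup still holds:", result["before"])
    print("db now holds:", result["after"][0][:30], "...")
```

Run it as a script to see the before/after on the constructed database, or import it and call `update_certificate(path, name, cert, key)` against a copy of a real file. If you prefer the `sqlite3` shell itself, its built-in `readfile()` function can load a PEM file into a column without shell quoting, but the rowcount check and rollback above are what keep a typo in the `WHERE` clause from silently rewriting the wrong row.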

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
I wouldn't do that. You're going to break FreeNAS.
 

jsylvia007

Explorer
Joined
Oct 4, 2011
Messages
84
I wouldn't do that. You're going to break FreeNAS.
I appreciate your concern but this isn't a mission critical box. It's just used at home.

With the proper care, it's actually not that destructive. Once the first certificate is uploaded successfully via the GUI, all you have to do is update the two text fields associated with the certificate, re-read the config and restart the webgui...

That coupled with backups and taking a copy of the original config off before making the change greatly increases the odds for success.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
Well as long as you have all your bases covered and know the risk then you should be OK. Report back and let us know how it works. Your use case may be a good example for a feature request.
 

jsylvia007

Explorer
Joined
Oct 4, 2011
Messages
84
Well as long as you have all your bases covered and know the risk then you should be OK. Report back and let us know how it works. Your use case may be a good example for a feature request.

I definitely will! I'm hoping this catches the eye of a sqlite3 command line guru haha!
 

jsylvia007

Explorer
Joined
Oct 4, 2011
Messages
84
BUMP... Is there nobody out there who would help me with this? Surely someone in this community knows sqlite3 command line!
 

jsylvia007

Explorer
Joined
Oct 4, 2011
Messages
84
I've made progress!!!

Basically, I have found a way to update the config, with the new config, BUT, I've hit a new snag with how certs are working... It seems, that when using the webGUI, certificate files are created in /etc/certificates... The problem seems to be that the Private Key is being re-organized in some way. The one that is entered in the GUI isn't the one that's in /etc/certificates/KEY_NAME.key, it's been transformed in some way. I don't know enough to know what to do from here, but I assume there is some openssl command that's run to translate it from what I enter in the private key field to what gets output as the KEY file in /etc/certificates...

Any ideas?

If I can get through this last little piece, we should have a working solution...
 
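The post above suspects the private key is "transformed" between the GUI field and /etc/certificates; the thread does not settle whether FreeNAS rewrites it at all. One harmless reason two key files can look different while holding the same key is PEM framing: a PKCS#1 "BEGIN RSA PRIVATE KEY" file and a PKCS#8 "BEGIN PRIVATE KEY" file carry the same RSA parameters inside different ASN.1 wrappers. The robust check is therefore to compare the key material, not the text. The example below is added here (not from the thread, not FreeNAS code, and it assumes nothing about what FreeNAS does): a minimal DER reader that pulls the RSA modulus out of either PEM form, plus a tiny constructed "key" with toy numbers so the demo runs offline. It is stdlib-only; with OpenSSL at hand the equivalent check is comparing the output of `openssl pkey -pubout` for both files.

```python
# Added example (not from the thread, not FreeNAS code): extract the RSA
# modulus from a PKCS#1 or PKCS#8 PEM private key and compare two files by it.
# The "key" built at the bottom uses toy integers and is NOT a usable key.
import base64
import re

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 rsaEncryption


# --- minimal DER encode (only what the constructed sample needs) ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(v):
    # (bits+8)//8 leaves a leading 0x00 when the high bit is set, as DER requires
    return der_tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def pkcs1_der(n, e, d, p, q, dp, dq, qinv):
    """RSAPrivateKey ::= SEQUENCE { version 0, n, e, d, p, q, dp, dq, qinv }"""
    return der_tlv(0x30, b"".join(der_int(x) for x in (0, n, e, d, p, q, dp, dq, qinv)))


def pkcs8_der(pkcs1):
    """PrivateKeyInfo ::= SEQUENCE { version 0, AlgorithmIdentifier, OCTET STRING }"""
    alg = der_tlv(0x30, RSA_OID + b"\x05\x00")  # rsaEncryption, NULL params
    return der_tlv(0x30, der_int(0) + alg + der_tlv(0x04, pkcs1))


def pem_encode(label, der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# --- minimal DER decode ---
def der_read(buf, pos):
    """Return (tag, body, next_pos) for the TLV at pos (short and long lengths)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def der_children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, child, pos = der_read(body, pos)
        out.append((tag, child))
    return out


def rsa_modulus_from_pem(pem):
    """Modulus n from a 'RSA PRIVATE KEY' (PKCS#1) or 'PRIVATE KEY' (PKCS#8) PEM."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label, der = m.group(1), base64.b64decode("".join(m.group(2).split()))
    tag, body, _ = der_read(der, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    fields = der_children(body)
    if label == "PRIVATE KEY":
        alg_tag, alg_body = fields[1]
        if alg_tag != 0x30 or not alg_body.startswith(RSA_OID):
            raise ValueError("not an rsaEncryption key")
        _, body, _ = der_read(fields[2][1], 0)  # unwrap OCTET STRING -> PKCS#1
        fields = der_children(body)
    elif label != "RSA PRIVATE KEY":
        raise ValueError(f"unsupported PEM label {label!r}")
    n_tag, n_body = fields[1]
    if n_tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(n_body, "big")


def same_key(pem_a, pem_b):
    """True when both PEM files carry the same RSA modulus, whatever their framing."""
    return rsa_modulus_from_pem(pem_a) == rsa_modulus_from_pem(pem_b)


# Constructed toy parameters (p=61, q=53, n=3233, e=17, d=2753): NOT a real key.
TOY = dict(n=3233, e=17, d=2753, p=61, q=53, dp=2753 % 60, dq=2753 % 52, qinv=pow(53, -1, 61))
PKCS1_PEM = pem_encode("RSA PRIVATE KEY", pkcs1_der(**TOY))
PKCS8_PEM = pem_encode("PRIVATE KEY", pkcs8_der(pkcs1_der(**TOY)))

if __name__ == "__main__":
    print(PKCS1_PEM)
    print(PKCS8_PEM)
    print("same key:", same_key(PKCS1_PEM, PKCS8_PEM))
```

Running it prints two PEM blocks that share no line of text yet report `same key: True`. To use it on real files, read each with `open(path).read()` and pass both strings to `same_key()`; a `False` there, or a parse error, is what would actually indicate that a key was replaced or re-keyed rather than merely re-encoded.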

jsylvia007

Explorer
Joined
Oct 4, 2011
Messages
84
I wrote a HOWTO explaining how to achieve what you want.
Read it here: https://forums.freenas.org/index.ph...ficates-for-freenas-using-lets-encrypt.55276/

PS: The private key is not transformed in any way, to my knowledge. I use the private key exactly as it's generated by certbot and link it to FreeNAS' config.

This how-to is excellent. My misunderstanding was coming from the fact that I was positive that I needed to get the certificate into the config, which appears to not be the case. I just need to use the tunable and create a directory (which I ironically already have because my FreeNAS hosts all the certificates for all the other servers already).

I'm going to try this tonight.

I'll report back after it's rolled and updated, which I think is next month.

EDIT: Got home and rolled those changes in... Restarted after removing old certificates and adding in one I just call "LE". I created the necessary symlinks, restarted the services, and then ultimately the server to verify all worked as expected. All checked out perfectly.

My certificates roll in July... So I should know then if the changes will stick and will roll to the new certificate. I will report back.

EDIT: Actually they roll in Sept. So I will update then...
 

jsylvia007

Explorer
Joined
Oct 4, 2011
Messages
84
So my update is that this works like a charm. I switched from dehydrated over to acme, and the process still works great!!

EDIT: Forgot to mention! I just updated to FreeNAS 11-U3, and everything survived the update as well.
 