Looking for the best way to deploy a LE cert to a TrueNAS behind a Reverse Proxy (Part 2)

GJSchaller

A while back, I posted this thread: https://www.truenas.com/community/t...s-core-while-also-using-reverse-proxy.101475/

Things have changed since then, and I'm looking to find a new way to deploy a LE cert to my TrueNAS, but there's a different setup this time:

- TrueNAS has a Virtual Machine running Rocky Linux / Virtualmin
- The Virtualmin VM is in my DMZ, and exposed to the Internet
- DNS for my domain (aiskon.net) is hosted by the Virtualmin VM
- TrueNAS UI (truenas.aiskon.net) is behind a Reverse Proxy on the Virtualmin VM
- The Virtualmin VM can create and renew LE certs without an issue, and I do have a cert for *.aiskon.net on the VM

What I am looking for at this point is a way to get a LE cert onto the TrueNAS and deploy it for various services (SSH, FTP, the UI for internal use, etc.). I don't seem to be able to run acme.sh from the TrueNAS itself and obtain a cert, likely because it's behind a reverse proxy. In the past, DNS was hosted by Namecheap, but now I'm hosting it locally on the VM.

What are my options to obtain a cert on the TrueNAS directly and deploy it, or copy the Wildcard cert from the VM and deploy it to the NAS?

Thank you for the guidance!
 

danb35


GJSchaller

Thank you - I did get it working. I'll document the full way to get the cert out of the VM and into / onto the TrueNAS later this week.
 

GJSchaller

OK, so here's the basic process:

1) On the TrueNAS, set up a folder as an NFS Share
2) In the Linux VM, mount the NFS Share as a folder
3) Copy the certs from their home in the VM to the folder in the VM that is mounted to the NAS
4) On the NAS, run deploy-freenas.py, with the config set to point to the copies of the certs

Examples:
Dataset on NAS: /mnt/data/backups/websites (I had this already so the VM could back up to a storage area outside of itself; the VM is a web server)
Folder in VM: /mnt/backups (mounted to the folder above via NFS)
Under /mnt/backups, make a folder called "certs"
On the TrueNAS, this folder is visible as /mnt/data/backups/websites/certs
Anything copied into /mnt/backups/certs in the VM is visible on the NAS in /mnt/data/backups/websites/certs

Now, the remaining challenge I have is to schedule a cron job that will run when the cert is renewed, and only when it's renewed. I'll have two scripts - one on the VM that copies the cert into the "certs" folder, and another on the NAS that will (hopefully) check if the certs have changed, and then run deploy-freenas.py if they have.

Can anyone offer guidance on how to script the following logic?

"If the following file has changed in the past day, run deploy-freenas.py"

I figure I can run it daily, and it'll only deploy the certs when the cert renews.
 

danb35

> 1) On the TrueNAS, set up a folder as an NFS Share
> 2) In the Linux VM, mount the NFS Share as a folder

Why? There's no reason that the certs need to be visible both on the NAS and on the system on which you're running deploy-freenas.py; they only need to be available on the latter, as the script will upload them to the NAS using its API.

> "If the following file has changed in the past day, run deploy-freenas.py"

Don't do this. Instead, call deploy-freenas.py using your ACME client on a successful renewal. If you're using acme.sh, you'd say --reloadcmd /path/to/deploy-freenas.py; with certbot, it'd be --post-hook /path/to/deploy-freenas.py.
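A renewal hook wrapper along the lines danb35 describes, as an added example that is not code from this thread or from deploy-freenas: it is meant to be the command handed to acme.sh --reloadcmd or certbot --post-hook, and it also makes GJSchaller's daily-cron fallback harmless by deploying only when the certificate file's digest differs from the one recorded at the last successful deploy. The paths, state file and deploy command are assumptions.

```shell
#!/bin/sh
# Added example: wrapper to call from acme.sh --reloadcmd / certbot --post-hook,
# or from a daily cron. All paths below are assumptions, not from the thread.
set -eu

# SHA-256 of the certificate file (sha256sum on Linux, shasum elsewhere).
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# True (exit 0) when the certificate differs from the one recorded at the last
# successful deploy; a missing state file counts as "changed" (first run).
cert_changed() {
    cert="$1"; state="$2"
    new=$(file_digest "$cert")
    if [ -f "$state" ]; then old=$(cat "$state"); else old=""; fi
    [ "$new" != "$old" ]
}

# Run the deploy command only on change, and record the digest only after it
# succeeds, so a failed deploy is retried next time and a re-run is a no-op.
# Returns the deploy command's status, so the ACME client sees failures.
deploy_if_changed() {
    cert="$1"; state="$2"; shift 2
    if cert_changed "$cert" "$state"; then
        "$@" && file_digest "$cert" > "$state"
    else
        echo "certificate unchanged, nothing to deploy"
    fi
}

# Example invocation (assumed paths); deploy-freenas.py reads its own config:
#   deploy_if_changed /etc/letsencrypt/live/aiskon.net/fullchain.pem \
#       /var/lib/deploy-freenas/last-deployed.sha256 /path/to/deploy-freenas.py
```

Because deploy-freenas.py pushes the certificate and key to the NAS over its API, the private key never has to be copied onto an NFS share, where anyone able to mount the share could read it.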
 

GJSchaller

> Why? There's no reason that the certs need to be visible both on the NAS and on the system on which you're running deploy-freenas.py; they only need to be available on the latter, as the script will upload them to the NAS using its API.

The certs are generated within the VM, which is a webserver - it's in my DMZ, and it's generating a cert for *.aiskon.net already. Using the existing cert saves me the trouble of trying to generate a new one on the NAS, which is not exposed to the internet, and the DNS is hosted locally by the VM. I can't generate the certs from the NAS easily; it's easier to copy them from the VM to the NAS.
 

danb35

If the machine that has the cert can access the NAS via HTTP/HTTPS, there's no need to copy the cert anywhere--just run deploy-freenas on that machine, which will handle sending the cert data where it needs to go.
 

GJSchaller

OH! That makes much more sense now, thank you!

I'll have to check and see if there's a way to post-hook deploy-freenas.py from within Virtualmin, but that's one for the Virtualmin support forum.
 