AndroGen (Dabbler) – Joined Jan 19, 2019 – 47 messages
Hi All,
I need your help because I feel a bit lost in the big picture, even after hours and hours of reading here and on a few other forums.
It is about "Let's Encrypt" and getting the TLS / SSL certificates deployed on the TrueNAS (and a few other systems).
Here is the setup:
The entire network is behind 2 firewalls (2 NATs) – the first one from the ISP, which cannot be set to "modem only", and the second – pfSense.
The internal DMZ is clustered (physically or by VLANs). Multiple TrueNAS instances are in one of these clusters. None of them is exposed to the internet.
This is the status quo.
Desire: to move to "official" TLS / SSL certificates and switch some/most of the connectivity to certificate based.
Additional plans (some are not yet certain):
To move to a central authentication platform so that all network members can have SSO and access to all resources, including TrueNAS, after the SSO authentication. Authelia is under evaluation, but at a rather early stage – any suggestion would be appreciated (but this would be a bonus to the main question).
Introduce a VPN to a restricted set of internal resources so that documents can be uploaded / accessed from a remote location, also using some synchronization software (main consideration: Syncthing).
What is not really clear:
How to get the TLS / SSL certificates to the TrueNAS instances, as they are not reachable from the internet.
Yes, I've seen this one (and a few others):
https://www.truenas.com/community/resources/lets-encrypt-with-freenas-11-1-and-later.82/
I've read this article, but still could not get the bigger picture around the set-up.
How to overcome this restriction without exposing TrueNAS to the internet – it is still not clear.
Some additional articles refer to Cloudflare and some sort of API… how this works is still not completely clear, and does this mechanism work with other DNS providers? How could I check it?
Another area which is not completely clear: what domain names should be used for NAS systems.
I am about to acquire a public domain and link it to a small blog site (hosted somewhere).
But what about other systems (including FreeNAS)? Should I give them subdomain names and use dynamic DNS for them? Do I need to "register" the sub-domains, especially for TrueNAS systems? Or is this my own and free decision, with no need to request subdomain names?
Will these "self-declared" sub-domains work with "Let's Encrypt"?
Another bothering question:
Would it make sense / be advisable to deploy "another" reverse proxy between the firewall and e.g. FreeNAS where Syncthing is going to be up and running, as an extra security layer?
Sorry if this story looks a bit not completely thought through… this is where the bigger picture does not come together for me yet.
Your help and suggestions would be very much appreciated.
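The "Cloudflare and some sort of API" mechanism the post asks about is the ACME DNS-01 challenge (RFC 8555, section 8.4): the ACME client running on the NAS derives a value from the CA's challenge token and the account key, publishes it as a TXT record at `_acme-challenge.<hostname>` through the DNS provider's API, and the CA validates by querying public DNS. The NAS is never contacted inbound, which is why it works for hosts behind two NATs, and it works with any DNS provider the client can create a record at. The example below is added here and is not from the post, from TrueNAS, or from any ACME client; it reproduces the derivation so the expected record can be checked by hand, and the JWK, token and `nas.example.com` are constructed sample values, not a real key, challenge or host.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url encoding without '=' padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def account_thumbprint(jwk: dict) -> str:
    """RFC 7638 JWK thumbprint: SHA-256 over the canonical JSON of the required members."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, thumbprint: str) -> str:
    """Key authorization string binding the CA's challenge token to the account key."""
    return f"{token}.{thumbprint}"


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """Value the CA expects to find in the TXT record (RFC 8555 section 8.4)."""
    digest = hashlib.sha256(key_authorization(token, thumbprint).encode("ascii")).digest()
    return b64url(digest)


def challenge_record_name(fqdn: str) -> str:
    """Name the CA queries: _acme-challenge. prepended to the requested hostname."""
    return "_acme-challenge." + fqdn.rstrip(".")


def txt_records_satisfy(records, expected: str) -> bool:
    """Mirror of the CA-side check: validation succeeds if any TXT record at the name
    equals the expected value. A provider that can publish this one record is all
    DNS-01 needs; the host being certified is never contacted."""
    return any(r.strip('"') == expected for r in records)


# Constructed sample data (not a real account key or challenge token).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
              "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_HOST = "nas.example.com"   # hypothetical name for an internal TrueNAS


def plan_dns01(fqdn: str = SAMPLE_HOST, token: str = SAMPLE_TOKEN, jwk: dict = SAMPLE_JWK) -> dict:
    """The one record the ACME client must hand to the DNS provider's API for a name."""
    expected = dns01_txt_value(token, account_thumbprint(jwk))
    return {"name": challenge_record_name(fqdn), "type": "TXT", "value": expected}


if __name__ == "__main__":
    plan = plan_dns01()
    print(f"publish {plan['type']} {plan['name']} -> {plan['value']}")
    # Simulated answer from a public resolver once the record has propagated.
    simulated_answer = [f'"{plan["value"]}"']
    print("CA-side check passes:", txt_records_satisfy(simulated_answer, plan["value"]))
```

To check a real deployment with a real client, look the record up the way the CA does, from outside the network: `dig +short TXT _acme-challenge.nas.example.com` (with the real hostname substituted) should return the value the client published; if it does, the provider is usable for DNS-01 regardless of vendor. The subdomain question follows from the same rule: names under a domain you own need no separate registration, the CA only checks that the TXT record exists at the requested name in public DNS, and the certified host can keep a private address or none at all.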