SSL Certificates - help with a big picture needed

AndroGen (Dabbler, joined Jan 19, 2019, 47 messages)
Hi All,

I need your help because I feel a bit lost in the big picture, even after hours and hours of reading here and on a few other forums.
It is about "Let’s Encrypt" and getting TLS / SSL certificates deployed on TrueNAS (and a few other systems).

Here is the setup

The entire network is behind 2 firewalls (2 NATs): the first one is from the ISP and cannot be set to "modem only", and the second is pfSense.
The internal DMZ is clustered (physically or by VLANs). Multiple TrueNAS instances are in one of these clusters. None of them is exposed to the internet.
This is the status quo.

Desire: to move to "official" TLS / SSL certificates and switch some/most of the connectivity to certificate-based.

Additional plans (some are not yet certain):

To move to a central authentication platform so that all network members can have SSO and access to all resources, including TrueNAS, after SSO authentication. Authelia is under evaluation, but at a rather early stage; any suggestion would be appreciated (but this would be a bonus to the main question).
Introduce a VPN to a restricted set of internal resources so that documents can be uploaded / accessed from a remote location, also using some synchronization software (main consideration: Syncthing).

What is not really clear:
How to get the TLS / SSL certificates to the TrueNAS instances, as they are not reachable from the internet.
Yes, I've seen this one (and a few others):
https://www.truenas.com/community/resources/lets-encrypt-with-freenas-11-1-and-later.82/
I’ve read this article, but still could not get the bigger picture around the set-up.
How to overcome this restriction without exposing TrueNAS to the internet is still not clear.
Some additional articles refer to Cloudflare and some sort of API… how this works is still not completely clear, and does this mechanism work with other DNS providers? How could I check it?

Another area which is not completely clear: what domain names should be used for NAS systems.
I am about to acquire a public domain and link it to a small blog site (hosted somewhere).
But what about other systems (including FreeNAS)? Should I give them subdomain names and use dynamic DNS for them? Do I need to “register” the sub-domains, especially for TrueNAS systems? Or is this my own free decision, with no need to request subdomain names?
Will these “self-declared” sub-domains work with "Let’s Encrypt"?

Another bothering question:
Would it make sense / be advisable to deploy "another" reverse proxy between the firewall and e.g. FreeNAS, where Syncthing is going to be up and running, as an extra security layer?

Sorry if this story looks a bit not completely thought through… this is where the bigger picture does not come together for me yet.

Your help and suggestions would be very much appreciated.
 

danb35 (Hall of Famer, joined Aug 16, 2011, 15,504 messages)
"How to overcome this restriction without exposing TrueNAS to the internet is still not clear."
I'm not sure what isn't clear about it (and if you have questions about that resource, it'd be better to raise them on that thread), but there are two relevant ways to validate control over your domain for Let's Encrypt (and you must own or control a public domain in order to get a cert at all):
  • Respond appropriately to a query to http://$DOMAIN/.well-known/acme-challenge/longstring
  • Create a DNS TXT record at _acme-challenge.$DOMAIN with specified contents
...where in either case $DOMAIN is the complete fully-qualified domain name for which you're seeking the cert, including any relevant subdomain. Whichever method you choose must be repeated roughly every 60 days, so it effectively needs to be automated.
"Some additional articles refer to Cloudflare and some sort of API… how this works is still not completely clear, and does this mechanism work with other DNS providers?"
Did you not read the resource you linked to? Because if I'm not mistaken, it links to the page in the acme.sh docs that lists all 130+ DNS providers with supported APIs:
"Another area which is not completely clear: what domain names should be used for NAS systems."
Any public domain that you own, including any hostname in that domain you choose to use. But Let's Encrypt will only issue certs for public domains, so you can't use something like freenas.local.
"Do I need to “register” the sub-domains, especially for TrueNAS systems?"
I don't know what you mean by "register" here.
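As an added illustration of the two validation methods listed above (this is not code from the thread, from acme.sh, or from the linked resource), the following shows what an ACME client actually publishes for each method: both values are derived from the challenge token and the client's account key as described in RFC 8555 section 8, which is why the TrueNAS box itself never has to be reachable from the internet. SAMPLE_JWK and SAMPLE_TOKEN are constructed placeholders (not a real key or a real token), `ca_would_accept` is a hypothetical stand-in for the CA's own DNS lookup, and `acme.example` is an assumed hostname.

```python
"""What an ACME client publishes for HTTP-01 and DNS-01 (RFC 8555, section 8).

Added example; not code from the thread, acme.sh or the linked resource.
SAMPLE_JWK and SAMPLE_TOKEN are constructed placeholders, not a real account key.
"""
import base64
import hashlib
import json
import re
from typing import Dict, Sequence

# JWK members that form the thumbprint (RFC 7638, section 3.2). Everything else
# the client might carry in its JWK (alg, kid, use, ...) is deliberately excluded.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}

# Constructed placeholder shaped like a P-256 public JWK; x/y are not a real point.
SAMPLE_JWK = {
    "kid": "https://acme.example/acct/1",  # assumed URL, ignored by the thumbprint
    "kty": "EC",
    "crv": "P-256",
    "x": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "y": "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB",
}
SAMPLE_TOKEN = "constructed-token_0123456789abcdefABCDEF-xyz"  # constructed


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, sorted, no whitespace."""
    try:
        members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    except KeyError as exc:
        raise ValueError(f"unsupported or missing kty: {jwk.get('kty')!r}") from exc
    canonical = json.dumps(
        {m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":")
    ).encode("utf-8")
    return b64url(hashlib.sha256(canonical).digest())


def key_authorization(token: str, jwk: Dict[str, str]) -> str:
    """HTTP-01: the body served at http://$DOMAIN/.well-known/acme-challenge/<token>."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", token):
        raise ValueError("token must be base64url without padding")
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_path(token: str) -> str:
    """URL path the CA fetches over plain HTTP on port 80."""
    return f"/.well-known/acme-challenge/{token}"


def dns01_record_name(domain: str) -> str:
    """Owner name of the TXT record; a wildcard is validated at its base name."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base.rstrip('.')}"


def dns01_txt_value(token: str, jwk: Dict[str, str]) -> str:
    """DNS-01: TXT value is base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def challenge_responses(domain: str, token: str, jwk: Dict[str, str]) -> Dict[str, str]:
    """Everything a client would publish for one challenge, both methods side by side."""
    return {
        "http01_url": f"http://{domain}{http01_path(token)}",
        "http01_body": key_authorization(token, jwk),
        "dns01_name": dns01_record_name(domain),
        "dns01_txt": dns01_txt_value(token, jwk),
    }


def ca_would_accept(published_txt: Sequence[str], token: str, jwk: Dict[str, str]) -> bool:
    """Hypothetical stand-in for the CA's check: expected value must be among the TXT strings."""
    return dns01_txt_value(token, jwk) in published_txt


if __name__ == "__main__":
    for k, v in challenge_responses("truenas1.yourdomain.tld", SAMPLE_TOKEN, SAMPLE_JWK).items():
        print(f"{k}: {v}")
```

The point worth noticing is that the DNS-01 path needs no inbound connection at all: the TXT value depends only on the token and the account key, and the only party that must be reachable is the authoritative DNS for the zone, which is what the DNS-provider API integrations automate.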
 

winstontj (Explorer, joined Apr 8, 2012, 56 messages)
AndroGen: I seriously feel for you. Most of the tutorials out there don't deal with what you are asking about.

Break it out into steps or parts and think about it really, really, really K.I.S.S. Assuming you have one public IP address, then you have only one machine that is public and has access to public ports 80 & 443... so use pfSense to get ALL of your certificates.

Break it down into pieces. Use pfSense to get all certs; now all your certs are on pfSense in the /conf/acme directory.

So next, move your certs off of pfSense, or from pfSense to the destination machine (here's a link: https://blog.barclayhowe.com/letsencrypt-ssl-certificate-pfsense-internal-linux-server/).

You shouldn't need to expose your TrueNAS to the internet, just let pfSense do it. At home we use a bunch of DNS providers. I use afraid.org and she uses Cloudflare and GoDaddy for her domains. pfSense allows you to set up each of those providers and pull LE certificates. We have a combination of wildcards, sub domains, domains, etc. Just do something to get yourself started, because the certs will expire in 60 days (90, but pfSense pulls new certs every 60 by default), so you can always add/change your certs later.

Domains and sub-domains can be whatever you want:
truenas1.yourdomain.tld
truenas2.yourdomain.tld
windows1.yourdomain.tld

You can accomplish that with one wildcard certificate or if you need to, individual certs for each machine. It all depends on what requirements you have.

Hope that helps
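As an added planning aid for the "one wildcard certificate or individual certs" choice above (not code from the thread, from pfSense, or from acme.sh), the following checks which planned hostnames a given list of certificate names would actually cover. Matching follows the rule browsers apply: a single `*` as the entire leftmost label covers exactly one DNS label, so `*.yourdomain.tld` covers truenas1.yourdomain.tld but neither the apex yourdomain.tld nor a.b.yourdomain.tld. The hostnames are the placeholders used in the post; `plan_names` is a hypothetical helper that does not consult the public suffix list and only refuses wildcards with fewer than three labels.

```python
"""Which planned hostnames does a certificate's name list cover?

Added example; not code from the thread, pfSense or acme.sh. Wildcard matching
follows the RFC 6125 / browser rule: '*' as the whole leftmost label matches
exactly one DNS label. Hostnames are the thread's placeholders; plan_names is a
hypothetical helper, not public-suffix-aware.
"""
from typing import Dict, Iterable, List, Optional, Set

PLANNED_HOSTS = [  # the names listed in the post, plus the apex for the blog
    "truenas1.yourdomain.tld",
    "truenas2.yourdomain.tld",
    "windows1.yourdomain.tld",
    "yourdomain.tld",
]


def _labels(name: str) -> List[str]:
    """Case-insensitive, trailing-dot-tolerant split into DNS labels."""
    return name.strip().lower().rstrip(".").split(".")


def name_matches(cert_name: str, host: str) -> bool:
    """True if cert_name (one DNS SAN entry) covers host."""
    c, h = _labels(cert_name), _labels(host)
    if "*" not in cert_name:
        return c == h
    # Only "*.rest" is honored: no partial wildcards (tru*.example), no '*' in any
    # other label, and no bare "*.tld" (a public CA would refuse to issue it anyway).
    if c[0] != "*" or "*" in cert_name[1:] or len(c) < 3:
        return False
    # One label only: "*.yourdomain.tld" does not cover the apex or a.b.yourdomain.tld.
    return len(h) == len(c) and h[1:] == c[1:]


def coverage(cert_names: Iterable[str], hosts: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each planned host to the first cert name covering it, or None."""
    names = list(cert_names)
    return {host: next((n for n in names if name_matches(n, host)), None) for host in hosts}


def uncovered(cert_names: Iterable[str], hosts: Iterable[str]) -> List[str]:
    """Hosts that would still get a name-mismatch warning with this cert."""
    return [h for h, m in coverage(cert_names, hosts).items() if m is None]


def plan_names(hosts: Iterable[str]) -> List[str]:
    """Suggest SAN entries: one wildcard per parent with two or more direct children,
    otherwise the host itself. Let's Encrypt issues wildcards only via DNS-01."""
    by_parent: Dict[str, Set[str]] = {}
    for h in hosts:
        labels = _labels(h)
        by_parent.setdefault(".".join(labels[1:]), set()).add(".".join(labels))
    names: List[str] = []
    for parent, children in by_parent.items():
        if len(children) >= 2 and len(_labels(parent)) >= 2:
            names.append(f"*.{parent}")
        else:
            names.extend(sorted(children))
    return sorted(names)


if __name__ == "__main__":
    print("uncovered by *.yourdomain.tld:", uncovered(["*.yourdomain.tld"], PLANNED_HOSTS))
    print("suggested names:", plan_names(PLANNED_HOSTS))
```

Run against the four placeholder hosts, the wildcard alone leaves the apex uncovered, so a single cert for everything needs both `*.yourdomain.tld` and `yourdomain.tld` as names; the wildcard also ties you to DNS-01, which in this setup is the only method that works anyway.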