The dreaded Not secure/Cert question

bigdonk

Dabbler
Joined
Jul 10, 2023
Messages
29
I am new to TrueNAS as of 3-4 months ago as well as new to servers in general. I have a test server running well and am still making some tweaks as I learn. I have recently added Traefik and Pi-hole to allow me to use a domain name instead of ip:port.

It works perfectly other than the Not Secure issue. I do own the domain I am using, but I don't want to expose it to the public. It is only used on my Home server.

I have read tons of different approaches that include Cloudflare, Let's Encrypt, etc. Every time I think I've found a solution it includes other apps or services, no longer works, or seems to be designed for domains available outside the LAN.

Can someone point me in the best direction for my local only needs as well as a link to instructions to do so?

Thanks
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
To avoid this error, TrueNAS needs to present a certificate that's issued by a certificate authority (CA) that's trusted by your browser, and certifies the name you're using to access your NAS. This gives you two basic methods:
  • Create your own CA, tell any browsers you use to trust that CA, and then issue a cert for your NAS from that CA
  • Get a cert from a trusted CA for your NAS
I suspect that for the large majority of users, the latter will be the simpler way to go, but it necessarily involves at least one third party (the CA), and probably two (the other being a DNS host).

So here are the simplest instructions I can think of, using Cobia's web UI (not sure if anything relevant has changed since Bluefin, but Cobia's what I'm running):
  • Host your domain's DNS at Cloudflare. Their DNS hosting service is free; you don't need the CDN or any of the fancy stuff.
  • At Cloudflare, create an API token with read and write permissions for your domain
  • In the TrueNAS web UI, go to Credentials -> Certificates, and Add an ACME DNS-Authenticator. Give it a name, choose cloudflare as the authenticator, and paste in your API token.
  • Next, add a Certificate Signing Request. Give it a name and then click Next until you get to Certificate Subject. Fill in all the mandatory fields. The only one that matters is Subject Alternative Name, where you'd need to have the FQDN of your NAS; the others can have anything but must be filled in. Click Next through the rest of the steps and then Save.
  • Then, next to the CSR you just created, click the wrench icon to create the actual certificate. Give that a name, check the box to agree to the terms of service, set Renew Certificate Days to 30 (the default of 10 is just stupid), choose Let's Encrypt Production Directory for the ACME Server, and choose the authenticator you previously created in the next dropdown. Then Save.
  • After a few seconds, that should create the certificate. Once that's done, you'll need to tell TrueNAS to use it. Go to System Settings -> General, and click Settings in the GUI section. Under GUI SSL Certificate, choose the one you just created.
That should be it. TrueNAS will get a new certificate every 60 days going forward.
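What the Cloudflare API token in the procedure above is actually used for, as an added example that is not part of the post and not TrueNAS code: Let's Encrypt validates the name with the ACME dns-01 challenge (RFC 8555 sections 8.1 and 8.4), and the DNS authenticator's only job is to publish one TXT record whose value is derived from the challenge token and the ACME account key. The CA then performs a DNS lookup and nothing else, which is why the NAS never has to be reachable from the Internet and why the domain must be hosted somewhere the token can write. The script below computes that record with the standard library only; the account key, token and domain are constructed placeholders, not values from the thread.

```python
"""ACME dns-01 challenge: the TXT record a DNS authenticator publishes.

Added example, not code from TrueNAS or the forum post. Implements the key
authorization (RFC 8555 section 8.1), the dns-01 record (section 8.4) and
the JWK thumbprint (RFC 7638) using only the standard library.
"""
import base64
import hashlib
import json

# Constructed placeholder: the public half of an ACME account key as a JWK.
# Real coordinates come from the key TrueNAS registers with Let's Encrypt.
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "placeholder-x-coordinate-base64url",
    "y": "placeholder-y-coordinate-base64url",
    "alg": "ES256",  # optional member: must NOT influence the thumbprint
}

# RFC 7638 section 3.2: only these members enter the thumbprint, sorted.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over canonical JSON of the required members only."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps(
        {k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":")
    )
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token || '.' || thumbprint: binds the CA's token to one ACME account,
    so a token seen in transit cannot be answered by someone else's key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def validation_name(identifier: str) -> str:
    """Owner name of the TXT record the CA queries. A wildcard identifier
    (*.example.com) is validated at the base name, _acme-challenge.example.com."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base.rstrip('.')}"


def dns01_record(identifier: str, token: str, account_jwk: dict) -> tuple[str, str]:
    """(name, value) of the TXT record the DNS authenticator must create.
    value = base64url(SHA-256(key authorization)), per RFC 8555 section 8.4."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return validation_name(identifier), b64url(digest)


if __name__ == "__main__":
    # The token is chosen by the CA per challenge; this one is constructed.
    name, value = dns01_record("nas.example.com", "constructed-token", SAMPLE_ACCOUNT_JWK)
    print(f'{name}. IN TXT "{value}"')
```

Because anyone holding the token can satisfy this challenge for every name in the zone, scope it as narrowly as Cloudflare's token editor allows (DNS edit on that single zone rather than account-wide), and treat it like a private key: it lives in the TrueNAS configuration database and is included in config backups.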
 

bigdonk

Dabbler
Joined
Jul 10, 2023
Messages
29
Thank you for this detailed response. I will go the Cloudflare route and report back that I did get it working.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
One other point--I mentioned above the requirement that the cert:
certifies the name you're using to access your NAS
That means that, when you're using a cert from Let's Encrypt, you must access your NAS using its FQDN, not its IP address. The cert doesn't certify the IP address, only the name.
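The name-matching half of that requirement, as an added example that is not code from TrueNAS or from this thread: the check below reproduces the comparison a browser makes between the host in the address bar and the certificate's subjectAltName entries (RFC 6125 section 6.4, with the stricter wildcard rules browsers apply today). It shows why a correct Let's Encrypt certificate for the NAS's FQDN still gives "Not secure" at the IP address, and what a wildcard entry does and does not cover. The SAN lists, names and addresses are constructed; the chain-of-trust half of the check (is the issuer trusted?) is not modelled here.

```python
"""Does this certificate certify the name typed into the browser?

Added example, not code from TrueNAS or the forum post. Reference-identity
matching as browsers perform it (RFC 6125 section 6.4 plus the current
browser wildcard rules), standard library only.
"""
import ipaddress

# Constructed SAN lists in the openssl subjectAltName notation (DNS:, IP:).
NAS_CERT_SAN = ["DNS:nas.example.com"]      # what the CSR in the thread yields
WILDCARD_CERT_SAN = ["DNS:*.example.com"]   # the wildcard alternative


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS SAN entry against a hostname, case-insensitively."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire leftmost label ("*.example.com", never
    # "n*.example.com" or "nas.*.com") and must leave at least two labels,
    # so "*.com" is refused.
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    # "*" spans exactly one label: "*.example.com" covers "nas.example.com"
    # but neither "example.com" nor "a.b.example.com".
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_matches(san_entries: list[str], requested: str) -> bool:
    """True if what the user typed is certified by some SAN entry.

    The subject CN is deliberately not consulted; browsers ignore it. An IP
    literal only matches an "IP:" entry, so a cert for nas.example.com is
    correct and still yields "Not secure" at https://192.168.1.10 (constructed
    address). A public CA will not certify a private RFC 1918 address anyway,
    so on a LAN the name is the only thing that can be certified.
    """
    requested = requested.strip("[]")  # IPv6 literal as written in a URL
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        ip = None
    for entry in san_entries:
        kind, _, value = entry.partition(":")
        if ip is not None and kind == "IP":
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue
        elif ip is None and kind == "DNS" and dns_name_matches(value, requested):
            return True
    return False


if __name__ == "__main__":
    for san, name in [
        (NAS_CERT_SAN, "nas.example.com"),
        (NAS_CERT_SAN, "192.168.1.10"),
        (WILDCARD_CERT_SAN, "readarr.example.com"),
        (WILDCARD_CERT_SAN, "example.com"),
    ]:
        print(f"{name:>22} against {san}: {cert_matches(san, name)}")
```

The same logic explains the wildcard question that comes up later in the thread: a SAN of *.mydomain.com covers app.mydomain.com and nas.mydomain.com, but not mydomain.com itself and not a name two labels deep, so a cert meant for the NAS UI alone is simplest with the bare FQDN in the SAN.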
 

bigdonk

Dabbler
Joined
Jul 10, 2023
Messages
29
That's OK with me.
 

bigdonk

Dabbler
Joined
Jul 10, 2023
Messages
29
So I had a few minutes to give it a go and it appears to have been set up correctly. However, it is not working. I noticed the CSR I created says issuer: external - signature pending.

I am wondering if I just need to wait a while or if I did something wrong.

EDIT: For the FQDN I used *.mydomain.com and maybe that is incorrect?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
However, it is not working. I noticed the CSR I created says issuer: external - signature pending.
That's normal. The CSR will be listed as "signature pending," while the cert will be listed in the same place without that notation (see the attached screenshot).

it is not working.
...so what in particular is "not working," and in what way is it not working?
 

bigdonk

Dabbler
Joined
Jul 10, 2023
Messages
29
OK... it is set up correctly then, but it appears to be using a Traefik certificate for all my apps. When I navigate to an app via myapp.mydomain.com it correctly goes to the app, but it is still not secure. It then shows that the cert is invalid and that it's using the Traefik default.
 

chuck32

Guru
Joined
Jan 14, 2023
Messages
623
What do you mean by Traefik default? I just skimmed over Dan's explanation, but it seems like that does not use Traefik at all. Do you still use Traefik as a reverse proxy? If so, you shouldn't use it for TrueNAS when you set up your certs in a different way.

Do you plan to use Traefik for other services? If so, you could set up Traefik correctly and use it for TrueNAS without setting up anything in TrueNAS. See my post here.
 

bigdonk

Dabbler
Joined
Jul 10, 2023
Messages
29
I am using Traefik as the reverse proxy along with Pi-hole to get to my apps. I was trying to get certs to work so I don't get the unsafe site/not secure prompts.

EDIT: I have multiple apps that I reach through these two services via appname.domainname.com.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
...is something completely different, which I overlooked in your OP. In that case, none of what I posted is relevant, really. You could change the CSR to include a wildcard (*.yourdomain.com), and then use the resulting cert in each of your apps by going into the Advanced Ingress settings and selecting the cert, but that's now deprecated by TrueCharts. The directions I gave you will give you a cert that works for the TrueNAS UI, but not really for your apps.

To get certs for your apps, install clusterissuer and cert-manager. When you install clusterissuer, you'll need to add an ACME issuer. Give it a name, select Cloudflare as the DNS provider, set server, email, and API token appropriately. Once that's installed, you'll need to edit each of your apps. To make sure it's properly set up for Ingress:
  • Under Networking and Services, Service Type, set to ClusterIP.
  • Under Ingress, tick Enable Ingress
  • Add a Host that matches the FQDN you'd use for the app, and a Path of /.
  • In Cert-Manager clusterIssuer, enter the name you chose when you added the ACME issuer
You could instead use a wildcard cert, but it looks like that's kind of beta right now. Here are the docs on that:
 

chuck32

Guru
Joined
Jan 14, 2023
Messages
623
Try to remove any configuration for TrueNAS from Traefik and see if Dan's way is working then.

Although, as mentioned before, if you plan on deploying Traefik for other services as well, set that up correctly and be done ;)
I'm on mobile right now, but if you share your setup I may be able to assist later.
 

bigdonk

Dabbler
Joined
Jul 10, 2023
Messages
29
Ok, I will give that a try when I get a chance and see if it works.
 

bigdonk

Dabbler
Joined
Jul 10, 2023
Messages
29
Had a couple of minutes, but already stuck at ClusterIssuer not installing.

Failed to install App: Error: INSTALLATION FAILED: 1 error occurred: * namespace "cert-manager" not found

I went into the Operators Catalog and tried to install cert-manager and it throws an error saying it already exists.

I'll have to mess with it later... my head hurts.
 

bigdonk

Dabbler
Joined
Jul 10, 2023
Messages
29

No idea why, but ClusterIssuer fails with namespaces "cert-manager" not found after many tries.
Code:
Error: Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/middlewared/job.py", line 426, in run
    await self.future
  File "/usr/lib/python3/dist-packages/middlewared/job.py", line 464, in __run_body
    rv = await self.method(*([self] + args))
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/service/crud_service.py", line 194, in nf
    rv = await func(*args, **kwargs)
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/schema/processor.py", line 44, in nf
    res = await f(*args, **kwargs)
          ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/schema/processor.py", line 177, in nf
    return await func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/plugins/chart_releases_linux/chart_release.py", line 487, in do_create
    await self.middleware.call(
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1398, in call
    return await self._call(
           ^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1352, in _call
    return await self.run_in_executor(prepared_call.executor, methodobj, *prepared_call.args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1251, in run_in_executor
    return await loop.run_in_executor(pool, functools.partial(method, *args, **kwargs))
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/concurrent/futures/thread.py", line 58, in run
    result = self.fn(*self.args, **self.kwargs)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/plugins/chart_releases_linux/helm.py", line 49, in helm_action
    raise CallError(f'Failed to {tn_action} App: {errmsg}')
middlewared.service_exception.CallError: [EFAULT] Failed to install App: Error: INSTALLATION FAILED: 1 error occurred:
    * namespaces "cert-manager" not found
 

bigdonk

Dabbler
Joined
Jul 10, 2023
Messages
29

Just wanted to update you that, after getting some help in the TrueCharts Discord, I was able to get ClusterIssuer and cert-manager installed and was able to get the rest working with your instructions.

Thank you!
 

bigdonk

Dabbler
Joined
Jul 10, 2023
Messages
29
Good to know. What was the problem with getting cert-manager installed?
There were some remnants of a cert-manager install. I must have installed and removed it some time ago. After we cleared anything over 30 days old using a shell command, I was able to successfully install cert-manager and ClusterIssuer.
 

bigdonk

Dabbler
Joined
Jul 10, 2023
Messages
29
OK, this created an additional obstacle. I have everything working as it should, but if I set Networking --> Main Service Type to ClusterIP (Do Not Expose Ports) it breaks all my *arr apps (Sonarr, Radarr, etc.) since the ports are not exposed. I tried updating the settings in the apps to use the FQDN and it doesn't work. I have since changed back to LoadBalancer with exposed ports on these apps, but I am curious if there is a way to do it using ClusterIP.

Error using http: Unable to complete application test, cannot connect to Readarr. Name does not resolve (readarr.mydomain.com:80)
Error using https: Unable to complete application test, cannot connect to Readarr. Name does not resolve (readarr.mydomain.com:443)

It adds the port numbers (80,443) on its own.

If I set qBittorrent to ClusterIP I couldn't even try to connect to it, as it requires a port to connect to.

Any thoughts?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I am curious if there is a way to do it using ClusterIP.
Sure is, you need to use the internal hostnames and ports. See:
 