Using certbot to obtain Let's Encrypt certificates

melonion

Dabbler
Joined
Jan 9, 2023
Messages
40
I found https://www.truenas.com/community/t...-lets-encrypt-with-truenas-scale-21-04.92667/ and https://www.youtube.com/watch?v=TJ5fDiDRcbU, but I am not using Cloudflare, and I don't see why my NAS would need access to my DNS Provider anyways.

Similar to https://www.truenas.com/community/threads/lets-encrypt-certbot-support-for-https.43849/ but my TrueNAS Scale system is already "directly exposed to the Internet" with a DNS record pointing to it, so it shouldn't be any challenge to obtain a certificate.

I saw in Credentials>Certificates>ACME DNS-Authenticators that I can add a "shell" authenticator, but I do not see any info on how that would work.
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
> I don't see why my NAS would need access to my DNS Provider anyways.
You only need the proof that you own the domain...
You can either use the DNS method (requiring access to your DNS provider) or use one of the other methods (like HTTP, which requires you to set up the well-known challenge area on your domain's webserver and integrate with it to allow the creation of files there during the certificate request)
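An illustration of the HTTP method described above, added here as an example that is not part of the thread or of TrueNAS: a hook script for certbot's --manual mode that creates the challenge file in the webserver's well-known area and removes it again after validation. WEBROOT and the script's location are assumptions; CERTBOT_TOKEN and CERTBOT_VALIDATION are the variables certbot exports to its hooks.

```shell
#!/bin/sh
# certbot --manual hooks for the HTTP-01 challenge (added example, not TrueNAS code).
# Assumption: WEBROOT is the directory the domain's webserver serves; it must answer
# http://<domain>/.well-known/acme-challenge/<token> from the public Internet.
WEBROOT="${WEBROOT:-/var/www/html}"

# Write the key authorization where the ACME server will fetch it.
# Returns the path of the created file.
place_challenge() {
    webroot="$1"; token="$2"; validation="$3"
    # ACME tokens are base64url; refuse anything else so a hostile token
    # cannot become a path component such as "../".
    case "$token" in
        ''|*[!A-Za-z0-9_-]*) echo "invalid token: $token" >&2; return 1 ;;
    esac
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir"
    printf '%s' "$validation" > "$dir/$token"
    chmod 644 "$dir/$token"
    echo "$dir/$token"
}

# Remove the challenge file so stale authorizations are not left on the server.
remove_challenge() {
    webroot="$1"; token="$2"
    case "$token" in
        ''|*[!A-Za-z0-9_-]*) echo "invalid token: $token" >&2; return 1 ;;
    esac
    rm -f "$webroot/.well-known/acme-challenge/$token"
}

# When certbot runs this script as a hook, the first argument selects the action:
#   certbot certonly --manual --preferred-challenges http \
#     --manual-auth-hook "/root/http01-hook.sh auth" \
#     --manual-cleanup-hook "/root/http01-hook.sh cleanup" -d nas.example.com
case "${1:-}" in
    auth)    place_challenge "$WEBROOT" "$CERTBOT_TOKEN" "$CERTBOT_VALIDATION" ;;
    cleanup) remove_challenge "$WEBROOT" "$CERTBOT_TOKEN" ;;
esac
```

The script only places the file; if nothing on the NAS actually serves that path on port 80, the ACME server cannot fetch it and validation fails, which is the limitation discussed in the rest of the thread.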
 

melonion

Dabbler
Joined
Jan 9, 2023
Messages
40
> on your domain's webserver

Well, certbot can be run standalone, where it spins up its own temporary webserver. I do not have an active webserver running besides the TrueNAS Scale Web UI.
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
Then the http verification method isn't for you and we're back to the discussion about using DNS to verify.
 

melonion

Dabbler
Joined
Jan 9, 2023
Messages
40
But why? I could always use it just fine on any server like this, as I said with certbot standalone. I don't understand why TrueNAS Scale wouldn't be able to simply call that.
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
> But why? I could always use it just fine on any server like this, as I said with certbot standalone. I don't understand why TrueNAS Scale wouldn't be able to simply call that.
I'm not here to explain everything to you, but I suspect you're talking about doing this sort of thing: https://www.truenas.com/community/threads/tls-certificates-from-a-local-certificate-authority.93638/

As you can see, on CORE that's possible with the custom work done by forum members.

I don't see evidence that the same work was done for SCALE yet.

Feel free to do that work.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
> my TrueNAS Scale system is already "directly exposed to the Internet" with a DNS record pointing to it,
Very unwise configuration. The TrueNAS UI is not intended, designed, or hardened for such an application.
> I don't see why my NAS would need access to my DNS Provider anyways.
As noted above, control of your DNS is one of the ways you can demonstrate domain control in order to get a cert--and since the TrueNAS UI should always be on a protected network, it's the only method that really is appropriate for TrueNAS. What's a bit of a problem is that TrueNAS only directly supports two DNS providers, though Bluefin adds an option for "script" that I don't know has been played with much yet.

If you use a different DNS provider that also has an API that would allow programmatic changes to the records, it's likely that acme.sh supports it, and in that case this would likely work for you:

The deployment script does work under SCALE as reported by many users.

If you insist on using HTTP validation, I expect the basic approach I used under CORE (in the link above) should still work, but might need some adjustments to some of the paths.
 