
Let's Encrypt with FreeNAS 11.1 and later 0.3

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,455
The dns manual mode can not renew automatically, you must issue it again manually.
This is the core of your problem. If you're using the DNS validator, for this to work, you really need to be using a DNS host with a supported API so that renewals can happen automatically.
 

jsherm101

Dabbler
Joined
Nov 25, 2016
Messages
20
No; as 11.2 hasn't been released yet it isn't possible to test with that version. But the errors you're posting look like your server is refusing connections on port 80. Do you have HTTP enabled in the GUI, or only HTTPS?

Doh, I don't use port 80 for my server and didn't realize that the guide expects port 80 :) I switched it over to 80/443 on my machine that runs nightly builds and it was successful. Would adding a PORT variable and adding PROTOCOL + DOMAIN + PORT work when I want to renew my certs on a different port?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,455
Would adding a PORT variable and adding PROTOCOL + DOMAIN + PORT work when I want to renew my certs on a different port?
I hadn't considered the possibility of people running on non-standard ports. I expect it's possible, though it might be a while before I add it.

Edit: A workaround could be to add the port to the DOMAIN_NAME variable:
Code:
DOMAIN_NAME = "your_fqdn:port"

That wouldn't be a very intuitive use of that variable, but it should accomplish what you're trying to do.
 

jsherm101

Dabbler
Joined
Nov 25, 2016
Messages
20
I hadn't considered the possibility of people running on non-standard ports. I expect it's possible, though it might be a while before I add it.

Edit: A workaround could be to add the port to the DOMAIN_NAME variable:
Code:
DOMAIN_NAME = "your_fqdn:port"

That wouldn't be a very intuitive use of that variable, but it should accomplish what you're trying to do.

Good idea, thanks. This needs just the HTTP port equivalent, right?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,455
This needs just the HTTP port equivalent, right?
Whichever protocol you're going to use. Though there are reports of people having trouble with HTTPS that I haven't tracked down yet.
 

suivax

Cadet
Joined
Apr 20, 2018
Messages
9
I'm trying to get this working with my setup. Can someone shed some light on where I get this fullchain.cer? Is that generated from Let's Encrypt? I looked on the domain manager from the place I bought my domain and there isn't any type of record for this. Nothing in FreeNAS that I see.

FULLCHAIN_PATH = "/root/.acme.sh/your_fqdn/fullchain.cer"

It's misleading that they mention having this information before you actually generate it, if that's the case.

Thanks guys!
 

xxsj

Dabbler
Joined
Aug 2, 2014
Messages
26
It would be great for this to support issuance of multiple hostnames for jails. I wrote a second cron job that also creates the passworded certificate format needed for Plex:

Code:
#!/bin/bash
# Issue (or renew) the Plex certificate through the Cloudflare DNS API
/root/.acme.sh/acme.sh --issue -d plex_fqdn --dns dns_cf
# Bundle key and chain into the PKCS#12 file Plex expects, written into the jail
openssl pkcs12 -export \
  -out /path/to/jails/plexmediaserver_1/root/certificate.pfx \
  -inkey /root/.acme.sh/plex_fqdn/plex_fqdn.key \
  -in /root/.acme.sh/plex_fqdn/fullchain.cer \
  -certfile /root/.acme.sh/plex_fqdn/plex_fqdn.cer \
  -passout pass:superSecretPasswordThatGoesInPLEXConfig
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,455
It would be great for this to support issuance of multiple hostnames for jails,
Multiple hostnames are easy, just add them to the acme.sh issue command with additional -d flags. And once you've issued that cert, the same cron job will renew it. Although really, you probably want separate certs for each jail, so issue them separately--the cron job will still take care of renewal. The issue is with installing the newly-issued cert in the various jails, and that's probably best handled with the --post-hook or related flags.
 

Hazza

Cadet
Joined
Feb 11, 2015
Messages
7
I wrote a second cron that also creates the passworded certificate format needed for plex

Note also that acme.sh can do this natively too:
Code:
acme.sh --toPkcs -d plex_fqdn.example.com --password Pa$$w0rd123
You can have acme.sh carry out these secondary commands automatically without needing a second cron job. Access the directory where the certs are generated, and you will find a file 'plex_fqdn.example.com.conf' - just edit this to refer to whatever scripts you need as per https://github.com/Neilpang/acme.sh...post-hook',-'--renew-hook'-and-'--reload-cmd'
Then call the cron command with --force to update the certificates.
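The two ideas above (danb35's "one -d per hostname, a separate cert per jail, let the hook do the install" and the PKCS#12 conversion for Plex from xxsj and Hazza) fit into a single script. The following is an added example, not code from this thread, from the resource, or from acme.sh: run as `plex-cert.sh issue PRIMARY [ALT...]` it issues one cert covering every hostname given, registering itself as the `--reloadcmd`; acme.sh then re-runs it as `plex-cert.sh hook PRIMARY` on every renewal, and that mode writes the PKCS#12 file into the jail. The jail path, the Plex pfx location, the `dns_cf` provider and the password-file location are assumptions to adapt. Unlike the cron snippet above, the export password is read from a root-only file rather than passed on the command line, where it would be visible in `ps` output and in the crontab.

```shell
#!/bin/sh
# Added example, not code from the thread or from acme.sh. One script that
# (a) issues a certificate for a jail, giving every hostname its own -d flag,
# and (b) serves as the --reloadcmd hook that packages the renewed cert as
# PKCS#12 for Plex inside the jail. Paths and the dns_cf provider are assumed.
ACME_HOME="${ACME_HOME:-/root/.acme.sh}"
ACME_SH="${ACME_SH:-$ACME_HOME/acme.sh}"
JAIL_ROOT="${JAIL_ROOT:-/mnt/tank/iocage/jails/plex/root}"   # assumed jail root
PFX_OUT="${PFX_OUT:-$JAIL_ROOT/root/certificate.pfx}"
PFX_MODE="${PFX_MODE:-0640}"   # adjust owner/group to the jail's Plex account
# The export password lives in a root-only file (mode 0600) instead of on the
# command line, where it would show up in ps output and in the crontab.
PFX_PASS_FILE="${PFX_PASS_FILE:-$ACME_HOME/plex_pfx_pass}"

# dflags HOST... -> prints "-d HOST" for each name, so one cert covers them all
dflags() {
  out=""
  for h in "$@"; do out="$out${out:+ }-d $h"; done
  printf '%s\n' "$out"
}

# cert_dir PRIMARY -> prints the acme.sh output directory for PRIMARY, or fails
# if any file the hook needs is missing or unreadable
cert_dir() {
  d="$ACME_HOME/$1"
  for f in "$1.key" "$1.cer" fullchain.cer; do
    if [ ! -r "$d/$f" ]; then
      echo "cert_dir: missing $d/$f" >&2
      return 1
    fi
  done
  printf '%s\n' "$d"
}

# issue PRIMARY [ALT...] -> one acme.sh --issue with all hostnames; acme.sh
# stores the reload command and re-runs it after every renewal from cron.
# Invoke this script by absolute path so $0 is usable from the stored command.
issue() {
  # shellcheck disable=SC2046  (word-splitting of dflags output is intended)
  "$ACME_SH" --issue $(dflags "$@") --dns dns_cf \
    --reloadcmd "$0 hook $1"
}

# build_pfx PRIMARY -> bundle fullchain + key as PKCS#12 into the jail
build_pfx() {
  dir=$(cert_dir "$1") || return 1
  if [ ! -r "$PFX_PASS_FILE" ]; then
    echo "build_pfx: password file $PFX_PASS_FILE is missing" >&2
    return 1
  fi
  umask 077   # no world-readable window while openssl writes the file
  openssl pkcs12 -export -out "$PFX_OUT" \
    -inkey "$dir/$1.key" -in "$dir/fullchain.cer" \
    -passout "file:$PFX_PASS_FILE" || return 1
  chmod "$PFX_MODE" "$PFX_OUT"
}

case "${1:-}" in
  issue) shift; issue "$@" ;;
  hook)  build_pfx "$2" ;;
  "")    ;;   # no arguments: only define the functions (e.g. when sourced)
  *)     echo "usage: $0 issue PRIMARY [ALT...] | $0 hook PRIMARY" >&2; exit 2 ;;
esac
```

Because acme.sh records the reload command in the per-domain `.conf` file Hazza mentions, nothing else needs to change in the existing cron job: the renewal it triggers calls `hook` again, and the jail gets the fresh `certificate.pfx` without a second cron entry.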
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,455
Major update to the script today--its configuration has been broken out into a separate config file, so that you can update the script using git pull without losing your configuration. See the update for more details.
 

jFlatz

Dabbler
Joined
Jan 25, 2017
Messages
17
So is standalone still not supported? I just followed your guide and I get a prompt to install socat.
 

jFlatz

Dabbler
Joined
Jan 25, 2017
Messages
17
Got it! Thanks!
 

wildpixel

Dabbler
Joined
Nov 7, 2017
Messages
14
When I try to run
Code:
.acme.sh/acme.sh --issue -d fqdn_of_freenas_box --dns dns_cf --reloadcmd "/path/to/deploy_freenas.py"
I get this msg "It seems that fqdn_of_freenas_box is an IDN( Internationalized Domain Names), please install 'idn' command first."

Can anyone help me? Thank you!
 

jFlatz

Dabbler
Joined
Jan 25, 2017
Messages
17
When I try to run
Code:
.acme.sh/acme.sh --issue -d fqdn_of_freenas_box --dns dns_cf --reloadcmd "/path/to/deploy_freenas.py"
I get this msg "It seems that fqdn_of_freenas_box is an IDN( Internationalized Domain Names), please install 'idn' command first."

Can anyone help me? Thank you!

I made the same mistake at first. Remember to replace fqdn_of_freenas_box with the domain that you use for FreeNAS, e.g. freenas.example.com, except something you actually own.
 

wildpixel

Dabbler
Joined
Nov 7, 2017
Messages
14
I made the same mistake at first. Remember to replace fqdn_of_freenas_box with the domain that you use for FreeNAS, e.g. freenas.example.com, except something you actually own.
Thank you! Now it's telling me:
[Mon Nov 5 02:15:19 -03 2018] Please install socat tools first.
[Mon Nov 5 02:15:19 -03 2018] _on_before_issue.

Do you know how I can install socat tools?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,455

Darren David

Explorer
Joined
Feb 27, 2014
Messages
51
This is awesome, thank you @danb35! One question - I'm running in standalone mode in a jail, which works like a champ, but that means, of course, that the certs needed live in the jail once that process is complete. Do I just symlink the certs from the jail into the host system for deploy_freenas.py to work properly, or is there a cleaner way to handle this?
 

Darren David

Explorer
Joined
Feb 27, 2014
Messages
51
This is awesome, thank you @danb35! One question - I'm running in standalone mode in a jail, which works like a champ, but that means, of course, that the certs needed live in the jail once that process is complete. Do I just symlink the certs from the jail into the host system for deploy_freenas.py to work properly, or is there a cleaner way to handle this?

Disregard! I found the bits in
Code:
deploy_config
Nice.
 