
Let's Encrypt with FreeNAS 11.1 and later 0.3

For those of you who have an old-school BIND server:

```
ssh root@nas.nono.io
scp cunnie@ns-he.nono.io:/usr/local/etc/namedb/letsencrypt.key .
chmod 400 letsencrypt.key
curl https://get.acme.sh | sh
exit
ssh root@nas.nono.io
git clone https://github.com/danb35/deploy-freenas
printf "[deploy]\npassword = YourPassword\n" > deploy-freenas/deploy_config
chmod 400 deploy-freenas/deploy_config
bash
# Don't try elliptic curve! "Error formatting alert: HTTP server does not support
# certificates with keys shorter than 1024 bits. HTTPS cannot be enabled until a
# 1024 bit keylength or greater certificate is added"
# elliptic curve cryptography for the win! But need
export NSUPDATE_SERVER="ns-he.nono.io"
export NSUPDATE_KEY="/root/letsencrypt.key"
.acme.sh/acme.sh --issue \
-d nas.nono.io \
--dns dns_nsupdate \
--reloadcmd /root/deploy-freenas/deploy_freenas.py
.acme.sh/acme.sh --cron --home /root/.acme.sh
```
I'm getting a Create new order error. Le_OrderFinalize not found.

```
{
"type": "urn:ietf:params:acme:error:malformed",
"details": "error creating new order :: invalid character in DNS name",
"Status": 400
}
```

The command I ran is:

```
acme.sh --issue -d fqdn_of_freenas_box --standalone --httpport 8675 --reloadcmd "/root/deploy-freenas/deploy_freenas.py"
```

Any help please?
danb35
The message would appear to be telling you that the FQDN you've entered is invalid. Is this an actual public domain you own?
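A client-side pre-flight check for the identifier you hand to `acme.sh -d NAME`, added here as an example (it is not code from acme.sh, deploy-freenas or any poster in this thread). It approximates the hostname rules the ACME server enforces before it will create an order: RFC 1123 "LDH" labels (letters, digits, hyphens; no underscore), at most 63 characters per label and 253 overall, at least two labels, and a suffix that exists in public DNS. It also flags wildcard names, which can only be validated with a DNS challenge, not `--standalone`. The list of private suffixes is an assumption for illustration, and the server's answer remains authoritative.

```python
import re

# RFC 1123 "LDH" label: letters, digits, hyphens; no leading/trailing hyphen; 1-63 chars.
_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

# Suffixes that never resolve in public DNS, so Let's Encrypt cannot validate them.
# Assumed list for this example; it is not exhaustive.
_PRIVATE_SUFFIXES = {"local", "localhost", "lan", "home", "internal"}


def validate_acme_hostname(name):
    """Check a hostname before passing it to `acme.sh -d NAME`.

    Returns (ok, detail). When ok is False, detail says why the ACME server
    would most likely reject the identifier. When ok is True, detail is either
    empty or an advisory note (e.g. a wildcard needs dns-01).
    """
    if not isinstance(name, str) or not name:
        return False, "empty name"
    host = name.lower()
    if host.endswith("."):          # a single trailing dot (FQDN form) is fine
        host = host[:-1]
    if len(host) > 253:
        return False, "name longer than 253 characters"

    labels = host.split(".")
    wildcard = labels[0] == "*"
    if wildcard:
        labels = labels[1:]

    # Per-label syntax first, so a bad character is reported before a label-count problem.
    for label in labels:
        if not label:
            return False, "empty label (leading or doubled dot)"
        if len(label) > 63:
            return False, "label %r longer than 63 characters" % label
        if not _LABEL_RE.match(label):
            bad = sorted({c for c in label if not re.match(r"[a-z0-9-]", c)})
            if bad:
                return False, "invalid character(s) %s in label %r" % (bad, label)
            return False, "label %r starts or ends with a hyphen" % label

    if len(labels) < 2:
        return False, "need at least two labels (host + registered domain)"
    if all(label.isdigit() for label in labels):
        return False, "looks like an IP address, not a hostname"
    if labels[-1] in _PRIVATE_SUFFIXES:
        return False, "'.%s' is not a public DNS suffix; use a domain you own" % labels[-1]

    if wildcard:
        return True, "wildcard: needs a DNS challenge (--dns ...); --standalone cannot validate it"
    return True, ""


def preflight(names):
    """Return {name: reason} for every name that fails; empty dict if all pass."""
    problems = {}
    for n in names:
        ok, detail = validate_acme_hostname(n)
        if not ok:
            problems[n] = detail
    return problems


if __name__ == "__main__":
    import sys
    failures = preflight(sys.argv[1:])
    for n, why in failures.items():
        print("%s: %s" % (n, why), file=sys.stderr)
    sys.exit(1 if failures else 0)
```

Run it as `python3 preflight.py nas.nono.io` before the `--issue` step; a placeholder such as `fqdn_of_freenas_box` is reported as an invalid character (the underscore) rather than surfacing as a 400 from the CA, and a `.local` name is refused up front because the CA cannot resolve it.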
Has been working well for ages, but I just had an issue where the certificate wasn't updated automatically and thought I would share the fix in case anyone else had the same problem. I ran deploy_freenas.py manually and got a 409 error, so I went to System - General in the FreeNAS GUI and tried to update the certificate manually there, and it turned out that there was a problem with my config (IPv6 address was invalid). Once I fixed that, the script ran successfully and life was good again.
Got everything working, except when it came to my password. Turns out, you can't use certain special characters in your root password, or this script blows up. The ones I found were "%", "(", and ")".

Everything else was perfect.

I'm using Amazon Route 53 for my DNS, and the only complaint I have is that I can't use `ddclient` with it (out of the box, anyway...apparently there are workarounds) to keep my domain's IP up to date.
works as intended
I'm getting a 500 error (importing certificate).

```
[root@freenas ~]# /root/deploy_freenas.py
Error importing certificate!
<Response [500]>
[root@freenas ~]#
```

Ideas?
Had a chance to finally test this yesterday and it works like a charm. Thanks for the effort!
Great resource, covered all it needed to and easy to follow.

I very much appreciated the advice on using CloudFlare DNS, I didn't know they had a free DNS hosting service, so pleased to have moved my domain NS over to that.

One suggestion I would have is, if you're like me and were previously using 'freenas.local' rather than freenas.domain.tld - get that working beforehand. I half did it during the implementation and it caused a bunch of weird errors with deploy_freenas.py when it couldn't actually access freenas using the name I'd provided. (lack of setting up those A records / host file appropriately beforehand).

I also got some errors about root having no crontab during install of acme.sh but I assume that's expected.
Excellent how-to, does what says on the tin.