[HOWTO] configure official certificates for FreeNAS using Let's Encrypt

appliance

Thanks danb35, I am sending emails now. (I wanted to raise alerts in the UI first.) I can't get this acme tool out of /root. Even when I relocated it and changed the configuration, it sticks to the /root folder. It also has trouble running via sudo and cron. The issue is that /root is on an unencrypted USB flash drive, and I'm tired of giving out more and more keys (e.g. the Cloudflare key) to the "public". Since jails are on the encrypted system dataset, I think I should follow this method.

danb35

acme.sh can live anywhere. git clone the repo, then do ./acme.sh --install --home /path/to/wherever, and it will be installed to that location. Similarly, the deploy script can live anywhere. Either, or both, of these scripts can be on an encrypted pool. None of these things need to live in /root/. I remain unconvinced that there's any reason to put either script in a jail, unless you need to do the standalone validation.

appliance

True, and cron also has to use the --home parameter. So finicky!
It also adds endless aliases to .rc files, won't upgrade .conf correctly, and it launches --reloadcmd in the case where the certificate refresh is not needed. So I check the exit code instead: [[ ! $? == 2 ]] && <..mail about certificate was updated or another error..> || exit 0. I give up on this; this is unscriptable. It promises exit code 2 in the logs, but gives 0. Without reload_cmd it still calls deploy_freenas (from root again), without any reference in the acme folder or rc. And deploy_freenas would have tons of hardcoded references to /root. This is too much, I will simply wait for Cloudflare ACME in the UI :)
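A cron wrapper of the kind discussed in the two posts above (acme.sh installed with --install --home off /root, renewal exit code checked instead of relying on --reloadcmd). This is an added example, not code from the thread or from danb35's deploy script; the paths, domain, mail address and the python3 call for the deploy script are assumptions, and the exit-code meaning relies on acme.sh returning its RENEW_SKIP value (2) when a certificate is not yet due.

```shell
#!/bin/sh
# Cron wrapper for acme.sh renewals kept off /root, e.g. on an encrypted pool.
# Constructed example: paths, domain and mail address below are placeholders.
ACME_HOME="${ACME_HOME:-/mnt/tank/acme}"                 # assumed: installed via --install --home
DEPLOY_SCRIPT="${DEPLOY_SCRIPT:-$ACME_HOME/deploy_freenas.py}"  # assumed location of deploy script
DOMAIN="${DOMAIN:-nas.example.com}"
MAIL_TO="${MAIL_TO:-root}"

# acme.sh returns 0 when it renewed, RENEW_SKIP (2) when not yet due, anything else on error.
classify_acme_rc() {
    case "$1" in
        0) echo renewed ;;
        2) echo not-due ;;
        *) echo error ;;
    esac
}

# Map the classification to what the wrapper should do: deploy, skip or alert.
action_for_rc() {
    case "$(classify_acme_rc "$1")" in
        renewed) echo deploy ;;
        not-due) echo skip ;;
        *)       echo alert ;;
    esac
}

run_renewal() {
    log="$(mktemp)" || exit 1
    # --home is required here too, otherwise cron's acme.sh falls back to ~/.acme.sh.
    "$ACME_HOME/acme.sh" --home "$ACME_HOME" --renew -d "$DOMAIN" >"$log" 2>&1
    rc=$?
    case "$(action_for_rc "$rc")" in
        deploy)
            if python3 "$DEPLOY_SCRIPT" >>"$log" 2>&1; then
                mail -s "Certificate for $DOMAIN renewed and deployed" "$MAIL_TO" <"$log"
            else
                mail -s "Certificate for $DOMAIN renewed but deploy failed" "$MAIL_TO" <"$log"
            fi ;;
        skip)  : ;;   # not due yet: no deploy, no mail
        alert) mail -s "acme.sh failed (rc=$rc) for $DOMAIN" "$MAIL_TO" <"$log" ;;
    esac
    rm -f "$log"
}

# Run only when invoked as the cron script, not when sourced for its functions.
if [ "${0##*/}" = "acme-renew.sh" ]; then
    run_renewal
fi
```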

danb35

> deploy_freenas would have tons of hardcoded references to /root
deploy_freenas has no hardcoded references to /root/ that can't be overridden in the config file.

As to the issues you're seeing with acme.sh, I have no idea what's going on, and it certainly isn't my experience with that client. There are certainly other clients you could use, though acme.sh does have about the best DNS API support.
> i will simply wait for cloudflare ACME in UI
I hope we'll see that soon--and acme-dns as well. And if it supports limited Cloudflare API keys, which are now possible, so much the better.

KevDog

@danb35

Thanks for the great script. The solution with acme/deploy-hooks scripts/Cloudflare works great. Thanks for the support.