
Let's Encrypt with FreeNAS 11.1 and later 0.3

danb35

FreeNAS Wizard
Joined
Aug 16, 2011
Messages
10,343
Thanks
3,646
#21
The dns manual mode can not renew automatically, you must issue it again manually.
This is the core of your problem. If you're using the DNS validator, for this to work, you really need to be using a DNS host with a supported API so that renewals can happen automatically.
 
Joined
Nov 25, 2016
Messages
17
Thanks
8
#22
No; as 11.2 hasn't been released yet it isn't possible to test with that version. But the errors you're posting look like your server is refusing connections on port 80. Do you have HTTP enabled in the GUI, or only HTTPS?
Doh, I don't use port 80 for my server and didn't realize that it expects port 80 in the guide :) I switched it over to 80/443 on my machine that runs nightly builds and it was successful. Would adding a PORT variable and adding PROTOCOL + DOMAIN + PORT work when I want to renew my certs on a different port?
 

danb35

#23
Would adding a PORT variable and adding PROTOCOL + DOMAIN + PORT work when I want to renew my certs on a different port?
I hadn't considered the possibility of people running on non-standard ports. I expect it's possible, though it might be a while before I add it.

Edit: A workaround could be to add the port to the DOMAIN_NAME variable:
Code:
DOMAIN_NAME = "your_fqdn:port"

That wouldn't be a very intuitive use of that variable, but it should accomplish what you're trying to do.
 
Joined
Nov 25, 2016
Messages
17
Thanks
8
#24
I hadn't considered the possibility of people running on non-standard ports. I expect it's possible, though it might be a while before I add it.

Edit: A workaround could be to add the port to the DOMAIN_NAME variable:
Code:
DOMAIN_NAME = "your_fqdn:port"

That wouldn't be a very intuitive use of that variable, but it should accomplish what you're trying to do.
Good idea, thanks. This needs just the HTTP port equivalent, right?
 

danb35

#25
This needs just the HTTP port equivalent, right?
Whichever protocol you're going to use. Though there are reports of people having trouble with HTTPS that I haven't tracked down yet.
 
Joined
Apr 20, 2018
Messages
9
Thanks
0
#26
I'm trying to get this working with my setup. Can someone shed some light on where I get this fullchain.cer? Is that generated from Let's Encrypt? I looked on the domain manager from the place I bought my domain and there isn't any type of record for this. Nothing in FreeNAS that I see.

FULLCHAIN_PATH = "/root/.acme.sh/your_fqdn/fullchain.cer"

It's misleading that they mention having this information before you actually generate it.. If that's the case.

Thanks guys!
 

danb35

#27
Joined
Aug 2, 2014
Messages
26
Thanks
3
#28
It would be great for this to support issuance of multiple hostnames for jails, I wrote a second cron that also creates the passworded certificate format needed for plex:

Code:
#!/bin/bash
# Issue a cert for the Plex hostname via the Cloudflare DNS API (dns_cf)
/root/.acme.sh/acme.sh --issue -d plex_fqdn --dns dns_cf
# Bundle key + chain into the password-protected PKCS#12 file Plex expects, written into the jail's filesystem
openssl pkcs12 -export -out /path/to/jails/plexmediaserver_1/root/certificate.pfx -inkey /root/.acme.sh/plex_fqdn/plex_fqdn.key -in /root/.acme.sh/plex_fqdn/fullchain.cer -certfile /root/.acme.sh/plex_fqdn/plex_fqdn.cer -passout pass:superSecretPasswordThatGoesInPLEXConfig
 

danb35

#29
It would be great for this to support issuance of multiple hostnames for jails,
Multiple hostnames are easy, just add them to the acme.sh issue command with additional -d flags. And once you've issued that cert, the same cron job will renew it. Although really, you probably want separate certs for each jail, so issue them separately--the cron job will still take care of renewal. The issue is with installing the newly-issued cert in the various jails, and that's probably best handled with the --post-hook or related flags.
 
Joined
Feb 11, 2015
Messages
7
Thanks
0
#30
I wrote a second cron that also creates the passworded certificate format needed for plex
Note also that acme.sh can do this natively too:
Code:
acme.sh --toPkcs -d plex_fqdn.example.com --password Pa$$w0rd123
You can have acme.sh carry out these secondary commands automatically without needing a second cron job. Access the directory where the certs are generated, and you will find a file 'plex_fqdn.example.com.conf' - just edit this to refer to whatever scripts you need as per https://github.com/Neilpang/acme.sh...post-hook',-'--renew-hook'-and-'--reload-cmd'
Then call the cron command with --force to update the certificates.
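As an added example (not code from the thread, from acme.sh or from the deploy script), here is a hook that the --reloadcmd / --post-hook mechanism described in #29 and #30 could run instead of the second cron job in #28. It builds the PKCS#12 bundle for Plex, keeps the export password out of the command line (where pass: leaves it visible in ps output and shell history), checks that the key matches the certificate and that the bundle reads back, and only then swaps it into the jail. It assumes openssl is on PATH; the password file path, jail path and hostname are placeholders.

```shell
#!/bin/sh
# Added example, not part of the thread or of acme.sh. Intended to be called by
# acme.sh as: --reloadcmd "/root/plex_hook.sh plex_fqdn"  (path is an assumption)
set -eu

# build_pfx KEY FULLCHAIN PASSFILE DEST
#   Leaves DEST in place only if the bundle was built and verified.
build_pfx() {
    key=$1; chain=$2; passfile=$3; dest=$4
    # Refuse a password file that other users on the host can read
    # (stat -c is GNU/Linux, stat -f %Lp is FreeBSD as on FreeNAS).
    perms=$(stat -c %a "$passfile" 2>/dev/null || stat -f %Lp "$passfile")
    case $perms in
        600|400) ;;
        *) echo "refusing: $passfile is mode $perms, want 600" >&2; return 1 ;;
    esac
    # The key must belong to the leaf certificate, or Plex will reject the bundle.
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl md5)
    cpub=$(openssl x509 -in "$chain" -pubkey -noout | openssl md5)
    [ "$kpub" = "$cpub" ] || { echo "refusing: key does not match certificate" >&2; return 1; }
    tmp="$dest.tmp.$$"
    # -passout file: reads the first line of the file; nothing appears in argv.
    openssl pkcs12 -export -inkey "$key" -in "$chain" \
        -passout "file:$passfile" -out "$tmp" || { rm -f "$tmp"; return 1; }
    # Read the bundle back with the same password before it goes live.
    openssl pkcs12 -in "$tmp" -nokeys -passin "file:$passfile" >/dev/null \
        || { rm -f "$tmp"; return 1; }
    chmod 600 "$tmp"
    mv -f "$tmp" "$dest"   # atomic replace: a half-written file is never installed
}

# When invoked with the domain as its only argument, use acme.sh's default
# cert directory (/root/.acme.sh/<domain>/) and the jail path from the thread.
if [ $# -eq 1 ]; then
    dom=$1
    build_pfx "/root/.acme.sh/$dom/$dom.key" "/root/.acme.sh/$dom/fullchain.cer" \
        /root/plex_pfx_password \
        "/path/to/jails/plexmediaserver_1/root/certificate.pfx"
fi
```

The password file is created once with `chmod 600`, and the same password goes into Plex's settings as before.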
 

danb35

#31
Major update to the script today--its configuration has been broken out into a separate config file, so that you can update the script using git pull without losing your configuration. See the update for more details.
 
Joined
Jan 25, 2017
Messages
17
Thanks
1
#32
So is standalone still not supported? I just followed your guide and I get a prompt to install socat.
 

danb35

#33
I really need to update this. Standalone mode will only work in a jail due to the need for socat.
 
Joined
Jan 25, 2017
Messages
17
Thanks
1
#34
Got it! Thanks!
 
Joined
Nov 7, 2017
Messages
14
Thanks
0
#35
when I try to run
Code:
.acme.sh/acme.sh --issue -d fqdn_of_freenas_box --dns dns_cf --reloadcmd "/path/to/deploy_freenas.py"
I get this msg "It seems that fqdn_of_freenas_box is an IDN( Internationalized Domain Names), please install 'idn' command first."

Can anyone help me? Thank you!
 
Joined
Jan 25, 2017
Messages
17
Thanks
1
#36
when I try to run
Code:
.acme.sh/acme.sh --issue -d fqdn_of_freenas_box --dns dns_cf --reloadcmd "/path/to/deploy_freenas.py"
I get this msg "It seems that fqdn_of_freenas_box is an IDN( Internationalized Domain Names), please install 'idn' command first."

Can anyone help me? Thank you!
I made the same mistake at first. Remember to replace fqdn_of_freenas_box with your domain that you use for freenas ex: freenas.example.com except something you actually own.
 
Joined
Nov 7, 2017
Messages
14
Thanks
0
#37
I made the same mistake at first. Remember to replace fqdn_of_freenas_box with your domain that you use for freenas ex: freenas.example.com except something you actually own.
Thank you! Now it's telling me:
[Mon Nov 5 02:15:19 -03 2018] Please install socat tools first.
[Mon Nov 5 02:15:19 -03 2018] _on_before_issue.

Do you know how I can install socat tools?
 

danb35

#38
Joined
Feb 27, 2014
Messages
27
Thanks
1
#39
This is awesome, thank you @danb35! One question - I'm running in standalone mode in a jail, which works like a champ, but that means, of course, that the certs needed live in the jail once that process is complete. Do I just symlink the certs from the jail into the host system for deploy_freenas.py to work properly, or is there a cleaner way to handle this?
 
Joined
Feb 27, 2014
Messages
27
Thanks
1
#40
This is awesome, thank you @danb35! One question - I'm running in standalone mode in a jail, which works like a champ, but that means, of course, that the certs needed live in the jail once that process is complete. Do I just symlink the certs from the jail into the host system for deploy_freenas.py to work properly, or is there a cleaner way to handle this?
Disregard! I found the bits in deploy_config. Nice.
 