
Let's Encrypt with FreeNAS 11.1 and later 0.3

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,458
In addition to adjusting the paths in deploy_config, you could just run the script from inside the jail. Or mount storage to the jail, so that it can see /root/.acme.sh/. Or, as you mentioned, create symlinks there for the script to see. Lots of ways to skin this cat.
 

Darren David

Explorer
Joined
Feb 27, 2014
Messages
51
Does running the script within the jail do what it needs to do with the higher-level system processes (i.e. installing the scripts in the right place so the system knows how to use them?) or is it contained within the jail? I guess I'm not actually sure what the deploy_freenas.py script does that requires the root password, and am assuming that running it all within the jail means that the rest of the system won't have access to the certs (e.g. the deploy_freenas.py script fails at the end when running in the jail)

Maybe a better question is what the difference is between acme.sh and deploy_freenas.py?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,458
Maybe a better question is what the difference is between acme.sh and deploy_freenas.py?
acme.sh is the ACME client that obtains the cert from Let's Encrypt. deploy_freenas.py deploys that cert to your FreeNAS installation using the FreeNAS API.
Does running the script within the jail do what it needs to do with the higher-level system processes
Yes--you just need to tell the script how to reach your FreeNAS installation. If you're running the script on FreeNAS directly (i.e., not in a jail), that would be at "http://localhost"; in a jail, you'd substitute the IP address for your FreeNAS server.
 

Toast

Dabbler
Joined
Jun 17, 2014
Messages
16
Pretty new to this. What web hosting service is recommended that uses the ACME challenge? A web host service is needed for my new domain name, correct?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,458
A web host service is needed for my new domain name correct?
No, you don't need a web host. A web host is when you want to put a web site on a remote server, while you aren't hosting anything remotely. You need a domain name and DNS service--ideally, DNS service with an API that's supported by acme.sh.

I use easydns.com for my domain registrar, and Cloudflare for DNS service. EasyDNS will give you the DNS service for free, but they don't have an API. Cloudflare is also free (at least for personal use), and has a well-supported API. Cost for going this route will be about $15/year for the domain. I don't think this would be too practical unless you have a static IP address, though.

If you don't have a static IP address, you'll probably want to use a dynamic DNS service, and I don't have any recent experience with any of them. I'd compare what you find with a Google (or search engine of choice) search for "free dynamic DNS" with the supported APIs for acme.sh and try to find one with a supported API.
 

Toast

Dabbler
Joined
Jun 17, 2014
Messages
16
Thank you for putting me on the right path. I'll check it out tonight.
 

txr13

Cadet
Joined
Mar 30, 2016
Messages
5
A somewhat more technical question... I'm looking at the deploy-freenas script, and I see the call to set the certificate active for the GUI.

I was hoping to extend the script to also set the same certificate active for FTP/S. The documentation at https://www.ixsystems.com/documentation/freenas/11.2/services.html#ftp-config-opts-tab indicates that a certificate can be selected in a drop-down menu, after importing it within System. However, the API documentation for FTP at http://api.freenas.org/resources/services.html#id11 indicates that the ftp_ssltls_certfile parameter accepts a certificate and private key, not a reference to an existing certificate which has already been imported.

Any ideas on how to make this work smoothly? I'm hoping I don't have to import the certificate twice. It also seems odd that the GUI offers a drop-down containing existing certificates, but the API requires you to upload a certificate directly into FTP every time you want to change the certificate selection.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,458
Short answer is I don't know, because I haven't messed with it before. But I'm noticing a few strange things when I look at my 11.1-U5 installation (and the same appears to be true in 11.2-RC2):
  • The drop-down to choose the cert is on the "normal" settings panel, but the checkbox to enable TLS is on the "advanced" page.
  • There's no logic in the GUI to stop you if you choose no certificate but have TLS enabled--it just breaks the FTP service.
  • Listing the ftp resource doesn't actually include the ftp_ssltls_certfile parameter:
Code:
root@freenas11[~]# curl --anyauth -u root:password http://localhost/api/v1.0/services/ftp/ | python -m json.tool
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  1096    0  1096    0     0  39142      0 --:--:-- --:--:-- --:--:-- 39142
{
    "ftp_anonpath": "/mnt/tank",
    "ftp_anonuserbw": 0,
    "ftp_anonuserdlbw": 0,
    "ftp_banner": "",
    "ftp_clients": 5,
    "ftp_defaultroot": true,
    "ftp_dirmask": "022",
    "ftp_filemask": "066",
    "ftp_fxp": false,
    "ftp_ident": false,
    "ftp_ipconnections": 2,
    "ftp_localuserbw": 0,
    "ftp_localuserdlbw": 0,
    "ftp_loginattempt": 1,
    "ftp_masqaddress": "",
    "ftp_onlyanonymous": false,
    "ftp_onlylocal": false,
    "ftp_options": "",
    "ftp_passiveportsmax": 0,
    "ftp_passiveportsmin": 0,
    "ftp_port": 21,
    "ftp_resume": false,
    "ftp_reversedns": false,
    "ftp_rootlogin": false,
    "ftp_timeout": 600,
    "ftp_tls": true,
    "ftp_tls_opt_allow_client_renegotiations": false,
    "ftp_tls_opt_allow_dot_login": false,
    "ftp_tls_opt_allow_per_user": false,
    "ftp_tls_opt_common_name_required": false,
    "ftp_tls_opt_dns_name_required": false,
    "ftp_tls_opt_enable_diags": false,
    "ftp_tls_opt_export_cert_data": false,
    "ftp_tls_opt_ip_address_required": false,
    "ftp_tls_opt_no_cert_request": false,
    "ftp_tls_opt_no_empty_fragments": false,
    "ftp_tls_opt_no_session_reuse_required": false,
    "ftp_tls_opt_stdenvvars": false,
    "ftp_tls_policy": "on",
    "id": 1
}

 

txr13

Cadet
Joined
Mar 30, 2016
Messages
5
Short answer is I don't know, because I haven't messed with it before. But I'm noticing a few strange things when I look at my 11.1-U5 installation (and the same appears to be true in 11.2-RC2):

Hmm. Well, I have my hardware configuration ready to install 11.2-RELEASE when it drops, so I suppose I'll have to see about doing some more testing at that time. Sounds like it might be a bug, though... Thanks for taking a look at it!
 

PrincePaul

Patron
Joined
Feb 26, 2012
Messages
225
Anyone tested it with 11.2 already?

I'm using nsupdate, which has a supported API, but I'm already stuck at the first step in the README for ACME with nsupdate:
"First, generate a key for updating the zone." Does anyone have that running? Because I guess we have a different file path with FreeNAS than mentioned on GitHub.

Does someone have a hint for me? ;)
Thanks in advance.
 

adrianwi

Guru
Joined
Oct 15, 2013
Messages
1,231
Firstly, thanks for the write-up and scripts. I came looking for a solution as the self-signed cert I was happily using in 11.1 and before doesn't seem to work on iOS devices in 11.2.

I have a jail which I use as a reverse-proxy and where I also create all my letsencrypt certs using certbot. I've added a DNS A record for one of my domains, and created the certificate using certbot, but was wondering how to launch the script as part of the auto-renewal. I can't see anything in the certbot documentation that lets me call another script after checking the renewals.

Any ideas, or would it be easier just to schedule the freenas_deploy script every 3 months?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,458
Check the certbot docs, but there's definitely a way to run commands after renewal succeeds--perhaps it's --renew-hook.

Edit: No, looks like it's --deploy-hook instead. That will run a command after successfully renewing a cert, which is what you'd want here. The other option would be --post-hook, which would run a command after every renewal check--you wouldn't want that, as that'd result in re-deploying the same cert every day until a new one was issued.
 

gary_1

Explorer
Joined
Sep 26, 2017
Messages
78
I use lexicon-hook.sh with dehydrated to run domain-specific commands to activate generated certs. There's an example on my website https://www.mups.co.uk/post/2017/10/freenas-jails-and-lets-encrypt/

I've updated the original Python script I had on there to work with the FreeNAS 11.2 API and incorporated some of dan's modifications from earlier in this thread too. With the above setup, I can generate certs for any domains I want; the jails eventually pick up on those new certs, or in the case of FreeNAS the lexicon hook installs the cert and restarts the UI, etc.

One downside is that if you don't have SSL working, you'll need to edit the protocol to http:// for the initial run or manually upload the first cert. After that, access over SSL should work fine.
 

adrianwi

Guru
Joined
Oct 15, 2013
Messages
1,231
Thanks for the suggestions. My reverse-proxy jail and certbot renewals have been working really well for some months now, and I have about 9-10 certificates that renew automatically. I'll need to find something that triggers the freenas_deploy.sh when the freenas.domain.com certificate renews but not the others. I'll keep reading through the certbot docs...
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,458
I'll need to find something that triggers the freenas_deploy.sh when the freenas.domain.com certificate renews but not the others.
The deploy-hooks are unique to each cert. So, certbot certonly -d freenas.yourdomain --deploy-hook /path/to/deploy_freenas.py (with whatever other parameters you need for issuance) should do the job--the deploy_freenas script will only run when that cert is renewed.
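Putting the two answers above together (acme.sh or certbot obtains the cert and a separate script pushes it to FreeNAS over the API; a certbot deploy hook fires only for the lineage that actually renewed), here is an added example that is not the resource's deploy_freenas.py nor any poster's code. It is a deploy hook that exits quietly unless RENEWED_DOMAINS, which certbot exports to deploy hooks together with RENEWED_LINEAGE, names the FreeNAS host, and otherwise imports fullchain.pem and privkey.pem from that lineage through the FreeNAS v1.0 API and makes the result the GUI certificate. The endpoint paths, field names and the ?limit=0 query are assumptions based on how deploy-freenas.py drives the v1.0 API; the target domain, FreeNAS URL and password file are placeholders.

```python
"""Certbot deploy hook for FreeNAS: deploy only when the FreeNAS lineage renews.

Added example, not the resource's deploy_freenas.py. Endpoint and field names
are assumed from the FreeNAS 11.x v1.0 REST API as deploy-freenas.py drives it;
TARGET_DOMAIN, FREENAS_URL and PASSWORD_FILE are placeholders.
"""
import base64
import json
import os
import sys
import urllib.request
from datetime import date

TARGET_DOMAIN = "freenas.yourdomain"       # placeholder: the FQDN on the FreeNAS cert
FREENAS_URL = "http://192.168.1.10"       # placeholder: http://localhost on FreeNAS itself,
                                          # the FreeNAS IP when the hook runs in a jail
PASSWORD_FILE = "/root/.freenas_root_pw"  # placeholder: root password, keep it mode 0600


def renewed_domains(env):
    """certbot exports RENEWED_DOMAINS to deploy hooks as a space-separated list."""
    return env.get("RENEWED_DOMAINS", "").split()


def should_deploy(env, target=TARGET_DOMAIN):
    """A hook in /etc/letsencrypt/renewal-hooks/deploy/ runs for every renewed
    lineage, so filter on the domain list to leave the other certs alone."""
    return target in renewed_domains(env)


def build_import_payload(fullchain_pem, privkey_pem, when=None):
    """Body for POST /api/v1.0/system/certificate/import/ (assumed field names).
    Dating the name means each renewal imports a new certificate object rather
    than overwriting the one the GUI is currently serving."""
    when = when or date.today()
    return {
        "cert_name": "letsencrypt-" + when.strftime("%Y%m%d"),
        "cert_certificate": fullchain_pem,
        "cert_privatekey": privkey_pem,
    }


def find_cert_id(listing, name):
    """Resolve the id FreeNAS assigned to the imported cert from the GET listing."""
    for entry in listing:
        if entry.get("cert_name") == name:
            return entry["id"]
    raise LookupError("certificate %s not found after import" % name)


def api(base, password, path, method="GET", body=None):
    """One JSON call with HTTP basic auth as root (the v1.0 API user)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base + path, data=data, method=method)
    token = base64.b64encode(("root:" + password).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def deploy(lineage_dir, base=FREENAS_URL, password_file=PASSWORD_FILE):
    """Import fullchain.pem/privkey.pem from the lineage, select it as the GUI
    certificate and restart the web UI. Returns the new certificate id."""
    with open(os.path.join(lineage_dir, "fullchain.pem")) as f:
        fullchain = f.read()
    with open(os.path.join(lineage_dir, "privkey.pem")) as f:
        privkey = f.read()
    with open(password_file) as f:
        password = f.read().strip()

    payload = build_import_payload(fullchain, privkey)
    api(base, password, "/api/v1.0/system/certificate/import/", "POST", payload)
    # ?limit=0 is assumed to disable the default page size of the listing,
    # so the newly imported cert is present even with many certs installed.
    listing = api(base, password, "/api/v1.0/system/certificate/?limit=0")
    cert_id = find_cert_id(listing, payload["cert_name"])
    api(base, password, "/api/v1.0/system/settings/", "PUT",
        {"stg_guicertificate": cert_id})
    api(base, password, "/api/v1.0/system/settings/restart-httpd/", "POST")
    return cert_id


if __name__ == "__main__":
    # Some other lineage renewed: exit 0 so certbot does not report a hook failure.
    if not should_deploy(os.environ):
        sys.exit(0)
    deploy(os.environ["RENEWED_LINEAGE"])
```

Saved executable under /etc/letsencrypt/renewal-hooks/deploy/, this runs after every successful renewal with no per-certificate --deploy-hook argument; from a jail, point FREENAS_URL at the FreeNAS IP as described earlier in the thread. Two caveats: the jail needs python3 installed, and basic auth sends the root password in the clear, so once the first certificate is in place switch the URL to https://.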
 

Randy Smyth

Dabbler
Joined
Apr 9, 2017
Messages
21
I have been able to install and receive the certificate in 11.2; where I have an issue is trying to use the deploy_freenas.py script to deploy the cert. Probably because I'm still new to all this.

I receive a message of "The deploy hook deploy_freenas.py is not found." yet it is in the very folder I am in. If I do an "ls" command it is there, but when I try to run it, either directly or called from an acme command, I get file not found.

Any idea what I'm doing wrong?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,458
The deploy hook deploy_freenas.py is not found." yet it is in the very folder I am in.
When you specify the deploy hook, you should give the full path to the script. Similarly, if you're running it from the command line, either give the full path, or if you're in the same directory as the script, run ./deploy_freenas.py.
 

Randy Smyth

Dabbler
Joined
Apr 9, 2017
Messages
21
danb35
Thanks for the reply.
I should have stated I had tried all those. I can be in the same directory and run the exact command you state and I get the same "no file or folder".
I've tried setting it to 777 permissions.

root@nextcloud_2:~ # ls -l deploy_freenas.py
-rwxrwxrwx 1 root wheel 4055 Jan 20 08:56 deploy_freenas.py

Here's an example cut/paste from the FreeNAS shell:
root@nextcloud_2:~ # ls deploy_freenas.py
deploy_freenas.py
root@nextcloud_2:~ # ./deploy_freenas.py
env: python3: No such file or directory
root@nextcloud_2:~ #

Using terminal instead of shell, I get the following response when I try to run it:
Traceback (most recent call last):
  File "./deploy_freenas.py", line 58, in <module>
    with open(PRIVATEKEY_PATH, 'r') as file:
FileNotFoundError: [Errno 2] No such file or directory: '/root/.acme.sh/jaret.dynu.net/jaret.dynu.net.key'

But the file "jaret.dynu.net.key" is clearly in the "/root/.acme.sh/jaret.dynu.net" folder... so I'm confused.

Edit: OK, found the issue with the key file locations in the deploy-config file. Having a leading /root/ in the path was killing it.
Now I have other issues and have exceeded the number of tries. Will try after the timeout resets.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,458
Now I have other issues and have exceeded the number of tries
There's no need to reissue the cert every time you try the deploy script. But why are you running the script in your Nextcloud jail?
 

Randy Smyth

Dabbler
Joined
Apr 9, 2017
Messages
21
I installed nextcloud, and let's encrypt all in a single jail based upon previous tutorials on this site.
 