
Let's Encrypt with FreeNAS 11.1 and later 0.3

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
Well, that isn't at all how this script is intended to be used, but it should work. Again, you don't need to issue the cert to test out the script; just run the script itself. If you're running it in a jail, you'll need to set connect_host to the IP address of your FreeNAS server, and cert/key paths will need to be as the files are seen within the jail.
 

João Dalvi

Dabbler
Joined
Jan 17, 2014
Messages
15
I issue certificates on my pfSense box, and then deploy them through SSH to the other servers. I managed to do that perfectly for every server (Ubuntu, ESXi, Plesk), but I can't make it work on FreeNAS. This script seems to be perfectly able to do that, but pfSense only has Python 2.7. Is it possible to port this script to Python 2.7 easily, or will I just waste my time if I try to do that? I mean, will the libs imported work on Python 2.7, are they available on pfSense, etc.? Or even better, if someone just knows how I can copy the certificate files into the FreeNAS DB directly from the pfSense box through SSH?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
Is it possible to port this script to python 2.7 easily
IIRC, the only difference is in the print() statements--Python 3 is gratuitously incompatible with Python 2, so the same syntax won't work with both.
 

João Dalvi

Dabbler
Joined
Jan 17, 2014
Messages
15
OK, but can I import the same libraries the script imports with no issue? Because if it is so, if I just change the syntax to python 2.7 it should work, right?
 
Joined
Dec 9, 2016
Messages
6
I have the script set up and working with my domain validation and what not, and all was good for a renew or two, but now I'm running into issues. Upon running the script with an outdated cert, I watched it update the cert, but it errors out when importing the cert.

Error importing certificate!
<Response [401]>

Anyone know why this would be happening? Or what logs to check to see what's really happening?
 

Stefan1970

Cadet
Joined
Dec 2, 2015
Messages
6
The latest commit gives an error:

Code:
root@storage:~ # /mnt/tank/scripts/deploy-freenas/deploy_freenas.py     
Certificate import successful
Certificate list successful
Setting active certificate successful
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/urllib3/connection.py", line 141, in _new_conn
    (self.host, self.port), self.timeout, **extra_kw)
  File "/usr/local/lib/python3.6/site-packages/urllib3/util/connection.py", line 83, in create_connection
    raise err
  File "/usr/local/lib/python3.6/site-packages/urllib3/util/connection.py", line 73, in create_connection
    sock.connect(sa)
ConnectionRefusedError: [Errno 61] Connection refused

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 601, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 346, in _make_request
    self._validate_conn(conn)
  File "/usr/local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 850, in _validate_conn
    conn.connect()
  File "/usr/local/lib/python3.6/site-packages/urllib3/connection.py", line 284, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python3.6/site-packages/urllib3/connection.py", line 150, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
urllib3.exceptions.NewConnectionError: <urllib3.connection.VerifiedHTTPSConnection object at 0x807ebf198>: Failed to establish a new connection: [Errno 61] Connection refused

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/requests/adapters.py", line 440, in send
    timeout=timeout
  File "/usr/local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 639, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python3.6/site-packages/urllib3/util/retry.py", line 388, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='storage.XXX.net', port=443): Max retries exceeded with url: /api/v1.0/services/ftp/ (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x807ebf198>: Failed to establish a new connection: [Errno 61] Connection refused',))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/mnt/tank/scripts/deploy-freenas/deploy_freenas.py", line 142, in <module>
    "ftp_ssltls_certfile": cert,
  File "/usr/local/lib/python3.6/site-packages/requests/api.py", line 126, in put
    return request('put', url, data=data, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/requests/api.py", line 58, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/requests/sessions.py", line 508, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python3.6/site-packages/requests/sessions.py", line 618, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/requests/adapters.py", line 508, in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='storage.XXX.net', port=443): Max retries exceeded with url: /api/v1.0/services/ftp/ (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x807ebf198>: Failed to establish a new connection: [Errno 61] Connection refused',))


Certificate is imported in the web GUI and working. It doesn't matter whether I have the FTP plugin enabled or disabled. I've commented out that part of the code and it works.

Strange thing is, if I manually visit https://storage.XXX.net/api/v1.0/services/ftp/ and enter my credentials, it works.
 

ykhodo

Explorer
Joined
Oct 19, 2017
Messages
52
@danb35 can I delete my deploy_config after the initial run? I'm wary of keeping the password in plaintext on disk.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
can I delete my deploy_config after the initial run?
No, it must be there every time the script runs. You can set it to only be readable by root, but I think that's the best you can do.

Maybe some day in the future FreeNAS will support access to the web GUI by multiple users, with ACLs, so you could set up a limited user whose only access would be to make this change--but that's a hopeful-future thing, not a current thing.
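Since deploy_config must stay on disk with the root password in it, the practical control is the one Dan describes: make the file readable only by root. The following is an added example, not code from the deploy-freenas script, showing how a deploy run could refuse to start when the config is readable by anyone else (the same rule ssh applies to private keys) and how to tighten the mode. The config path /root/deploy-freenas/deploy_config is an assumption based on the script path quoted later in this thread.

```python
"""Added example (not part of the deploy-freenas script): gate a deploy run on
the permissions of deploy_config, and tighten them on request."""
import os
import stat

# Assumed location, next to the script path quoted in this thread.
DEFAULT_CONFIG = "/root/deploy-freenas/deploy_config"


def config_exposure(path):
    """Report who can read the config file without changing anything."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    return {
        "mode": mode,
        "owner_is_root": st.st_uid == 0,
        "group_readable": bool(mode & stat.S_IRGRP),
        "world_readable": bool(mode & stat.S_IROTH),
        # No group/other bits at all: only the owner can read or write it.
        "private": (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0,
    }


def harden_config(path):
    """Drop every group/other bit (mode 0600). Ownership is left to chown,
    which only root can perform anyway."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return config_exposure(path)


def assert_private_config(path):
    """Raise instead of reading a config that other local users can read.
    Returns the exposure report when the file is acceptable."""
    info = config_exposure(path)
    if not info["private"]:
        raise PermissionError(
            "%s is readable by group/other (mode %o); run chmod 600 on it"
            % (path, info["mode"])
        )
    return info


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_CONFIG
    print(assert_private_config(target))
```

Run it as `python3 check_config.py /path/to/deploy_config` before the deploy step; a non-zero exit from the PermissionError stops the cron job before the password is ever read. The owner check is reported separately from the mode check because a non-root owner with mode 0600 still means that user can read the password.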
 

mapcevn

Dabbler
Joined
Jul 10, 2019
Messages
40
I have a domain registered at GoDaddy which is myfqdn.com and I would like to use it to login securely to my FreeNAS 11.2-U5 box.

I followed the guide as below:

bash
export GD_Key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
export GD_Secret="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
.acme.sh/acme.sh --issue -d freenas.myfqdn.com --dns dns_gd --reloadcmd "/root/deploy-freenas/deploy_freenas.py"

The acme complained something about the installation of socat, but I ignored it as I don't use the HTTP challenge. I can see the Let's Encrypt certificate in FreeNAS, however the https below won't work:
https://freenas.myfqdn.com/ui/sessions/signin


What am I missing here?
 

mapcevn

Dabbler
Joined
Jul 10, 2019
Messages
40
I've just tried to forward the port 443 to my FreeNAS box, that link works. However, it is not what I want to do as I don't want to expose my box to the internet that way.

How do I use that https login locally without using port-forwarding?
 

mapcevn

Dabbler
Joined
Jul 10, 2019
Messages
40
Ohh, never mind, I solved it. It works perfectly now.
What I did was I added the below line
192.168.1.123 freenas.myfqdn.com
into the file hosts in folder Windows\System32\Drivers\etc\
Thank you for the amazing script! Cheers
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
However you make it work, the FQDN you used for the cert needs to resolve (inside your LAN) to your FreeNAS box. Adding the entry to your hosts file is one way to do it; a better way to do it (if your router supports it) is to make a DNS entry on your router for use on your LAN.
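The check behind Dan's point is simple: does the name on the certificate resolve, from inside the LAN, to the FreeNAS box's LAN address? The following is an added example (not from the script or the thread) that resolves a name either from hosts-file text, so the test runs offline, or through the system resolver, so it can be used on a client to confirm that a hosts entry or router DNS record took effect. The SAMPLE_HOSTS text is constructed, based on the hosts line mapcevn posted.

```python
"""Added example (not the deploy-freenas script): verify that a certificate's
FQDN resolves to the LAN address of the FreeNAS box."""
import socket


def parse_hosts(text):
    """Map every hostname and alias in hosts(5)-style text to its address.
    Comments and blank lines are skipped; the first entry for a name wins,
    which matches how the resolver walks /etc/hosts."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        for name in names:
            mapping.setdefault(name.lower(), addr)
    return mapping


def resolve_fqdn(fqdn, hosts_text=None):
    """Return the address fqdn resolves to, or None.
    With hosts_text, resolve offline from that text; otherwise ask the
    system resolver (which itself consults /etc/hosts, then DNS)."""
    if hosts_text is not None:
        return parse_hosts(hosts_text).get(fqdn.lower())
    try:
        return socket.gethostbyname(fqdn)
    except socket.gaierror:
        return None


def fqdn_points_to(fqdn, expected_ip, hosts_text=None):
    """True only if fqdn resolves to the expected LAN address. A name that
    resolves to the WAN address instead is the situation in this thread:
    the link only works once port 443 is forwarded."""
    return resolve_fqdn(fqdn, hosts_text) == expected_ip


# Constructed sample hosts content, mirroring the line posted above.
SAMPLE_HOSTS = """# local overrides (constructed sample)
127.0.0.1     localhost
192.168.1.123 freenas.myfqdn.com freenas   # FreeNAS box on the LAN
10.0.0.9      freenas.myfqdn.com           # ignored: first entry wins
"""

if __name__ == "__main__":
    import sys

    name, lan_ip = sys.argv[1], sys.argv[2]
    print(name, "->", resolve_fqdn(name), "ok" if fqdn_points_to(name, lan_ip) else "MISMATCH")
```

On a client, `python3 check_fqdn.py freenas.myfqdn.com 192.168.1.123` prints the address the name currently resolves to, which makes the difference between "hosts entry on this PC" and "DNS record on the router" visible: the hosts entry only fixes the machine it is on, while a router record fixes every client that uses the router for DNS.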
 

mapcevn

Dabbler
Joined
Jul 10, 2019
Messages
40
Hi Dan, that's a great suggestion, thank you. However, I'm not sure how I can do it. I SSHed into my router, which is an ASUS DSL-AC68U with stock firmware, and added that line into the hosts file in the folder /tmp/etc/, but it didn't work. I restarted the modem, and then that line disappeared!
What is the right way to modify my modem to make this trick work?
 

mapcevn

Dabbler
Joined
Jul 10, 2019
Messages
40
Certificate is imported in the webgui and working. Doesn't matter if I've the ftp plugin enabled or disabled. I've commented out that part of the code and it works.

Strange thing is, if I manually visit https://storage.XXX.net/api/v1.0/services/ftp/ and enter my credentials, it works.

I've just tried this ftp link, I can confirm that this link works. This is a HUGE security risk!!!

Hi Dan, can you please look at this issue?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
What is the right way to modify my modem to make this trick work?
Well, to not modify your modem. If it supports acting as a local DNS server, with individual host entries, do it that way--that's what I do on my pfSense router. If it doesn't, the hosts file you'd need to modify would be on any client devices.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
I've just tried this ftp link, I can confirm that this link works. This is a HUGE security risk!!!
What is the security risk you're seeing? Browsing to that page gives you the system's FTP service configuration in JSON format, once you've entered root credentials.
 

mapcevn

Dabbler
Joined
Jul 10, 2019
Messages
40
What is the security risk you're seeing? Browsing to that page gives you the system's FTP service configuration in JSON format, once you've entered root credentials.
My apologies, it was a wrong statement. Given that my FreeNAS box is behind my router's firewall, that FTP login is no riskier than the normal login using the box's local IP address. If the box were exposed to the internet by either port-forwarding or placing it in the DMZ, it would carry the same risk too.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
If the box were exposed to the internet by either port-forwarding or placing in the DMZ, it would have the same risk too.
I'm still not seeing the security issue here (and whatever it is, it has nothing whatsoever to do with my script as far as I can see). That link is an API call. Anyone who can reach that (read-only) link can reach the web GUI, and anyone who can authenticate has root credentials. The security risk is having the web GUI exposed, not (as such) having an API endpoint accessible.
 

Juppers

Dabbler
Joined
Mar 19, 2017
Messages
11
This isn't saved if you change to a new boot device and restore your configuration from a backup. /root is not a good place for this, it could be wiped out many ways.
 