Stuck Deploying Certs using scripts for HTTPS

endnot

Dabbler
Joined
Feb 6, 2019
Messages
33
I am following the instructions for "Let's Encrypt with FreeNAS 11.1 and later 0.3" from the advanced resources. However I cannot get https: to work.
I can see the certs and keys that are created in the acme directories.
This appears to fail when the deploy_freenas.py tries to execute.
I included the steps I followed to see if there is something I am just missing. Is there something about my Freenas setup that I am missing?


Installed acme.sh using "curl https://get.acme.sh | sh" cloned the github for deploy-freenas created the deploy.config with password only. bash export CF_Key="fkjflakjfalfjal;fjkaflasjfalfjalfjalfajflaja;ld" export CF_Email="me@gmail.com" .acme.sh/acme.sh --issue -d www.mydomain.com --dns dns_cf --reloadcmd " ~/deploy-freenas/deploy_freenas.py"
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456

endnot

Dabbler
Joined
Feb 6, 2019
Messages
33
when it first ran. The error was "Reload error for :"
However 4 files were generated: *.conf; *.csr; *csr.conf; and *.key

If i just try to run . ~/deploy-freenas/deploy_freenas.py
bash:
Import and activate a SSL/TLS certificate into FreeNAS 11.1 or later
Uses the FreeNAS API to make the change, so everything's properly saved in the config database and captured in a backup.

Requires paths to the cert (including the any intermediate CA certs) and private key, and username, password, and FQDN of your FreeNAS system.

Your private key should only be readable by root, so this script must run with root privileges. And, since it contains your root password, this script itself should only be readable by root.

Source: https://github.com/danb35/deploy-freenas
: No such file or directory
bash: import: command not found
bash: import: command not found
bash: import: command not found
bash: import: command not found
bash: import: command not found
bash: import: command not found
bash: import: command not found
bash: import: command not found
from: can't read /var/mail/datetime
from: can't read /var/mail/urllib3.exceptions
bash: /root/deploy-freenas/deploy_freenas.py: line 28: syntax error near unexpected token `category=InsecureRequestWarning'
bash: /root/deploy-freenas/deploy_freenas.py: line 28: `requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)'
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
If i just try to run . ~/deploy-freenas/deploy_freenas.py
The leading period is resulting in bash trying to interpret the script data, rather than Python, hence all the errors you're seeing. Try running it with /root/deploy-freenas/deploy_freenas.py.
 

endnot

Dabbler
Joined
Feb 6, 2019
Messages
33
Interesting. After changing the permissions to make the file executable, I was able to run it with this output: Traceback (most recent call last): File "/root/deploy-freenas/deploy_freenas.py", line 58, in <module> with open(PRIVATEKEY_PATH, 'r') as file: FileNotFoundError: [Errno 2] No such file or directory: '/root/.acme.sh/freenas.local/freenas.local.key'

I checked and there is not a freenas.local path or *.key . Assume this is generated when acme.sh runs and comes from lets encrypt. If that is true, then I may be stuck for a few days......

Thanks for your help BTW.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
I checked and there is not a freenas.local path or *.key
No, there wouldn't be--freenas.local isn't a valid Internet domain name. If FreeNAS isn't configured to use your FQDN, you'll need to configure it in the deploy_config file with the cert_fqdn setting.
 

endnot

Dabbler
Joined
Feb 6, 2019
Messages
33
I have edited the config file to
Code:
password = YourReallySecureRootPassword
cert_fqdn = www.mydomain.com  ## 
#connect_host = baz.bar.foo
verify = false
protocol = https://
port = 443


Rerunning deploy_freenas.py

I receive an error for the fullchain path. I don't know what the fullchain.cer is.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
I don't know what the fullchain.cer is.
fullchain.cer should be created in /root/.acme.sh/your_fqdn/. It consists of your server certificate and the intermediate CA certificate in a single file.
 

endnot

Dabbler
Joined
Feb 6, 2019
Messages
33
Thanks.
I only have the 4 files there. fqdn.conf, fqdn.csr, fqdn.csr.conf and fqdn.key
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
I only have the 4 files there. fqdn.conf, fqdn.csr, fqdn.csr.conf and fqdn.key
So you never got the cert in the first place. Are you using Cloudflare for your DNS hosting? Did you use the Global API key? Did you use the email address associated with your Cloudflare account?
 

endnot

Dabbler
Joined
Feb 6, 2019
Messages
33
Yes, I used the Cloudflare global API key and email. I have confirmed that they are correctly documented in the account.conf in acme.sh.
Is there a way that I could manually create it. Could this be related to how setup my DNS records(a, mx, aaaa) at Cloudflare?
 
Last edited:

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
Is there a way that I could manually create it
No, Let's Encrypt certs can only be done through a client application of some sort. What's the complete output (in code tags) of the entire issue command? When you run it, the --reloadcmd should use the absolute path, not the ~ path.
 

endnot

Dabbler
Joined
Feb 6, 2019
Messages
33
When you run it, the --reloadcmd should use the absolute path, not the ~ path.

So while trying to figure out the issue with the reloadcmd. (which you showed me how to correct the path name). I have used up my requests with from Let's Encrypt running the acme.sh command for the next few days. During my troubleshooting attempts, I deleted the fqdn directories. I kept screen captures for the first attempt to deploy and after review, I see that the cert for fullchain was created the first go around.

I think my path ahead is to rerun(when my LetsEncrypt timer ends)
Code:
.acme.sh/acme.sh --issue -d www.mydomain.com --dns dns_cf --reloadcmd "/root/deploy-freenas/deploy_freenas.py"

Would you agree?

While I get the basic concept of what going on, there are a lot of nuances that are just passing me by. Lots of firsts for me. THANKS for your help getting past this hurdle.

BTW - how is socat installed? - Im also new to freebsd.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
I have used up my requests with from Let's Encrypt running the acme.sh command for the next few days.
The "failed validation" rate limit only blocks you for an hour.
.acme.sh/acme.sh --issue -d www.mydomain.com --dns dns_cf --reloadcmd "/root/deploy-freenas/deploy_freenas.py"
Looks right.
how is socat installed?
It would have to be done in a jail. But since you're using DNS validation, you don't need it.
 

endnot

Dabbler
Joined
Feb 6, 2019
Messages
33
The "failed validation" rate limit only blocks you for an hour.
I was able to overcome by adding “--staging” to test against Let’s Encrypt’s staging environment (which issues test certificates that don’t work, but has high rate limits).

I still have something wrong related to deploy_freenas.py. Is this still Lets Encrypt not allowing me to connect?
Code:
[root@freenas ~]# /root/deploy-freenas/deploy_freenas.py
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/urllib3/connection.py", line 141, in _new._conn  
(self.host, self.port), self.timeout, **extra_kw)
  File "/usr/local/lib/python3.6/site-packages/urllib3/util/connection.py", line 83, in create_connection     raise err
  File "/usr/local/lib/python3.6/site-packages/urllib3/util/connection.py", line 73, in create_connection     sock.connect(sa)
ConnectionRefusedError: [Errno 61] Connection refused

During handling of the above exception, another exception occurred: 

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/urllib3/connectionpool.py", line601, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python3.6/site-packages/urllib3/connectionpool.py", line346, in _make_request
    self._validate_conn(conn)
  File "/usr/local/lib/python3.6/site-packages/urllib3/connectionpool.py", line850, in _validate_conn
    conn.connect()
  File "/usr/local/lib/python3.6/site-packages/urllib3/connection.py", line 284, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python3.6/site-packages/urllib3/connection.py", line 150, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
urllib3.exceptions.NewConnectionError: <urllib3.connection.VerifiedHTTPSConnection object at 0x807a6e320>: Failed to establish a new connection: [Errno 61] Connection refused

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/requests/adapters.py", line 440,in send
    timeout=timeout
  File "/usr/local/lib/python3.6/site-packages/urllib3/connectionpool.py", line639, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python3.6/site-packages/urllib3/util/retry.py", line 388, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='localhost', port=443): Max retries exceeded with url: /api/v1.0/system/certificate/import/ (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x807a6e320>: Failed to establish a new connection: [Errno 61] Connection refused',))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/root/deploy-freenas/deploy_freenas.py", line 72, in <module>
    "cert_privatekey": priv_key,
  File "/usr/local/lib/python3.6/site-packages/requests/api.py", line 112, in post
    return request('post', url, data=data, json=json, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/requests/api.py", line 58, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/requests/sessions.py", line 508,in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python3.6/site-packages/requests/sessions.py", line 618,in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/requests/adapters.py", line 508,in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='localhost', port=443): Max retries exceeded with url: /api/v1.0/system/certificate/import/ (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x807a6e320>: Failed to establish a new connection: [Errno 61] Connection refused',))
[root@freenas ~]#
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
Try setting the protocol to http:// rather than https://. If you don't have a cert yet, the system won't be able to do https at all, which is probably why you're seeing the connection refused.
 

endnot

Dabbler
Joined
Feb 6, 2019
Messages
33
Try setting the protocol to http:// rather than https://
System/General/Protocol was set to http+https, changed it to http.
- No Luck - same connection error as before.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
No, the protocol in your deploy-config file.

Try this for your deploy-config:
Code:
[deploy]
password = YourReallySecureRootPassword
cert_fqdn = your_fqdn

You shouldn't need to set anything else in there. You can set system/general/protocol back to http+https.
 
Last edited:

endnot

Dabbler
Joined
Feb 6, 2019
Messages
33
That worked.
Certificate import successful Certificate list successful
Setting active certificate successful

The GUI SSL Cert show up from Letsencrypt - but I am still not able seeing a secure link on my browser.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
I am still not able seeing a secure link on my browser.
When you browse to https://your_fqdn, does it bring up your FreeNAS box? Because it won't be secure if you browse by IP or using freenas.local.
 
Top