
TLS certificates with TrueCommand

danb35

Wizened Sage
Joined
Aug 16, 2011
Messages
11,295
As I've been able to use Let's Encrypt to "encrypt all the things!", attention naturally turns to TrueCommand. As it's in a Docker container with a persistent data directory, it would seem like a Let's Encrypt client could put the cert there for use, but the manual doesn't mention that as a possibility. In fact, it only mentions manually uploading the cert through the GUI. Is that really the only way to apply a cert to a TC installation? Edit: is it possibly as simple as dropping the new files into /data/truecommand/ ?

Yes, I know about a reverse proxy--I'm talking about the TC installation handling the TLS termination itself.
 

kenmoore

TrueCommand Project Lead
iXsystems
Joined
May 1, 2019
Messages
36
Yes, with a caveat:
You can manually drop your custom cert files into the /data directory for the TrueCommand container if you follow these steps:
1. Make sure you use the ".custom" suffixes on the files
* [datadir]/truecommand/server.key.custom
* [datadir]/truecommand/server.crt.custom
2. Restart the docker container
* This will detect those files and re-load them into the proper places within the container itself to make them "live".
* If you use the TrueCommand UI to import the files, then it dynamically triggers updates for everything inside the container, so no restart is needed.

Additional option: Use the TrueCommand API!
This is exactly what the TrueCommand UI does in the background, so any certs submitted this way will get loaded/used instantly:

API reference: https://api.ixsystems.com/truecommand/api/ssl/cert_import/
 

danb35

Wizened Sage
Joined
Aug 16, 2011
Messages
11,295
Additional option: Use the TrueCommand API!
That's what I'd been kind of hoping for, but hadn't yet seen the docs. So something like this should do the trick:
Code:
# Double quotes so the $(cat ...) substitutions actually expand (inside single quotes
# they are sent literally); the "-l" option (FTP list-only) does nothing for HTTP and is dropped.
curl -g -u "username:password" -X GET "http://[IP_ADDRESS]/api/ssl/cert_import" \
  --data "{\"args\": {\"pem\": \"$(cat fullchain.pem)\", \"key\": \"$(cat privkey.pem)\"}}"

Edit: well, it returns this:
Code:
{
    "result": "success"
}

so I guess it does work. Now to get acme.sh to use that whole command as a renew hook.

Edit 2: it's kind of interesting that authentication is with username/password rather than API tokens. Is there any thought of changing to these? Seems they would have the potential of being more secure.
 
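An added example covering both approaches from the thread (the ssl/cert_import API call that the posts above wire into an acme.sh renew hook, and the ".custom" file drop from the TrueCommand lead's post). This is not code from the thread, from TrueCommand or from acme.sh. One thing a raw `$(cat fullchain.pem)` inside a JSON body does not handle is that PEM files are multi-line, and a bare newline inside a JSON string is invalid, so the script escapes the file contents into proper JSON strings before sending them. Assumptions, all labelled in the comments: the TC_HOST/TC_USER/TC_PASS/TC_DATADIR/TC_CONTAINER placeholders, the `api`/`files` sub-command names and the hook paths are invented for illustration; the request shape (`{"args": {"pem": ..., "key": ...}}`, HTTP basic auth, `-X GET` with a body) mirrors the curl command posted in the thread rather than anything verified against the API reference.

```shell
#!/bin/sh
# Added example, not TrueCommand's or acme.sh's own code: hand a renewed
# Let's Encrypt cert to TrueCommand, either through the ssl/cert_import API
# (no container restart) or by staging the ".custom" files in the container's
# data directory (restart required). All names below are placeholders.
set -u

TC_HOST="${TC_HOST:-[IP_ADDRESS]}"            # assumed placeholder, as in the thread
TC_USER="${TC_USER:-username}"                # assumed placeholder
TC_PASS="${TC_PASS:-password}"                # assumed placeholder
TC_DATADIR="${TC_DATADIR:-/data}"             # assumed: host path mounted as the container's /data
TC_CONTAINER="${TC_CONTAINER:-truecommand}"   # assumed container name

# json_string FILE: print FILE as one quoted JSON string. PEM files span many
# lines, so each newline must become the two characters "\n"; backslashes and
# double quotes are escaped too, so the result is valid JSON whatever FILE holds.
json_string() {
    printf '"'
    sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' "$1" |
        awk 'NR > 1 { printf "\\n" } { printf "%s", $0 }'
    printf '"'
}

# build_payload FULLCHAIN KEY: the request body for /api/ssl/cert_import,
# in the shape the thread's curl command uses (assumed, not verified).
build_payload() {
    printf '{"args": {"pem": %s, "key": %s}}' "$(json_string "$1")" "$(json_string "$2")"
}

# check_result REPLY: true when the API answered with "result": "success",
# which is the reply shown in the thread.
check_result() {
    case "$1" in
        *'"result"'*'"success"'*) return 0 ;;
        *) return 1 ;;
    esac
}

# import_cert FULLCHAIN KEY: push both files through the API. The body is piped
# on stdin (--data-binary @-) so the private key is never written to a temp file.
# The thread's command uses plain http; only do that on localhost, otherwise use
# https:// so the login and the key do not cross the network in the clear.
import_cert() {
    reply=$(build_payload "$1" "$2" |
        curl -sS -g -u "$TC_USER:$TC_PASS" -X GET \
             -H 'Content-Type: application/json' --data-binary @- \
             "http://$TC_HOST/api/ssl/cert_import") || return 1
    check_result "$reply"
}

# stage_custom_files DATADIR FULLCHAIN KEY: the file-drop alternative. The
# files must carry the ".custom" suffix; the key is created under umask 077 so
# it is never world-readable. A container restart is what makes them live.
stage_custom_files() {
    dir="$1/truecommand"
    mkdir -p "$dir"
    cp "$2" "$dir/server.crt.custom"
    ( umask 077 && cp "$3" "$dir/server.key.custom" )
    chmod 0600 "$dir/server.key.custom"
}

# Usage as an acme.sh reload hook (paths are placeholders):
#   acme.sh --install-cert -d tc.example.com \
#       --fullchain-file /root/tc/fullchain.pem --key-file /root/tc/privkey.pem \
#       --reloadcmd "sh /root/tc-import.sh api /root/tc/fullchain.pem /root/tc/privkey.pem"
if [ "$#" -eq 3 ]; then
    case "$1" in
        api)   import_cert "$2" "$3" ;;
        files) stage_custom_files "$TC_DATADIR" "$2" "$3" && docker restart "$TC_CONTAINER" ;;
        *)     echo "usage: $0 api|files FULLCHAIN KEY" >&2; exit 2 ;;
    esac
fi
```

The `api` path is the one to prefer for an unattended renewal: nothing restarts, and the exit status of `check_result` tells acme.sh whether the reload succeeded. Basic-auth credentials in a hook script are one more reason to keep the script and the key files readable by root only, and to point the hook at `https://` once the first certificate is in place.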

ornias

Member
Joined
Mar 6, 2020
Messages
200
I personally think this is a rather complex way of doing Let's Encrypt with Docker.
For example: I run a (single node) Docker Swarm, everything sits behind a Traefik reverse proxy.
Once set up I can spin up every gosh damn container I want and everything gets A+ (SSL Labs) SSL certs using Let's Encrypt like magic.
 

danb35

Wizened Sage
Joined
Aug 16, 2011
Messages
11,295
I personally think this is a rather complex way of doing Let's Encrypt with Docker.
Different strokes, different folks. To me, your method sounds much more complex. "Get cert for service, install cert on service" seems pretty straightforward, particularly if "install cert on service" can be automated with a single command (as it can be). No need for a reverse proxy, and I'll admit I don't know enough about Docker to know what a "docker swarm" is, much less why I might want one.
 