Register for the iXsystems Community to get an ad-free experience and exclusive discounts in our eBay Store.

Unable to create an ACME certificate in 11.3

Basil Hendroff

Neophyte Sage
Joined
Jan 4, 2014
Messages
1,049
The FreeNAS 11.3 User Guide (UG) states the following under the section on ACME Certificates:

To create a new ACME certificate, go to System ➞ Certificates, click  (Options) for an existing certificate signing request, and click Create ACME Certificate.

However, there is no option in 11.3 to allow you to do this. The Certificates UI in 11.3 appears to be the same as it was in 11.2. It doesn't look like the new UI component has been added. Before I file a bug report, can others please confirm or debunk this?

On a related note, by following the instructions on ACME DNS in the UG and AWS documentation, I had no problems setting up an ACME DNS Authenticator. However, it's not clear to me how to tell whether it's working or not. Anyone able to enlighten me on this? Maybe, like when setting up Cloud Credentials, a Verify Credentials button could be useful.
 
Last edited:

Basil Hendroff

Neophyte Sage
Joined
Jan 4, 2014
Messages
1,049
Some background on how I got to this point.

I'm trying to see how far I can get with the NextCloud plugin (v17.0.1) under 11.3. Now I know that there are excellent posts and scripts on how to set up NextCloud in an iocage jail, but that's not the point here. I'm trying to figure out how to get past all the gotcha's in installing and configuring the plugin. I'm also trying to gauge the level of effort required to keep the plugin working whenever FreeNAS or the plugin are updated.

I've managed to work my way through many of the issues and I am now trying to address this warning on the NextCloud admin page.

screenshot.123.png


The tips aren't especially helpful in this case as they refer to Apache rather than Nginx, which the NextCloud plugin uses. So I searched the NextCloud documentation for Nginx and manage to locate several useful configuration examples. Browsing them, I realised I needed an SSL certificate and key.

Let's Encrypt is mentioned frequently in forum posts so I head there. I came across the paragraph below.

screenshot.124.png


I recalled seeing something about ACME in the 11.3 release notes. I looked up the UG. I couldn't find the option to create an ACME certificate on my server, so I set up the ACME DNS Authenticator in the hope that the option would somehow magically appear. It didn't. So here I am.
 
Last edited:

Basil Hendroff

Neophyte Sage
Joined
Jan 4, 2014
Messages
1,049
I had no problems setting up an ACME DNS Authenticator. However, it's not clear to me how to tell whether it's working or not.
I wonder? The new task manager (top right corner of the GUI) is displaying certificate renewal tasks maybe from the DNS Authenticator.

screenshot.127a.png
 

Patrick M. Hausen

Neophyte Sage
Joined
Nov 25, 2013
Messages
1,480
FWIW I use an Apache proxy in a jail for all inbound web services. That way I can use dehydrated and do not need DNS authentication for Letsencrypt. Port 80 and 443 inbound go to the Apache who then hands it off to one Nextcloud, two instances of Confluence, one Gitea and one Guacamole. This has proven to be a really reliable, easy to manage and scalable concept. Every new application needs one vhost config file and a line in dehydrated's domains.txt file, done.

HTH,
Patrick
 

Basil Hendroff

Neophyte Sage
Joined
Jan 4, 2014
Messages
1,049
@Patrick M. Hausen I love the scalability of your solution!

I'm actually not overly concerned about getting anything working at this stage. My personal agenda with FreeNAS is about seeing what I can realistically expect to achieve within the FreeNAS UI and plugin ecosystem. It's a bit of an academic exercise atm to:
  1. See if I can get the NextCloud plugin working (I'm almost there) reliably and securely.
  2. Understand the NextCloud plugin installation and configuration issues (there are quite a few, though nothing I've identified as a dealbreaker yet).
  3. Understand the stability, or not, of the NextCloud plugin through FreeNAS and plugin version changes.
NextCloud is an awesome, but complex piece of software. I'd like to be in a position to assist other forum members who might be wanting to access NextCloud via the plugin rather than by other means.

Along the way, it gives me a chance to become more familiar with FreeNAS 11.3. There are new capabilities in the 11.3 GUI that didn't exist in earlier versions. It would be good to see these working and maturing over time.

Generally, I've found, if I've said something completely wrong or incomplete, someone on the forum will jump in very quickly and correct me. This hasn't happened with this topic. Reading between the lines of your response and the lack of response from other very capable forum members, I'm thinking that what I've identified in this topic may be a bug after all so I'll submit a ticket shortly.
 

Basil Hendroff

Neophyte Sage
Joined
Jan 4, 2014
Messages
1,049
There's an open ticket for this issue NAS-104865. This issue is expected to be resolved in 11.3-U1.
 

danb35

Wizened Sage
Joined
Aug 16, 2011
Messages
11,317
I've said many times, in many different places, that I disagree with Let's Encrypt's recommendation of certbot as a general-purpose ACME client. It's the "easy button" if your setup matches what they expect, but it's a tangled mess of dependencies that's far more complicated than it has any reason to be. For most purposes, if I can't just run Caddy and have it take care of all the certs on its own, I prefer acme.sh as an ACME client.
 

Heracles

Neophyte Sage
Joined
Feb 2, 2018
Messages
674
About that, I do not like to expose my FreeNAS to anything external. Be it for DDNS, Acme, Reverse Proxy, VPN concentrator or anything else, all of these roles I deploy on pfSense. Yes jails are meant to contain incidents and protect FreeNAS, but I always put many security layers wherever I can instead of a single one. FreeNAS being the most valuable asset in my network, it is the one for which I provide the most layers possible.
 

Basil Hendroff

Neophyte Sage
Joined
Jan 4, 2014
Messages
1,049

Basil Hendroff

Neophyte Sage
Joined
Jan 4, 2014
Messages
1,049
So part of trying to get the ACME DNS working through the UI was signing up to AWS, which gave me 12 months free access (within limits) to a number of services including 5GB of AWS S3 storage. This gave me an opportunity to play around with the Cloud Sync in the UI. It began to dawn on me that AWS Route 53, used for the DNS Authenticator in the UI, doesn't appear to be one of the services covered under the free tier. Charges are based on usage.

By pure coincidence, I happened to be reading the narrative for danb35's Nextcloud script and realised that Cloudflare is a no-cost DNS authenticator, so I decided to work my way through the Let's Encrypt prerequisites specified in the narrative. On a roll, I've acquiesced to using the script rather than doggedly trying to get the Nextcloud plugin working. I've begun posting my trials and tribulations in the relevant discussion thread.

FWIW I use an Apache proxy in a jail for all inbound web services. That way I can use dehydrated and do not need DNS authentication for Letsencrypt. Port 80 and 443 inbound go to the Apache who then hands it off to one Nextcloud, two instances of Confluence, one Gitea and one Guacamole. This has proven to be a really reliable, easy to manage and scalable concept. Every new application needs one vhost config file and a line in dehydrated's domains.txt file, done.
What Patrick has suggested appealed to me, but I thought was way out of my league to implement. Then I happened across Danb35's Reverse Proxy Caddy script, which seemed to do the equivalent of what Patrick has implemented. I'll give that a crack when I have NextCloud up and running. It just appears to me there's some crossover on both scripts. I'll cross that bridge when I get there.

About that, I do not like to expose my FreeNAS to anything external. Be it for DDNS, Acme, Reverse Proxy, VPN concentrator or anything else, all of these roles I deploy on pfSense. Yes jails are meant to contain incidents and protect FreeNAS, but I always put many security layers wherever I can instead of a single one. FreeNAS being the most valuable asset in my network, it is the one for which I provide the most layers possible.
When I have some time, I'd like to take a close look at pfSense. Having at least six degrees of separation between my FreeNAS servers and the internet appeals to me.
 
Last edited:

tortue

Neophyte
Joined
Jan 13, 2018
Messages
8
There's an open ticket for this issue NAS-104865. This issue is expected to be resolved in 11.3-U1.
Unless I'm missing something, doesn't look like it made it into 11.3 U1. Just updated to it from 11.3 and still only have an Add option on the certificates page.
 
Top