WebDAV, Let's Encrypt TLS/SSL Certificates, and Domain Names

Monkey_Demon (Explorer; joined Nov 11, 2016; 85 messages)
I've posted about this subject before, but in a very different context. This time I've made much more progress and believe I'm almost there. I just need some help to get over the goal line.

Summary
In a nutshell, I've successfully created a WebDAV share and now want to access it with https:// instead of http://. Also, I more or less followed these instructions to integrate Let's Encrypt certificates with FreeNAS, and everything seemed successful. I also switched from NO-IP to Duck DNS for DDNS service and for my FQDN, because NO-IP does not have an easy way to update certificates.

Yet, accessing the share from my iMac, I'm still having problems. Here's a summary of what happens when in Finder I select Go > Connect to Server with the following addresses:
  1. http://<local ip address>:8080/<share name> -- successful, but with a warning message that this is an "Unsecured Connection." (BTW, this works fine in terms of reading & creating files on the share. So I know there's not an internal permission problem.)
  2. https://<local ip address>:8080/<share name> -- get an error message: "There was a problem connecting to the server <local ip address>. Contact your system administrator for more information."
  3. http://<FQDN>:8080/<share name> -- get error message: "There was a problem connecting to the server "<FQDN>". This file server will not allow any additional users to log on. Try to connect again later." (Even though no users are connected to the WebDAV share.)
  4. https://<FQDN>:8080/<share name> -- identical to #3. Ultimately, this is the option I want to use.
Here <local ip address> is the internal (local) IP address of the FreeNAS system, e.g., "192.168.1.150"; <share name> is the name of the share, e.g. "myshare"; and <FQDN> is the fully qualified domain name, e.g. "mysubdomain.duckdns.org".

My question is what is the problem here, or at least how should I troubleshoot this?

Details

Here are the steps that led me to this point:
  1. Create a dataset for the share. Use FreeNAS > Pools to create an overall dataset volume, Volume1, then a Documents dataset to hold documents, and then a Library dataset to hold specific documents for this particular share. The overall path is /mnt/Volume1/Documents/Library.
  2. Create the WebDAV share. FreeNAS > Sharing > WebDAV Shares, and use the overall path and check "Change User & Group Ownership". Call it "myshare".
  3. Start the WebDAV service. FreeNAS > Services > WebDAV.
  4. Register with Duck DNS because I need DDNS service. The <FQDN> is "mysubdomain.duckdns.org"
  5. Configure FreeNAS to update Duck DNS regularly, so when my router's external IP address changes, Duck DNS's DDNS is aware of the new address. FreeNAS > Tasks > Cron Jobs. See "How to install DuckDNS.org (a how-to guide)."
  6. Create a jail, "acme": FreeNAS > Jails > ADD, and settings VNET checked, vnet0 interface, IPv4 address set to <jail ip address> (e.g., "192.168.1.153"), and IPv4 Netmask of 24.
  7. In the acme jail (FreeNAS > Jails > acme ... Shell) install acme.sh and deploy_freenas.py as described in "Let's Encrypt with FreeNAS 11.1 and later 0.3".
  8. Use the general approach for configuring deploy_freenas.py by creating a new file, "deploy_config", as described in "Let's Encrypt with FreeNAS 11.1 and later 0.3" with the following settings: password = as described in the instructions, cert_fqdn = mysubdomain.duckdns.org (i.e., <FQDN>), and ftp_enabled = true (because I also have FTP running).
  9. Using the DNS challenge method, obtain the TLS/SSL certificate as described in "Let's Encrypt with FreeNAS 11.1 and later 0.3". Because the instructions use Cloudflare but I'm using DuckDNS, I followed the instructions in Item 27 on "How to Use DNS API." Also, since FreeNAS 11.2 makes csh the default shell in the acme jail, make appropriate changes for csh when issuing these two commands:
    • setenv DuckDNS_Token "<token from DuckDNS home page>"
    • acme.sh --insecure --issue --dns dns_duckdns -d mysubdomain.duckdns.org
  10. Automate certificate renewal by creating a cron job as described in "Let's Encrypt with FreeNAS 11.1 and later 0.3". FreeNAS > Tasks > Cron Jobs. Use an iocage command to make the jailed acme script work with the latest versions of FreeNAS. The cron job issues this command:
    • iocage exec acme /root/.acme.sh/acme.sh --cron
  11. On my (Linksys WRT 1900ACS) router, forward port 80 to the FreeNAS system (Router Settings > Security > Apps and Gaming > Single Port Forwarding, with External Port = 80, Internal Port = 80, Protocol = Both (TCP & UDP), and Device IP# = <local ip address>, i.e., 192.168.1.150).

Hypotheses

I suspect my problem lies in one of three places:
  1. The TLS/SSL certificate is isolated in the jail. The instructions on "Let's Encrypt with FreeNAS 11.1 and later 0.3" simply say acme.sh will "call deploy_freenas.py to install the cert on FreeNAS," but where? Do I need to create a mount point and run everything on it so the certificate(s) will be available outside the jail?
  2. Do I somehow need to use the acme jail's IP address (e.g. 192.168.1.153) instead of the FreeNAS system's (e.g., 192.168.1.150)? Where? In the port forwarding?
  3. Instead of port 80, should I be forwarding 8080 because this is a WebDAV application?
But I'm only grasping at straws here. I'm sure someone out there has already done something similar and can help me get unstuck. Please do.

Thanks!
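A small probe that separates the failure modes behind the four Finder attempts in the post, added here as an example and not code from the original post, from FreeNAS or from acme.sh. It dials a host:port and reports whether the port speaks TLS at all (a plaintext HTTP listener fails the handshake with a "wrong version number" style error, which is what https://<local ip address>:8080 would hit if the WebDAV service only serves HTTP there), whether the presented certificate is valid for the name that was dialled (a Let's Encrypt certificate issued for mysubdomain.duckdns.org never matches a bare 192.168.1.150, so a certificate check by IP address fails even when the certificate is correctly installed), and, when TLS is not available, sends a plain HTTP OPTIONS request and shows the DAV and Allow headers a WebDAV server returns. All function names are hypothetical, and the certificate dictionary and response bytes used for checking it are constructed for the example.

```python
#!/usr/bin/env python3
"""Probe a WebDAV endpoint the way the four Finder attempts in the post do:
does host:port speak TLS at all, does the presented certificate match the
name we dialled, and does plain HTTP answer OPTIONS with a DAV header?
Added example; function names are hypothetical, not FreeNAS or acme.sh code."""
import ipaddress
import socket
import ssl
import sys


def diagnose_tls_error(err):
    """Map a failed TLS handshake to a plain-language cause."""
    msg = str(err).lower()
    if any(s in msg for s in ("wrong version number", "unknown protocol", "http request")):
        return "plaintext: the port answers HTTP, not TLS, so https:// on it cannot work"
    if any(s in msg for s in ("certificate verify failed", "hostname mismatch", "doesn't match")):
        return "name/trust: TLS is up but the certificate does not verify for this host name"
    if isinstance(err, (ConnectionRefusedError, TimeoutError, socket.timeout)):
        return "unreachable: nothing answered (service down, firewall, or port forward)"
    return "unexpected: " + str(err)


def cert_names(cert):
    """DNS names from a getpeercert()-style dict: SAN entries plus the subject CN."""
    names = {v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"}
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    return names


def name_matches(cert, host):
    """True if the certificate is valid for `host`. An IP literal only matches an
    'IP Address' SAN, never a DNS name, so a cert for mysubdomain.duckdns.org
    does not satisfy a connection made to 192.168.1.150."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        host = host.lower()
        for name in cert_names(cert):
            if name == host:
                return True
            # single-label wildcard: *.duckdns.org covers a.duckdns.org, not a.b.duckdns.org
            if (name.startswith("*.") and host.count(".") == name.count(".")
                    and host.endswith(name[1:])):
                return True
        return False
    return any(kind == "IP Address" and v == host
               for kind, v in cert.get("subjectAltName", ()))


def parse_options_response(raw):
    """Parse the status line and headers of an HTTP OPTIONS reply (bytes)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return {"status": status, "dav": headers.get("dav"),
            "allow": headers.get("allow"),
            "www_authenticate": headers.get("www-authenticate")}


def probe_tls(host, port, timeout=5.0):
    """Full verifying handshake against host:port; returns the peer certificate dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def probe_http_options(host, port, path="/", timeout=5.0):
    """Plain-HTTP OPTIONS on host:port; a WebDAV server answers with a DAV header."""
    req = ("OPTIONS %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n"
           % (path, host)).encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(req)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_options_response(b"".join(chunks))


if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])
    path = sys.argv[3] if len(sys.argv) > 3 else "/"
    try:
        cert = probe_tls(host, port)
        print("TLS ok; cert names:", sorted(cert_names(cert)),
              "| matches dialled host:", name_matches(cert, host))
    except Exception as err:  # classify every handshake failure, then fall back to HTTP
        print("TLS failed ->", diagnose_tls_error(err))
        try:
            print("plain HTTP OPTIONS ->", probe_http_options(host, port, path))
        except OSError as err2:
            print("plain HTTP failed ->", diagnose_tls_error(err2))
```

Run it once from inside the LAN as `python3 webdav_probe.py 192.168.1.150 8080 /myshare` and once from outside (or with the FQDN) as `python3 webdav_probe.py mysubdomain.duckdns.org 8080 /myshare`. A "plaintext" result on 8080 means the certificate is irrelevant to that port: the WebDAV service is only serving HTTP there, and HTTPS has to be enabled in the service's own protocol setting and dialled on its HTTPS port (FreeNAS keeps a separate HTTPS port and certificate selector for the WebDAV service). A "name/trust" result with the right names in the certificate usually means the wrong name was dialled (IP address instead of FQDN). Note also that the DNS-01 challenge used in step 9 is validated through the DuckDNS TXT record and does not require the port 80 forward from step 11; that forward only matters for an HTTP-01 challenge.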