I’m using certbot for my other systems and really don’t want to create an account with the default providers in the current TrueNAS releases (I have enough accounts). Is there a reputable repository of scripts or a low-friction way to generate valid certificates that doesn’t require an account? I’d prefer to do this in a way that TrueNAS could then self-maintain, i.e. by creating a functional ACME DNS-Authenticator entry, rather than importing scripts I create.
You do need at least an account with your DNS provider (and an API key). But seeing that you use certbot, you should already have that.
You can use “third-party” ACME clients (like certbot or acme.sh) to create/renew certificates and deploy them to TrueNAS using the TrueNAS API. See this guide and script created by @dan for more information.
Personally, I am using the shell Authenticator option with a custom script for my DNS provider. I can share that script, but I don’t think you have the same DNS provider as me. Maintaining your own script probably doesn’t count as “low friction”.
There are a few options here:
- Move DNS for your domain to one of the supported DNS providers, then use the built-in mechanisms in TrueNAS.
- Keep DNS for your domain where it is, write and maintain a script to handle the challenge and clean-up, and use that with the shell authenticator.
- Obtain the cert by some means other than TrueNAS’ built-in mechanism, then use the API to import it to TrueNAS.
- If you’re using 25.10, or want to “upgrade” to that version, sign up for TrueNAS Connect and register your NAS with that system. One of the things that will do is generate a certificate for your system (with a URL like https://fd15-b306-7e81-ba42-be24-11ff-fe63-319e.cr49fa5fij885c9jhncnkquoin20d23t52an3ug.l226e8evc5ldjcspgcppqt378sj9n4btef62ojo.truenas.direct/ui/dashboard – that’s what bookmarks are for) and keep it up to date.
I haven’t played much with TrueNAS Connect yet, but its dependence on 25.10 is a problem right now IMO.[1] Its use of DNS to get the cert follows the method developed by Plex some years back, and gives you a pretty unwieldy URL, but you don’t need to mess with local DNS at all to make that cert work. This really is going to be the “easy button.”
I use the third method, which I describe more fully here:
Currently, I’m running a small LXC (under Proxmox, though you could do the same in TrueNAS), using lego there to obtain a wildcard cert, and then calling (as a renew-hook) a simple shell script to deploy that cert to any of my systems that can use it (my Proxmox hosts, my IPMI/iDRAC BMCs, and my NAS). Rather than my own Python script, I’m using @jjrushford’s tnascert-deploy there – as a Go binary, it doesn’t have any external dependencies.
The key to the third method is that you can get the cert anywhere you want, using any tool you want. From that tool, you can call my script or tnascert-deploy to deploy the cert to your NAS. Everything’s still automated, and you can use the tool chain you already know to obtain the cert.
[1] iX only recommends releases for “early adopters” for at least the first few months, and it was only released last week – and threads here suggest it’s a bit more troublesome than some have been.
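The third method above (obtain the cert with whatever ACME client you like, then push it to the NAS over the TrueNAS API from a renew hook), written out as an added example. This is not code from the original post, nor from the deploy-freenas or tnascert-deploy projects it links to. The REST paths (`/api/v2.0/certificate/`, `/api/v2.0/system/general/`, `.../ui_restart`), the `CERTIFICATE_CREATE_IMPORTED` create type, and the “import runs as a job, so look the new object up by name” flow are assumptions taken from how those deploy scripts behave; check them against the API docs of your TrueNAS release before relying on them. The `deploy_certificate` function takes the API as a plain callable so the flow can be exercised without a live NAS.

```python
"""Deploy an externally obtained certificate to TrueNAS over its REST API.

Added example, not the thread's own script. Endpoint paths and the
CERTIFICATE_CREATE_IMPORTED create type are ASSUMED from the deploy-freenas
approach referenced in the thread; verify against your TrueNAS release.
"""
import json
import os
import ssl
import sys
import urllib.request
from datetime import date


def build_import_payload(name: str, fullchain_pem: str, privkey_pem: str) -> dict:
    """Request body that imports an existing cert + key as a TrueNAS certificate object."""
    return {
        "create_type": "CERTIFICATE_CREATE_IMPORTED",  # assumed enum value
        "name": name,
        "certificate": fullchain_pem,
        "privatekey": privkey_pem,
    }


def make_truenas_api(base_url: str, api_key: str, verify_tls: bool = True):
    """Return a callable (method, path, body) -> parsed JSON, using urllib only."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        # Only for the very first deploy, while the UI still presents an untrusted cert.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def call(method: str, path: str, body=None):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(
            f"{base_url.rstrip('/')}/api/v2.0/{path}",
            data=data,
            method=method,
            headers={
                "Authorization": f"Bearer {api_key}",  # TrueNAS API key
                "Content-Type": "application/json",
            },
        )
        with urllib.request.urlopen(req, context=ctx) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else None

    return call


def deploy_certificate(api, fullchain_pem: str, privkey_pem: str,
                       name_prefix: str = "letsencrypt") -> int:
    """Import the cert, make it the UI certificate, restart the UI; return the cert id.

    `api` is any callable with the (method, path, body) signature, so the same
    flow runs against a fake in tests and against make_truenas_api() in production.
    """
    name = f"{name_prefix}-{date.today():%Y%m%d}"  # unique per renewal day
    api("POST", "certificate/", build_import_payload(name, fullchain_pem, privkey_pem))
    # The import runs as a job, so find the resulting object by its name.
    matches = [c for c in api("GET", "certificate/", None) if c.get("name") == name]
    if not matches:
        raise RuntimeError(f"certificate {name!r} not found after import")
    cert_id = matches[0]["id"]
    api("PUT", "system/general/", {"ui_certificate": cert_id})
    api("POST", "system/general/ui_restart", None)
    return cert_id


if __name__ == "__main__":
    # Usage from a renew hook:  TRUENAS_URL=https://nas TRUENAS_API_KEY=... \
    #   python3 deploy.py /etc/letsencrypt/live/example/fullchain.pem .../privkey.pem
    if len(sys.argv) != 3:
        sys.exit("usage: deploy.py FULLCHAIN_PEM PRIVKEY_PEM")
    with open(sys.argv[1]) as f:
        chain = f.read()
    with open(sys.argv[2]) as f:
        key = f.read()
    api = make_truenas_api(os.environ["TRUENAS_URL"], os.environ["TRUENAS_API_KEY"],
                           verify_tls=os.environ.get("TRUENAS_INSECURE") != "1")
    print("deployed certificate id", deploy_certificate(api, chain, key))
```

Create a dedicated API key on the NAS for this job rather than reusing an admin password, keep it in the hook’s environment (or a root-only file) instead of on the command line, and set `TRUENAS_INSECURE=1` only for the bootstrap run before a trusted certificate is in place.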
The third method currently looks like the easiest. Thanks for spelling it out. This also gives me yet another reason to get off truenas.local.
I hear you when you suggest waiting for a stable release. I’ll probably wait for at least .2
Set up and working with DNS ACME via certbot. I’m using wildcard certificates and my local DNS has an override directing the subdomain to a local IPv4 IP. Is there a more elegant solution and does this create any new security issues? I realize renewal can be done better.
# Quote the wildcard so the shell does not expand it; --manual prompts you to create the
# _acme-challenge TXT record, so unattended renewal needs --manual-auth-hook instead.
sudo certbot certonly --manual --preferred-challenges dns -d '*.[DOMAIN GOES HERE]'
# Certificate is saved at: /etc/letsencrypt/live/[DOMAIN]/fullchain.pem
# Key is saved at: /etc/letsencrypt/live/[DOMAIN]/privkey.pem
# This certificate expires on [3 months time]
Not that I know of; that’s pretty much how I handle it.