Container won't use ACME certificate

Hello, I’ve recently managed to make an ACME DNS certificate, which is stored inside /etc/certificates. Some TrueNAS apps have a Certificate field and some don’t, like Mealie. I use Mealie with a certificate, but since there isn’t a field for it I’ve manually mounted /etc/certificates in the container as read-only.

But the .key file is mode 600 and Mealie runs as UID 568 (apps), so it can’t read the key. What can I do to make Mealie, and other apps that don’t have a “Certificate” field, use the certificate?

Really, there are two good options here:

  • Get a cert using separate software running on the NAS (like acme.sh or lego), and then mount/deploy that cert to whatever apps need it
  • (the better option IMO) put your apps behind a reverse proxy, and use that to handle cert management and TLS termination. And, as a bonus, stop needing the wacky custom ports that TrueNAS wants to use.

For a point-and-click app, the only option I’m aware of for the second is Nginx Proxy Manager:

I run all (or almost all) my apps using Compose and Dockge, and prefer Caddy:
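The reverse-proxy layout from the two answers above, written out as an added Compose example (not from this thread, and not Mealie's or Caddy's own documentation). Caddy owns the ACME account and the private key in its own data volume and terminates TLS; Mealie is only reached over the internal Compose network, so the UID 568 container never needs to read a key file at all. The hostname mealie.example.com, the /mnt/tank/apps paths, and the PUID/PGID values are placeholders; it also assumes ports 80/443 are free on the NAS (the TrueNAS web UI must be moved off them first) so Caddy can complete the HTTP-01 challenge, and that your Compose version supports inline `content:` for top-level configs.

```yaml
# Added example: Caddy reverse proxy terminating TLS in front of Mealie.
# Hostname, paths, and IDs below are placeholders, not values from the thread.
services:
  caddy:
    image: caddy:2
    restart: unless-stopped
    ports:
      - "80:80"      # ACME HTTP-01 challenge and HTTP->HTTPS redirect
      - "443:443"
    configs:
      - source: caddyfile
        target: /etc/caddy/Caddyfile
    volumes:
      # ACME account, issued certs and keys live here; only the caddy
      # container ever reads them, so no key needs to be shared with apps.
      - /mnt/tank/apps/caddy/data:/data
      - /mnt/tank/apps/caddy/config:/config
    depends_on:
      - mealie

  mealie:
    image: ghcr.io/mealie-recipes/mealie:latest
    restart: unless-stopped
    environment:
      # TrueNAS "apps" user/group (assumed); no TLS material is mounted here.
      PUID: "568"
      PGID: "568"
      BASE_URL: https://mealie.example.com
    volumes:
      - /mnt/tank/apps/mealie/data:/app/data
    # No "ports:" section on purpose: Mealie is reachable only via caddy on
    # the Compose network, never directly on a custom host port.

configs:
  caddyfile:
    content: |
      mealie.example.com {
          # Caddy requests and renews the certificate itself (HTTP-01 by default).
          # Switch to a DNS challenge with a caddy-dns plugin build if you
          # want the same wildcard approach the thread mentions.
          reverse_proxy mealie:9000
      }
```

With this layout the check for "can the app read the key" simply goes away: `docker compose exec mealie ls /etc/certificates` should fail because nothing is mounted there, and `docker compose logs caddy` shows the certificate being obtained and renewed. Adding another app is one more site block in the Caddyfile pointing at that service's internal port.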

I would suggest putting things behind a reverse proxy as well, and using a wildcard cert there to make things easy. With that solution you can also apply different certs depending on whether the service should only be accessible from the LAN and might therefore use some internal CA cert. Maybe you want to have a look at pfSense or OPNsense in case you still need a firewall solution; that also offers ACME, reverse proxy and CA capabilities. And no, I ain’t got pfSense stocks ^^ - I just like its possibilities - not really the GUI though :frowning: That is really pretty old school.

As a user of OpenWrt, I wonder why you think the OPNsense GUI is old school.


I was talking about pfSense - I guess OPNsense is a step forward. Haven’t tried it though.
