Let's Encrypt Local Servers and Devices

This resource was originally created by user: Basil Hendroff on the TrueNAS Community Forums Archive. Please DM this account or comment in this thread to claim it.

When accessing internal servers and devices, are you tired of seeing warning messages from your browser informing you that ‘Your connection is not secure’? Want to set up secure communication for supported systems?

This scripted resource builds a Let’s Encrypt toolbox in a jail including acme.sh, an LE client, and an eclectic collection of useful tools for centrally managing LE certificates for a variety of systems. The following systems are currently supported:

  1. TrueNAS and FreeNAS servers.
  2. HP iLO remote server management devices.
  3. FRITZ!Box residential gateway devices.

The script sets up an acme.sh server to handle the issuance and automatic renewal of LE certificates (which are only valid for 90 days) for those systems.

Objectives

The script creates a jail designed to meet these key objectives:

  1. Facilitate the centralised deployment of LE certificates to several groups of internal systems.
  2. Automate the issuance and renewal of certificates for those systems (the script installs an acme.sh server in the jail to handle this).
  3. Best practice is to decouple a jail from its data. The script sets up the structures to store certificates and other data files outside the jail.

Requirements

The requirements for issuing certificates to internal systems are:

  1. You must own or be able to control a public domain name.
  2. Your internal DNS must be capable of resolving internal host names, based on the public domain name, to matching internal IP addresses. This is commonly referred to as split DNS.
  3. To be able to issue certificates automatically, your DNS provider must be one that acme.sh recognises as providing automatic DNS API integration.

If you tick these requirements, proceed to the GitHub repository basilhendroff/truenas-iocage-letsencrypt (a Let's Encrypt toolbox including acme.sh, deploy-freenas and python-hpilo) for scripted installation instructions.

Acknowledgements

  1. If it were not for the ground-breaking efforts of @danb35 to implement a means of deploying LE certificates to FreeNAS, and now TrueNAS, servers (refer to the community resource Let’s Encrypt with FreeNAS 11.1 and later), centralised TrueNAS and FreeNAS certificate management for this resource would not be possible.
  2. Dennis Kaarsemaker for implementing python-hpilo, a Python library and command-line tool for interacting with HP iLO devices.
  3. Neil Pang for the LE client acme.sh and FRITZ!Box deploy hook.
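As an added example (not part of Basil's resource or of his script), the POSIX shell script below shows the pieces the requirements above describe for one internal host: a split-DNS pre-flight check that the name sits under the public domain and resolves, via the internal resolver, to an RFC 1918 address; then the acme.sh DNS-01 issue through the provider's API, installation of the key and chain into a store outside the jail, and a reload command that acme.sh's own cron job re-runs on every renewal. The domain example.com, the Cloudflare provider (dns_cf with CF_Token and CF_Account_ID exported), the /mnt/certs store path and the deploy_freenas.py reload command are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example: pre-flight check and acme.sh issue/install for one internal host.
# Not part of truenas-iocage-letsencrypt; provider, paths and reload command are assumptions.
set -eu

ACME="${ACME:-${HOME:-/root}/.acme.sh/acme.sh}"   # assumption: acme.sh installed per its README
CERT_STORE="${CERT_STORE:-/mnt/certs}"            # assumption: dataset mounted into the jail, lives outside it
DNS_API="${DNS_API:-dns_cf}"                      # assumption: Cloudflare; export CF_Token and CF_Account_ID
PUBLIC_DOMAIN="${PUBLIC_DOMAIN:-example.com}"     # assumption: the public domain you control
RELOAD_CMD="${RELOAD_CMD:-}"                      # e.g. "python3 /root/deploy-freenas/deploy_freenas.py" (assumption)

# RFC 1918 IPv4 test: 10/8, 172.16/12, 192.168/16. Returns 0 when private.
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# The host must be a name strictly under the public domain (nas.example.com under example.com).
under_domain() {
    case "$1" in
        *."$2") return 0 ;;
    esac
    return 1
}

# What the internal resolver (the split-DNS view) returns for a name; first address only.
resolve_internal() {
    getent hosts "$1" | awk '{ print $1; exit }'
}

# Requirements 1 and 2: the name belongs to the domain you control and resolves internally
# to a private address. Takes the resolved IP as an argument so it can be checked offline.
preflight() {
    host=$1; domain=$2; ip=$3
    if ! under_domain "$host" "$domain"; then
        echo "preflight: $host is not under $domain" >&2
        return 1
    fi
    if ! is_private_ipv4 "$ip"; then
        echo "preflight: $host resolves to '$ip', not an RFC 1918 address; split DNS is not in effect" >&2
        return 1
    fi
    return 0
}

# Requirement 3: issue via the DNS-01 challenge using the provider's API, then install the
# files outside the jail. acme.sh registers its own cron job and re-runs --reloadcmd on renewal,
# which is what pushes the renewed certificate to the target device.
issue_and_install() {
    host=$1
    "$ACME" --issue --server letsencrypt --dns "$DNS_API" -d "$host" --keylength ec-256
    mkdir -p "$CERT_STORE/$host"
    "$ACME" --install-cert -d "$host" --ecc \
        --key-file       "$CERT_STORE/$host/privkey.pem" \
        --fullchain-file "$CERT_STORE/$host/fullchain.pem" \
        --reloadcmd      "${RELOAD_CMD:-true}"
}

main() {
    host=$1
    ip=$(resolve_internal "$host")
    preflight "$host" "$PUBLIC_DOMAIN" "$ip"
    issue_and_install "$host"
}

# Usage: ACME_HOST=nas.example.com sh le-internal.sh   (defines functions only when ACME_HOST is unset)
if [ -n "${ACME_HOST:-}" ]; then
    main "$ACME_HOST"
fi
```

The pre-flight matters because a name that resolves to its public address from inside the network will produce a working certificate but a browser that connects to the wrong host; checking the resolved address before issuing catches a missing split-DNS entry early. The ECDSA key (ec-256) keeps the certificate small for constrained devices; drop `--keylength ec-256` and `--ecc` together if a target only accepts RSA.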

I’d seen this resource when Basil posted it, but apparently had missed this section. I have a couple of HPE servers with iLO, and had pretty much given up on being able to automate cert deployment to them. It’s nowhere near as convenient as Dell’s iDRAC (their racadm will directly deploy the cert/key without your having to generate a CSR on the host itself), but now I know there’s a tool to do it.

If anyone wants to deploy a cert to an HPE iLO controller without the surrounding jail environment created in this resource, I’ve tweaked Basil’s script a bit to make it more generally applicable:
