LetsEncrypt ssl cert distribution tips?

Sorry, I’ll have to give you some bullet points (running away at the moment).

You do not have to use the API from cert.local, you can use the API via a script on the truenas.local to do the install part (easier than dealing with the web socket/authorization aspects which can cause you problems if that API changes later).

I wouldn’t build your script in python unless it’s absolutely necessary (acme.sh is built in shell script). …I don’t know python but I’m sure I can scrape together enough ability in a weekend or so to help you out if you need/want.

To build a cert updater, sans API, I would:

BRIEF:

  1. ABC on cert.local only calls ACME.sh for a given client.
  2. XYZ on cert.local only echoes the cert for a given client argument.

NOTE:

  • cert.local is the VM, jail, raspi, etc. which has acme.sh.
  • truenas.local is our local thing which needs the cert (and we need to use the API to get the cert “installed”).

STEPS:
On each client (truenas.local for example) a script calls ABC@cert.local via ssh based on a scheduler (e.g., cron) to get a cert built for it.

On each client (truenas.local) at a later time, a script calls XYZ@cert.local via ssh. If a cert is returned, install it, restart services, etc.

This is essentially how I communicate in my local network with headless services like my git server.

I don’t know how long it takes to generate a cert when you call/use ACME.sh but I assume it takes a while (hence why I would split the operations up into two pieces; ‘order’ and ‘receive’).

Again, sorry for the bullet point response, but I have written down (most of) my setup for my headless git server, where you can see how I use a simple ssh call to a jail that returns my repository list and repository logs (similar mindset), here:

It is basically small scripts that look like this (I gave you a link to my not-so-great writeup/example so you can see how I treated script arguments; trivial task, I know, but worth the mention).

# Run a single script on the remote host; -t allocates a tty so interactive prompts (if any) work.
ssh                     \
    -l user             \
    -i ~/.ssh/id_rsa    \
    user@remote.local   \
    -t "scriptcall.sh"

Here is a secondary form of that, if you want to issue a series of commands, just in case you’re calling me an idiot because calls to acme.sh are almost instant.

# Feed a series of commands to the remote shell on stdin via a heredoc.
ssh                     \
    -l user             \
    -i ~/.ssh/id_rsa    \
    user@remote.local   \
<< EOF
echo "Hello World!"
# run_another_command
# A newline is important before final EOF.

EOF

Last note:
If you really wanted to push these certs from cert.local via ssh you can (I only spent 10 minutes or so looking, but I’m almost sure) use ssh-copy-id as a framework.

Sorry, gotta run.
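The two-phase ‘order’/‘receive’ design above, written out as a shell script. This is an added example, not the poster’s scripts or anything shipped with acme.sh. It assumes a layout I made up: acme.sh (or its --install-cert step) leaves each client’s chain under $CERT_ROOT/<client>/fullchain.cer on cert.local, the script itself is on PATH there as certs.sh, and the host names cert.local/truenas.local are the ones from the post. The two checks worth having that the post does not spell out are included: cert.local only accepts a hostname-shaped client argument (that argument is the one thing the caller controls, so it must not be able to reach outside $CERT_ROOT), and the client only replaces its installed chain with something that actually looks like PEM certificate material and differs from what is already there, so a remote error message or an unchanged cert never triggers a service restart.

```shell
#!/bin/sh
# Two-phase cert hand-off over ssh: ABC ("order") and XYZ ("receive").
# Constructed example; CERT_ROOT layout, certs.sh name and host names are assumptions.

CERT_ROOT="${CERT_ROOT:-/opt/acme-certs}"    # cert.local: one directory per client (assumed layout)
ACME_SH="${ACME_SH:-$HOME/.acme.sh/acme.sh}"  # default install location of acme.sh
REMOTE_SCRIPT="${REMOTE_SCRIPT:-certs.sh}"   # how this file is reachable on cert.local (assumed)
SSH_CMD="${SSH_CMD:-ssh}"                     # overridable so the client side can run without a network

# ---- cert.local side -------------------------------------------------------

# The client name is the only value the caller controls: accept a hostname-shaped
# string only, since a slash or ".." in it could point outside CERT_ROOT.
valid_client() {
    case "$1" in
        '' | */* | *..*) return 1 ;;
    esac
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9.-]*$'
}

# ABC: start (or renew) the order for one client. Validation flags such as the
# DNS/webroot method are passed through unchanged by the operator.
abc_order_cert() {
    client="$1"; shift
    valid_client "$client" || { echo "abc: bad client name" >&2; return 2; }
    "$ACME_SH" --issue -d "$client" "$@"
}

# XYZ: print the current full chain for one client, or print nothing and exit 1
# when no cert exists yet, so the client can tell "not ready" from "here it is".
xyz_echo_cert() {
    client="$1"
    valid_client "$client" || { echo "xyz: bad client name" >&2; return 2; }
    f="$CERT_ROOT/$client/fullchain.cer"
    [ -s "$f" ] || return 1
    cat "$f"
}

# ---- client side (truenas.local) -------------------------------------------

# Only PEM certificate material may replace the installed file; a remote error
# message or a truncated transfer must not.
looks_like_pem_chain() {
    case "$1" in
        '-----BEGIN CERTIFICATE-----'*'-----END CERTIFICATE-----') return 0 ;;
    esac
    return 1
}

# Receive step for the cron job: fetch, validate, install only on change.
# Exit codes: 0 installed (go restart services), 1 nothing new, 2 rejected data.
receive_and_install() {
    remote="$1"   # e.g. certs@cert.local
    client="$2"   # the name this host was ordered under
    dest="$3"     # where the local service expects the chain
    pem=$($SSH_CMD "$remote" "$REMOTE_SCRIPT" xyz "$client") || return 1
    [ -n "$pem" ] || return 1
    looks_like_pem_chain "$pem" || return 2
    if [ -f "$dest" ] && [ "$(cat "$dest")" = "$pem" ]; then
        return 1    # same chain already installed: nothing to restart
    fi
    tmp="$dest.tmp.$$"
    printf '%s\n' "$pem" > "$tmp" && mv "$tmp" "$dest"   # atomic replace
}

# Dispatcher so one file serves both ends: clients call "certs.sh abc <name>" and
# "certs.sh xyz <name>" on cert.local; cron on the client calls "receive".
case "${1-}" in
    abc)     shift; abc_order_cert "$@"; exit $? ;;
    xyz)     xyz_echo_cert "$2"; exit $? ;;
    receive) receive_and_install "$2" "$3" "$4"; exit $? ;;
esac
```

On cert.local the key the clients use can additionally be pinned to this script with a `command="certs.sh ..."` entry in authorized_keys (a standard OpenSSH forced command), so that key can do nothing on cert.local except order and fetch certs. On the client, cron runs `certs.sh receive certs@cert.local truenas.local /path/to/chain.pem` and restarts services only when the exit status is 0.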